Hello!
There is a simple way to integrate fail2ban with suricata?
For example, my host blcoked some ips and I wish to block those ips on suricata as well.
I was thinking to create a new group like home_net to do this.
It’s possible to manage that?
Using hostbits might be useful for that, see https://suricata.readthedocs.io/en/suricata-5.0.0/rules/xbits.html?highlight=hostbit#unix-socket
In addition to what you see there you’d need a rule like
drop ip any any -> any any (hostbits:isset,blacklist,src; sid:1;)
This would drop any packet for a host that sits in the host table, with the ‘blacklist’ tag (bit). You can use the unix socket command to add (and remove) them.