Block list/group from fail2ban


Is there a simple way to integrate fail2ban with Suricata?
For example, my host blocked some IPs and I wish to block those IPs on Suricata as well.
I was thinking of creating a new group like home_net to do this.
Is it possible to manage that?

Using hostbits might be useful for that, see

In addition to what you see there you’d need a rule like

drop ip any any -> any any (hostbits:isset,blacklist,src; sid:1;)

This would drop any packet for a host that sits in the host table, with the ‘blacklist’ tag (bit). You can use the unix socket command to add (and remove) them.
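
One way to wire this up from fail2ban, as an added example that is not part of the original replies: a small helper that turns a ban or unban event into the matching `add-hostbit` / `remove-hostbit` unix socket command and sends it with `suricatasc`. It assumes the bit name `blacklist` from the rule above, `suricatasc` on the PATH, and a constructed default expiry of 3600 seconds; the function names are hypothetical and only IPv4 addresses are handled.

```shell
#!/bin/sh
# Added example: mirror fail2ban bans into Suricata's host table via hostbits.
# Assumptions: HOSTBIT matches the bit tested by the drop rule ("blacklist"),
# EXPIRE (seconds) is a constructed default that should follow fail2ban's bantime.
HOSTBIT="${HOSTBIT:-blacklist}"
EXPIRE="${EXPIRE:-3600}"

# Accept only a dotted-quad IPv4 address, so nothing else ends up in the
# command string handed to the unix socket client.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*.) return 1 ;;   # empty, foreign characters, trailing dot
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                          # split into octets (digits and dots only)
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the unix socket command for an event: "ban" or "unban".
hostbit_cmd() {
    is_ipv4 "$2" || { echo "refusing non-IPv4 input: $2" >&2; return 1; }
    case "$1" in
        ban)   echo "add-hostbit $2 $HOSTBIT $EXPIRE" ;;
        unban) echo "remove-hostbit $2 $HOSTBIT" ;;
        *)     echo "usage: ban|unban <ip>" >&2; return 2 ;;
    esac
}

# Talk to Suricata only when called with arguments (for example from a
# fail2ban action); sourcing the file just defines the functions.
if [ "$#" -ge 2 ]; then
    cmd=$(hostbit_cmd "$1" "$2") || exit 1
    suricatasc -c "$cmd"
fi
```

A fail2ban action can call the script from its actionban and actionunban lines with `ban <ip>` and `unban <ip>`; because the bit also expires on its own, a missed unban does not leave the host blocked forever.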