Hi all,
Just wanted to share with you the IPS setup I have put in place to protect my home LAN… It is based on Suricata (of course) to identify malicious IPs triggering alerts.
Those IPs are then registered in a blacklist on my Edgerouter 4 Internet router using the EdgeOS REST API. It took me a bit of tinkering but I have finally managed to achieve a working solution.
Here is how it works in a nutshell:
- I have a Suricata instance monitoring my LAN traffic
- Suricata alerts are pushed to a Redis server
- A Python script pulls the alerts from Redis and gathers the alerts’ source IPs
- The script then adds the offending IPs to an address-group on my Edgerouter through API calls
- This address-group is used in rules to drop traffic originating from the blacklisted IPs
The Python script, Suricata and Redis all run on a little Raspberry Pi 4.
For those wanting to try it out, I’ve uploaded my script (adapted from the original work of Justinas Bei @beinoriusju) on GitHub: googleg/hund-ips-edgeos (HUND IPS for EdgeOS (EdgeRouter) and Suricata IDS)
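The pipeline the post describes (pop Suricata EVE JSON alerts from Redis, collect the external source IPs, build the address-group update for the router) as an added Python example; this is not the poster's script from the hund-ips-edgeos repository. It assumes Suricata's eve-log Redis output in list mode pushing to the key `suricata` (so the consumer drains it with RPOP), a LAN of 192.168.1.0/24, and an address-group named `suricata_blacklist`. The `FakeRedisList` class is a constructed stand-in for a redis-py client so the example runs offline, and the shape of the batch payload for the EdgeOS web API is an assumption to be checked against your own router; the alert entries are constructed samples.

```python
import ipaddress
import json

# Constructed sample of EVE JSON entries as Suricata's Redis output would push them
# (one JSON document per list entry). TEST-NET addresses stand in for external hosts.
SAMPLE_EVE_ENTRIES = [
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.45", "dest_ip": "192.168.1.20",
                "alert": {"signature": "CONSTRUCTED scan signature", "severity": 2}}),
    json.dumps({"event_type": "flow", "src_ip": "203.0.113.99", "dest_ip": "192.168.1.20"}),
    json.dumps({"event_type": "alert", "src_ip": "192.168.1.20", "dest_ip": "203.0.113.45",
                "alert": {"signature": "CONSTRUCTED outbound signature", "severity": 3}}),
    json.dumps({"event_type": "alert", "src_ip": "198.51.100.7", "dest_ip": "192.168.1.30",
                "alert": {"signature": "CONSTRUCTED exploit attempt", "severity": 1}}),
    json.dumps({"event_type": "alert", "src_ip": "203.0.113.45", "dest_ip": "192.168.1.30",
                "alert": {"signature": "CONSTRUCTED scan signature", "severity": 2}}),
    "this is not json",  # a corrupt entry the consumer must survive
]

# Assumed LAN; anything here must never end up in the blacklist.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Ranges that are never worth blocking at the Internet edge (RFC 1918, loopback, link-local, ULA).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10")]


def is_blockable(ip_text, lan_networks):
    """True only for a well-formed, non-LAN, non-reserved address."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except (ValueError, TypeError):
        return False
    if ip.is_multicast or ip.is_unspecified:
        return False
    return not any(ip in net for net in list(lan_networks) + NEVER_BLOCK)


def extract_offending_ips(eve_entries, lan_networks):
    """Collect the source IPs of alert events, skipping non-alert events, bad JSON and LAN sources."""
    offenders = set()
    for raw in eve_entries:
        try:
            event = json.loads(raw)
        except (ValueError, TypeError):
            continue
        if not isinstance(event, dict) or event.get("event_type") != "alert":
            continue
        src = event.get("src_ip")
        if is_blockable(src, lan_networks):
            offenders.add(src)
    return sorted(offenders)


class FakeRedisList:
    """Constructed offline stand-in for a redis-py client; only lpush/rpop are emulated."""
    def __init__(self, entries=(), key="suricata"):
        self._items = []
        for entry in entries:
            self.lpush(key, entry)

    def lpush(self, key, value):
        self._items.insert(0, value.encode() if isinstance(value, str) else value)

    def rpop(self, key):
        return self._items.pop() if self._items else None


def drain_alerts(redis_client, key="suricata", max_items=1000):
    """Pop up to max_items entries oldest-first (Suricata LPUSHes, so RPOP preserves order)."""
    entries = []
    while len(entries) < max_items:
        item = redis_client.rpop(key)
        if item is None:
            break
        entries.append(item.decode("utf-8", "replace") if isinstance(item, bytes) else item)
    return entries


def build_edgeos_batch(ips, group_name="suricata_blacklist"):
    """Assumed payload shape for the EdgeOS web API batch call that sets the address-group."""
    return {"SET": {"firewall": {"group": {"address-group": {
        group_name: {"address": list(ips)}}}}}}


if __name__ == "__main__":
    alerts = drain_alerts(FakeRedisList(SAMPLE_EVE_ENTRIES))
    bad_ips = extract_offending_ips(alerts, LAN_NETWORKS)
    print(json.dumps(build_edgeos_batch(bad_ips), indent=2))
```

The LAN and reserved-range filter is the check worth keeping even if the rest is replaced: an alert whose source is an internal host (the third sample entry) must not push that host into a drop group, or one noisy signature can cut your own LAN off from the router.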