I have found a similar post talking about that but no solution is explained.
I would like Guardian to ban some internet IPs when they are involved in trojans, ransomware requesting keys, etc.
In my logs I saw many of these:
Code:
Date: 02/22 18:16:29 Name: PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection Priority: 3 Type: Misc activity IP info: 192.168.X.X:55569 -> 126.96.36.199:80 References: http://virustotal.com/en/file/c6828c8bcce6786b39427fc5ad9df2f8163d3b8a7b3b5f8a5c5790c4488039f7/analysis/ SID: 40356
For information, 192.168.X.X happens to be the IPFire IP address assigned by the optic fibre modem, so for IPFire it is its public IP address (and of course I have put this IP in the DMZ of the modem).
I have Guardian running on all interfaces with priority 3, and I have lowered the Strike Threshold (Snort) to 1 to see if this would do anything, but no...
Did anyone ever manage to have Guardian block an external IP address as a consequence of a Snort outbound rule being triggered?
Many thanks!
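Added example, not code from the post or from IPFire's Guardian: a parser for the IDS log format quoted above that works out which address a blocker would have to ban (the destination for an outbound alert, the source for an inbound one) and filters by priority, assuming, as in Snort, that a threshold of 3 covers priorities 1 to 3. The sample lines, the local network 192.168.1.0/24 and the documentation-range peer addresses are constructed.

```python
import ipaddress
import re
# Constructed sample lines in the "Date: ... IP info: ... SID: ..." format quoted in the post.
SAMPLE_LOG = """\
Date: 02/22 18:16:29 Name: PUA-ADWARE Win.Trojan.InstantAccess variant outbound connection Priority: 3 Type: Misc activity IP info: 192.168.1.10:55569 -> 203.0.113.7:80 References: http://example.invalid/ref SID: 40356
Date: 02/22 18:17:02 Name: ET SCAN Potential SSH Scan Priority: 2 Type: Attempted Information Leak IP info: 198.51.100.9:41000 -> 192.168.1.10:22 References: none SID: 2001219
Date: 02/22 18:18:45 Name: Low priority chatter Priority: 4 Type: Not Suspicious Traffic IP info: 192.168.1.10:5000 -> 203.0.113.8:443 References: none SID: 1
"""
ALERT_RE = re.compile(
    r"Date: (?P<date>\S+ \S+) Name: (?P<name>.+?) Priority: (?P<priority>\d+) "
    r"Type: (?P<type>.+?) IP info: (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) References: (?P<refs>\S+) SID: (?P<sid>\d+)"
)

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["priority"], fields["sid"] = int(fields["priority"]), int(fields["sid"])
    return fields

def remote_peer(src, dst, local_net):
    """Return (peer_ip, direction) for the non-local side of the flow, else (None, None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip in local_net and dst_ip not in local_net:
        peer, direction = dst_ip, "outbound"
    elif dst_ip in local_net and src_ip not in local_net:
        peer, direction = src_ip, "inbound"
    else:
        return None, None  # local-to-local or external-to-external: nothing sensible to block
    if peer.is_loopback or peer.is_link_local or peer.is_multicast:
        return None, None  # blocking these would only break the local network
    return str(peer), direction

def block_candidates(log_text, local_cidr, max_priority):
    """External IPs a blocker would have to ban for alerts with priority <= max_priority
    (Snort priority 1 is the most severe, so a threshold of 3 covers 1, 2 and 3)."""
    local_net = ipaddress.ip_network(local_cidr)
    out = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert["priority"] > max_priority:
            continue
        peer, direction = remote_peer(alert["src"], alert["dst"], local_net)
        if peer is not None:
            out.append({"ip": peer, "sid": alert["sid"], "direction": direction})
    return out
```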