

import time, os, subprocess

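INTEL_LOG = "/tmp/zeek_block_intel.log"

RULES_FILE = "/usr/local/var/lib/suricata/rules/dynamic_block.rules"
SEEN_FILE = "/usr/local/var/lib/suricata/rules/dynamic_block_seen.txt"

SID_START = 2000000

# Seconds between two polls of INTEL_LOG.
POLL_INTERVAL = 2

# Command run after a batch of new rules has been appended.
# NOTE(review): Suricata documents SIGUSR2 for a live rule reload and SIGHUP
# for log-file rotation - confirm that HUP really reloads rules in this
# deployment before relying on it.
RELOAD_CMD = ["killall", "-HUP", "suricata"]


def _escape_content(value):
    """Escape *value* for use inside a Suricata ``content:"..."`` / ``msg:"..."`` string.

    Intel values are taken from observed traffic (HTTP Host / User-Agent
    headers), so they are attacker-controlled.  An unescaped ``"`` or ``;``
    would terminate the string or the rule option early and let the value
    append further rule options, and a bare ``|`` opens Suricata's hex
    notation.  Backslash is escaped first so the escapes added afterwards are
    not doubled.  In ``msg`` the ``|7C|`` form shows up literally, which is
    cosmetic only.
    """
    escaped = (
        value.replace("\\", "\\\\")
        .replace('"', '\\"')
        .replace(";", "\\;")
    )
    # ``|`` delimits hex bytes in content strings; ``|7C|`` is a literal pipe.
    return escaped.replace("|", "|7C|")


def load_seen(path):
    """Return the set of intel lines that were already turned into rules.

    Args:
        path: seen-file with one intel line per line.  A missing file yields
            an empty set.
    """
    if not os.path.exists(path):
        return set()
    with open(path, encoding="utf-8", errors="replace") as f:
        return {stripped for stripped in (line.strip() for line in f) if stripped}


def build_rule(line, sid):
    """Translate one intel line into a Suricata ``drop`` rule.

    Args:
        line: an already-stripped ``TYPE:value`` intel entry.
        sid: signature id to assign to the rule.

    Returns:
        The rule text without a trailing newline, or ``None`` when the line
        has no ``:``, is of an unknown type, or carries a value that cannot be
        placed safely in a rule (empty, or containing control characters).
    """
    itype, sep, value = line.partition(":")
    if not sep:
        return None
    if itype == "FTP_PORT":
        # The value is deliberately ignored: the rule blocks all FTP control traffic.
        return f'drop tcp any any -> any 21 (msg:"BLOCK FTP"; sid:{sid}; rev:1;)'
    if itype not in ("HTTP_HOST", "HTTP_USERAGENT"):
        return None
    # An empty content:"" is a rule-syntax error, and control characters
    # (including a stray newline) would break the one-line rule format.
    if not value or not value.isprintable():
        return None
    safe = _escape_content(value)
    if itype == "HTTP_HOST":
        return (
            f'drop http any any -> any any (msg:"BLOCK HOST {safe}"; '
            f'http.host; content:"{safe}"; sid:{sid}; rev:1;)'
        )
    return (
        f'drop http any any -> any any (msg:"BLOCK UA {safe}"; '
        f'http.user_agent; content:"{safe}"; sid:{sid}; rev:1;)'
    )


def process_intel(intel_path, rules_path, seen_path, seen, sid):
    """Append a rule for every intel entry not converted yet.

    Args:
        intel_path: Zeek intel log, one ``TYPE:value`` entry per line.
        rules_path: Suricata rule file that new rules are appended to.
        seen_path: file recording the intel lines already converted.
        seen: in-memory mirror of *seen_path*; updated in place.
        sid: next free signature id.

    Returns:
        ``(next_sid, added)``: the next free sid and the number of rules appended.
    """
    added = 0
    with open(intel_path, encoding="utf-8", errors="replace") as f:
        for raw in f:
            line = raw.strip()
            if not line or line in seen:
                continue
            rule = build_rule(line, sid)
            if rule is None:
                continue
            # NOTE: the rule is recorded before the seen entry (original order);
            # a crash between the two writes re-emits that rule on restart.
            with open(rules_path, "a", encoding="utf-8") as rf:
                rf.write(rule + "\n")
            with open(seen_path, "a", encoding="utf-8") as sf:
                sf.write(line + "\n")
            seen.add(line)
            sid += 1
            added += 1
            print(f"[+] BLOCK: {line}")
    return sid, added


def main():
    """Poll INTEL_LOG forever and push new entries into RULES_FILE.

    Only intel lines that produced a rule are recorded in SEEN_FILE, so the
    next free sid is SID_START plus the number of seen lines.
    """
    seen = load_seen(SEEN_FILE)
    sid = SID_START + len(seen)

    print("[*] Bridge started")

    while True:
        if os.path.exists(INTEL_LOG):
            sid, added = process_intel(INTEL_LOG, RULES_FILE, SEEN_FILE, seen, sid)
            # Signal once per batch rather than once per rule.  The return
            # code is ignored on purpose, as the original script did.
            if added:
                subprocess.run(RELOAD_CMD, check=False)
        time.sleep(POLL_INTERVAL)


if __name__ == "__main__":
    main()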