Inspect incoming WAN packets for undesired content/text

[Guest]

[sagor]

Is there a way to use Endian to inspect incoming WAN packets for unwanted text, and ban the source IP?
For example, some hacker bot trying to connect to a web site, trying to connect to "//phpadmin/admin.php". I'd like to trap that packet and blacklist the source IP automatically.

I can do this somewhat with a text based firewall (Mikrotik) by flagging it in a early "mangle" stage, then having the firewall blacklist the source IP based on the flag that is triggered by this text.

I've just loaded Endian, hoping it may do the same, somehow, but don't see any menu option to do this function.

Am I dreaming that higher end firewalls don't do this function? Does it take too much compute power?

Thanks

PS: The web server is on the LAN side, on a separate PC. Just want to use Endian as an intelligent firewall/router
PPS I see Snort has a lot of rules, but how does one add a simple "text" probe to these? Does Snort use a lot of resources? (I assume so...)

[mrkroket]

You should do it with Intrusion Prevention (=snort).

You can probably create a custom ruleset on /etc/snort/rules/custom, by adding a new file.

Check an existing ruleset to see how works
/etc/snort/rules/auto/emerging-web_server.rules

I never created a snort rule, so I can't help you.

[mrkroket]

Edited:

Use "upload custom rules" button from Web, I think is easier for adding your custom rules.