Why Artica PCAP filter?
The default way to protect your server is to preload lists into firewall rules.
However, these lists burden the firewall process for the sake of a few addresses that might ever come into contact with your network.
Artica PCAP filter loads these lists outside the firewall and reacts only when an address matches a record loaded in its databases.
Anyone can use Artica PCAP filter, as it has been designed to be independent of the core Artica engine.
It can be managed from the command line or using the Artica Web console.
Artica PCAP filter can run as a tool or as a daemon to secure your server network, and it provides a REST HTTP API to query its database.
Artica is able to capture network packets from the locally defined network interface and/or scan events from a Fortigate firewall using syslog (version 1.0.28).
- In conjunction with CrowdSec or Fail2ban:
Artica PCAP filter will write alert events to its log file, so CrowdSec or Fail2ban will react accordingly and perform the necessary remediation.
- Feeding an ipset object:
When an IP address is detected, Artica PCAP filter automatically adds this address to an ipset object for a set period of time.
- ProxMox remediation:
This method consists of remotely filling a ProxMox IPSet object with a time-limited duration.
- Fortigate remediation:
This method consists of remotely filling a Fortigate IP address group object with a time-limited duration.
- pfSense remediation:
This method consists of remotely filling a pfSense address alias object with a time-limited duration.
- HTTP lists:
Artica PCAP filter uses HTTP/HTTPs/RBL to periodically download lists (addresses or networks separated by a carriage return).
Example: FireHOL lists
- RBL method:
Artica PCAP filter can perform DNS queries on IP addresses to detect whether an IP address is listed as malicious.
- Whitelists:
This is a software-internal database that automatically authorizes addresses and networks.
- IP geolocalization:
Deny/warn if an IP address is located in specific countries.
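To illustrate the matching logic described above (a downloaded list of addresses/networks, a whitelist that takes precedence, an alert line for CrowdSec/Fail2ban and a time-limited ipset entry), here is an added example in Python. It is not Artica's own code; the list contents, the set name `pcapfilter_deny`, the log line format and the use of `#` comments in list files are all assumptions made for the example.

```python
import ipaddress

# Constructed sample list in the one-entry-per-line style of FireHOL feeds.
# Handling of '#' comments and blank lines is an assumption of this example.
SAMPLE_LIST = """\
# constructed sample, not a real feed
203.0.113.0/24
198.51.100.17

192.0.2.0/25
"""

# Constructed whitelist: networks that must never trigger a remediation.
SAMPLE_WHITELIST = "192.0.2.0/28\n"


def load_list(text):
    """Parse a list into network objects; a bare address becomes a /32 (or /128)."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_match(addr, nets):
    """Return the most specific network containing addr, or None."""
    ip = ipaddress.ip_address(addr)
    hits = [n for n in nets if n.version == ip.version and ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def evaluate(addr, blocklist, whitelist, timeout=3600):
    """Decide the action for one observed source address.

    The whitelist wins over the blocklist. On a hit, return the alert line a
    CrowdSec/Fail2ban parser could match and the ipset command that would add
    the address with a timeout (the set must have been created with timeout
    support; the set name is hypothetical).
    """
    if find_match(addr, whitelist):
        return ("whitelisted", None, None)
    hit = find_match(addr, blocklist)
    if hit is None:
        return ("clean", None, None)
    log_line = f"PCAP-FILTER ALERT src={addr} matched={hit}"
    ipset_cmd = ["ipset", "add", "pcapfilter_deny", addr,
                 "timeout", str(timeout), "-exist"]
    return ("deny", log_line, ipset_cmd)


if __name__ == "__main__":
    blocklist, whitelist = load_list(SAMPLE_LIST), load_list(SAMPLE_WHITELIST)
    for src in ("203.0.113.9", "192.0.2.5", "192.0.2.100", "10.0.0.1"):
        print(src, evaluate(src, blocklist, whitelist))
```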
There are two ways to use it:
- Stand-alone: Download the software and use the command line to configure it.
- With the Core Artica engine: Use the Web interface to install and manage it.