The ipset mode consists of filling an ipset object with addresses that carry a time-limited lifetime.
Note that this is a "hard" method, meaning that an IP address detected by the sources will be automatically banned by your firewall without notice.
Artica PCAP filter creates the IPSet object itself; you only have to decide which iptables rule will use it.
The tokens -enable-ipset or -disable-ipset enable or disable the IPSet remediation (you can use ./articapsniffer -quick-setup-ipset to make the service ready).
You need to define the IPSet object that will be filled by the daemon.
The token -ipset-object [name] defines the name of the IPSet object to create and manage.
The token -ipset-timeout defines the lifetime (in minutes) of an address in the object: when the engine adds an address, it is tagged with an end-of-life time.
You can use -enable-ipset, -ipset-object and -ipset-timeout together in the same command line.
Example:
articapsniffer -enable-ipset -ipset-object articapf -ipset-timeout 30
Enables IPSet remediation using the articapf object; each recorded address is kept for 30 minutes.
iptables -I INPUT -m set --match-set articapf src -j DROP
If you want to log all denied connections, add a LOG rule in front of the DROP rule (LOG does not stop rule processing, so it must come before DROP; inserting it with -I after the DROP rule above puts it first): iptables -I INPUT -m set --match-set articapf src -j LOG --log-prefix "SNIFFER:IN:"
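The two iptables commands above only log blocked connections if the LOG rule ends up above the DROP rule in the INPUT chain. The following script is an added example (not part of the Artica documentation or of articapsniffer): it emits the rules in the correct insertion order and checks the order of existing rules in `iptables -S INPUT` output. The object name articapf comes from the documentation's example; the rule listings are constructed samples so the script runs offline, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not Artica code: verify that matches against the ipset
# object are logged before they are dropped. LOG is a non-terminating
# target, so a LOG rule placed below the DROP rule never fires.

SET_NAME="${SET_NAME:-articapf}"   # object name from the doc's example

# Constructed sample: `iptables -S INPUT` after running the DROP command
# first and then the LOG command, both with -I (insert at top of chain).
GOOD_RULES='-P INPUT ACCEPT
-A INPUT -m set --match-set articapf src -j LOG --log-prefix "SNIFFER:IN:"
-A INPUT -m set --match-set articapf src -j DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

# Constructed sample: the same commands run in the opposite order, so
# DROP sits above LOG and nothing is ever logged.
BAD_RULES='-P INPUT ACCEPT
-A INPUT -m set --match-set articapf src -j DROP
-A INPUT -m set --match-set articapf src -j LOG --log-prefix "SNIFFER:IN:"'

# rule_position RULES SET TARGET
# Prints the 1-based line number of the first rule that matches the set
# as source with the given target, or 0 if there is none.
rule_position() {
    printf '%s\n' "$1" | awk -v set="$2" -v tgt="$3" '
        !found && $0 ~ ("--match-set " set " src") && $0 ~ ("-j " tgt "( |$)") {
            print NR; found = 1
        }
        END { if (!found) print 0 }'
}

# check_logging_order RULES [SET]
# Returns 0 when LOG precedes DROP, 1 when DROP precedes LOG,
# 2 when no DROP rule exists, 3 when DROP exists but LOG is missing.
check_logging_order() {
    rules="$1"; set_name="${2:-$SET_NAME}"
    drop=$(rule_position "$rules" "$set_name" DROP)
    log=$(rule_position "$rules" "$set_name" LOG)
    if [ "$drop" -eq 0 ]; then
        echo "no DROP rule for set $set_name: remediation is not enforced" >&2
        return 2
    elif [ "$log" -eq 0 ]; then
        echo "DROP present but no LOG rule: denied connections are not logged" >&2
        return 3
    elif [ "$log" -lt "$drop" ]; then
        echo "ok: LOG (rule $log) precedes DROP (rule $drop)"
        return 0
    else
        echo "wrong order: DROP (rule $drop) precedes LOG (rule $log); LOG never fires" >&2
        return 1
    fi
}

# emit_rules [SET]
# Prints the two commands in the order that leaves LOG above DROP:
# -I inserts at the top, so DROP goes in first and LOG second.
emit_rules() {
    set_name="${1:-$SET_NAME}"
    printf 'iptables -I INPUT -m set --match-set %s src -j DROP\n' "$set_name"
    printf 'iptables -I INPUT -m set --match-set %s src -j LOG --log-prefix "SNIFFER:IN:"\n' "$set_name"
}

# Usage on the constructed samples; on a live host run
#   check_logging_order "$(iptables -S INPUT)"
check_logging_order "$GOOD_RULES" || true
check_logging_order "$BAD_RULES" || true
emit_rules
```

Once the daemon has created the object, `ipset list articapf` shows each member with its remaining timeout, which is the quickest way to confirm that the lifetime set with -ipset-timeout is actually being applied.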
To reload the daemon, meaning flush the memory caches and reload the source databases into memory, use the token -reload.