As an update:    I lost some of my blocks when the IDS timer expired.   Support helped me realize that I could make them permanent by selecting any or all and choosing "blacklist".

Now I am back to collecting attacker addresses.   Currently adding at least 100 attack addresses per day to the blacklist.  Now my only concern is managing performance as the list grows.

It would be great if we could export these in a CSV or something. We also copy these (and copying them is a pain!) and add them to a block list at the firewall level.

I'd like to see the ids blocks put in a log or database then after they expire if the ip shows up again a 2nd time in a 30 day period it adds them to the blacklist. It shouldnt be to hard since SM does this with greylisting. If would also be nice if it would send a email when it added blacklist entry.

A very good idea, Matthew. And we would like to permanently see what IPs were blocked in the past and how many times.

@Matthew I think your suggestion of adding the IP to the blacklist automatically when detected by the IDS twice in a 30 day period, but believe this would require some longer term storage of the IDS list contents and may or may not be something we can implement. Only one way to find out though! I'll get a feature request submitted on this for you and we can go from there. Have a good one!

>@Matthew I think your suggestion of adding the IP to the blacklist automatically when detected by the IDS twice in a 30 day period...

It's a great idea. Seriously, not trying to be a PITA, via this august forum I recommended introducing this kind of logic to the IDS years ago... Went nowhere but hope springs eternal!

Matthew I agree and one member of development actually came by earlier this week to express support for a feature request as well. That being said, we believe this would likely take the form of a report which details IDS blocks, repeat offenders, etc. A neat addition to this would be if the report allowed for something like Actions>Blacklist IP from the report itself. Just some stuff we've been discussing and I'll make sure this all gets noted with development. Have a good one!

Just to reinforce the concept, we all know that our own customers can sometimes trigger an IDS event by accident by sending the wrong password in an email client. But dedicated spam engines wait for the IDS blocks to expire and then revisit the services that they are attempting to penetrate. I would think that some logic expressed as X strikes and you're out for good makes sense, rather than the X minutes or hours before releasing the block. Anyway, thanks to the dev team for considering it. Run it up the pole and see who salutes.

This can be done thru the API

I don't do it on our office implementation, but I have a program setup on my home implementation that monitors the logs daily.  It looks for failed access attempts and when exceeding a certain threshold it automatically adds those IPs into the Blacklist.   I see no reason it couldn't be scaled up to handle multiple domains and all.  Just my $.02

Most days I see 1 or 2 IPs... when kids are out of school and on holidays that can grow to 20 to 50 IPs per day... and this is on a home server... single domain, 10 mailboxes.   So... on a larger system, this could block a LOT of IPs so you would probably want to log WHEN they entered the blacklist somewhere so after X number of days you could remove them from the blacklist as well.

Bump