Snort mailing list archives
Guardian with Snort
From: claudio antonio <bastosclaudio () yahoo com br>
Date: Thu, 27 May 2004 13:44:49 -0300 (ART)
Can anybody help me? My Guardian is not 100%. My Snort is perfect, but Guardian is not reading the log file. Does anybody have an idea?

My configuration file:

========================Guardian.conf==================
HostIpAddr      192.168.0.12
Interface       eth0
HostGatewayByte 1
LogFile         /var/log/guardian.log
AlertFile       /var/log/secure
IgnoreFile      /etc/guardian.ignore
TargetFile      /etc/guardian.target
TimeLimit       86400
=======================================================

The file Guardian.pl has parts of the configuration file.

=======================Guardian.pl=====================
## This part is modified; my system doesn't have ipchains.
## My system has iptables.
#sub ipchain {
#    my ($source, $dest, $type) = @_;
#    &write_log ("$source\t$type\n");
#    if ($hash{$source} eq "") {
#        &write_log ("Running '$blockpath $source $interface'\n");
#        system ("$blockpath $source $interface");
#        $hash{$source} = time() + $TimeLimit;
#    } else {
#        # We have already blocked this one, but snort detected another attack. So
#        # we should update the time blocked..
#        $hash{$source} = time() + $TimeLimit;
#    }
#}

sub iptable {
    my ($source, $dest, $type) = @_;
    &write_log ("$source\t$type\n");
    if ($hash{$source} eq "") {
        &write_log ("Running '$blockpath $source $interface'\n");
        system ("$blockpath $source $interface");
        $hash{$source} = time() + $TimeLimit;
    } else {
        # We have already blocked this one, but snort detected another attack. So
        # we should update the time blocked..
        $hash{$source} = time() + $TimeLimit;
    }
}

###################################################

$opt_c = "/usr/local/src/guardian-1.7/guardian.conf";

## CHANGED ON 22 MAY 2004 - CLÁUDIO
if (/iptablesPath\s+(.*)/) {
    $iptables_path = $1;
}

if (-x "/usr/local/src/guardian-1.7/guardian_block.sh") {
    $blockpath = "/usr/local/src/guardian-1.7/guardian_block.sh";
}

# I DON'T NEED THIS UNBLOCK AT THE MOMENT.
if (-x "/usr/local/src/guardian-1.7/guardian_unblock.sh") {
    $unblockpath = "/usr/local/src/guardian-1.7/guardian_unblock.sh";
}
=======================================================

and...

=================guardian_block.sh=====================
#!/bin/sh
# this is a sample block script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#   guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all traffic from that source ip
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself.

source=$1
interface=$2

#/sbin/ipchains -I input -s $source -i $interface -j DENY
/sbin/iptables -I INPUT -s "$source" -j DROP
echo "O IP : $1 foi bloqueado!!"
=======================================================

================Guardian_unblock.sh====================
#!/bin/sh
# this is a sample unblock script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#   unblock.sh <source_ip> <interface>
# and the script will issue a command to remove the block that was created with
# block.sh address.

source=$1
interface=$2

#/sbin/ipchains -D input -s $source -i $interface -j DENY
# Delete (-D) the exact rule guardian_block.sh inserted: same chain, match and target.
/sbin/iptables -D INPUT -s "$source" -j DROP
=======================================================

thanks!!

Cláudio Antônio - Brazil - Goiânia - Goiás

=====
Cláudio Antônio de Bastos
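The time-limited block bookkeeping that the iptable sub and %hash in guardian.pl perform, as an added Python example (not Guardian's own code): it assumes constructed syslog-style Snort alert lines, stand-in block/unblock callbacks in place of guardian_block.sh and guardian_unblock.sh, and an ignore list holding the HostIpAddr and gateway from the conf above.

```python
import re
import time

# Constructed sample of syslog-style Snort alert lines (not real traffic).
SAMPLE_ALERTS = """\
May 27 13:44:49 fw snort[812]: [1:1000:1] SCAN nmap TCP {TCP} 10.0.0.5:40123 -> 192.168.0.12:22
May 27 13:44:51 fw snort[812]: [1:1000:1] SCAN nmap TCP {TCP} 10.0.0.5:40124 -> 192.168.0.12:23
May 27 13:45:02 fw snort[812]: [1:2000:2] WEB-MISC probe {TCP} 192.168.0.1:5555 -> 192.168.0.12:80
May 27 13:45:10 fw sshd[900]: Accepted password for root from 10.0.0.9
"""

# Source address of an alert is the IP before ':port ->'; non-snort lines never match.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[[^\]]+\] .*? \{\w+\} (?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> ")


class Guardian:
    def __init__(self, ignore, time_limit, block, unblock, now=time.time):
        self.ignore = set(ignore)       # IgnoreFile plus HostIpAddr and gateway
        self.time_limit = time_limit    # TimeLimit from guardian.conf (seconds)
        self.block, self.unblock, self.now = block, unblock, now
        self.blocked = {}               # source ip -> expiry time, the role of %hash

    def handle_line(self, line):
        m = ALERT_RE.search(line)
        if not m or m.group("src") in self.ignore:
            return None
        src = m.group("src")
        if src not in self.blocked:     # first alert: run the block script once
            self.block(src)
        self.blocked[src] = self.now() + self.time_limit   # repeat alert: refresh expiry
        return src

    def expire(self):
        # Unblock every source whose TimeLimit has elapsed (the unblock path Cláudio disabled).
        for src in [s for s, t in self.blocked.items() if t <= self.now()]:
            self.unblock(src)
            del self.blocked[src]


def run_demo():
    calls, clock = [], [1000]           # fake clock so expiry is deterministic
    g = Guardian(ignore={"192.168.0.12", "192.168.0.1"}, time_limit=60,
                 block=lambda ip: calls.append(("block", ip)),
                 unblock=lambda ip: calls.append(("unblock", ip)),
                 now=lambda: clock[0])
    for line in SAMPLE_ALERTS.splitlines():
        g.handle_line(line)
    clock[0] += 61                      # advance past TimeLimit
    g.expire()
    return calls                        # [("block", "10.0.0.5"), ("unblock", "10.0.0.5")]
```

The gateway alert and the sshd line produce no block, and the second alert from 10.0.0.5 only refreshes its expiry rather than inserting a second rule.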