Snort mailing list archives
guardian2, a snort log watcher and active responder
From: Yunliang Yu <yu () math duke edu>
Date: Mon, 15 May 2006 10:35:30 -0400 (EDT)
Hello All,

I'd like to announce the availability of a new snort log watcher program. Guardian2 watches over the snort or syslog files and responds with a pre-defined action whenever a match with any of your rules occurs. It's based on guardian-1.7, http://www.chaotic.org/guardian/ , and it has the following features:

* it can watch over multiple log files at the same time
* it has full regex support for easy configuration
* flexible match for hosts/ports to make it possible to parse other log files such as syslog or apache logs
* each rule can have multiple thresholds and throttling
* thresholds can be target-host based or port based
* each rule can be overridden for any hosts. also supports global overrides.
* tracking can be attached to a rule to track remote hosts' activities
* each rule can have a tag to let you customize the blocking script easily
* guardian2 on multiple hosts can communicate via the PullCommand. For example, your syslog server can track those hosts blocked on the firewall
* it tries hard not to block any important hosts on the network:)
* it handles log rotations gracefully
* '-D' option for you to play around without causing any harm:)

The following line is an interesting example in the sample .rule file:

    Invalid user \S+ from +++ 10/30 50/8h ==> ${FW} 6h

which will inform the firewall to block the remote host for 6 hours if we get at least 10 'Invalid user...' entries from that host within 30 seconds, or 50 entries within 8 hours.

The package is available, as a .tar.gz file, at:

    http://www.math.duke.edu/~yu/guardian2/

See 'guardian.conf' for more configuration info.

Have fun!

-yu
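As an added illustration of the threshold semantics the post describes (my own code, not guardian2's), here is a small Python watcher that applies that exact rule line to constructed syslog lines. It assumes, as the post's explanation implies, that '+++' marks the remote-host field, that each threshold is a count/window pair, and that the text after '==>' names the action and the block duration.

```python
import re
from collections import defaultdict, deque

# Constructed rule, copied from the .rule example quoted in the post.  Assumption
# (mine): '+++' marks the remote-host field, each threshold is "count/window"
# with an optional s/m/h suffix, and '==>' is followed by the action and duration.
RULE = r"Invalid user \S+ from +++ 10/30 50/8h ==> ${FW} 6h"

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600}

def parse_duration(text):
    m = re.fullmatch(r"(\d+)([smh]?)", text)
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_rule(line):
    pattern, rest = line.split(" +++ ", 1)
    thresholds, action = rest.split(" ==> ", 1)
    target, duration = action.split()
    regex = re.compile(pattern + r" (?P<host>\d+\.\d+\.\d+\.\d+)")
    limits = [(int(c), parse_duration(w))
              for c, w in (t.split("/") for t in thresholds.split())]
    return regex, limits, target, parse_duration(duration)

class Watcher:
    """Sliding-window hit counter per remote host; one deque per threshold."""
    def __init__(self, rule):
        self.regex, self.limits, self.target, self.block_for = parse_rule(rule)
        self.hits = defaultdict(lambda: [deque() for _ in self.limits])
        self.blocked = {}  # host -> unix time at which its block expires

    def feed(self, ts, line):
        """Feed one log line with its unix timestamp.
        Returns (action, host, seconds) when a threshold trips, else None."""
        m = self.regex.search(line)
        if not m:
            return None
        host = m.group("host")
        if self.blocked.get(host, 0) > ts:      # throttle: already blocked
            return None
        for (count, window), q in zip(self.limits, self.hits[host]):
            q.append(ts)
            while q and q[0] <= ts - window:    # expire hits outside the window
                q.popleft()
            if len(q) >= count:
                self.blocked[host] = ts + self.block_for
                del self.hits[host]
                return (self.target, host, self.block_for)
        return None
```

The second threshold is what catches a slow source: ten attempts a minute apart never fill the 10/30 window, but the fiftieth within eight hours still trips the rule.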