Snort mailing list archives

Re: firewall rules modification based on snort logs


From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 10 Jun 2003 13:55:06 -0400

At 02:21 AM 6/10/2003 -0700, Gaurav Kumar wrote:
Hello snort users...
I was wondering if some script or tool is available to modify the firewall rules based on snort logs (I am using a mysql database for snort logging). For example, if someone is ping flooding my server, the tool will read the logs from snort and modify the iptables rule to DENY the ip address access to my server.


Hogwash and Snortsam are tools that do this.

Hogwash was in a pretty disorganized state last I checked, and is Linux specific, but it's been a few months and may be in a better state now. It's also easy to screw up and wind up wide-open, since it acts as a parallel second path to iptables and the kernel's own routing. To be secure, a Hogwash box should have ip_forwarding disabled and all firewall rules for downstream systems written into hogwash instead of iptables. Don't use hogwash unless you fully understand how enabling ip_forwarding can bypass the whole firewall.

Snortsam operates on several different firewalls, and can configure a firewall that's not on the same system as snort or even in a remotely different location.

However, if you need to split snortsam across an insecure network, make sure to use an SSH tunnel or similar mechanism. It acts by injecting configuration commands into your existing firewall, so it works with IPTables, instead of alongside it. Older versions of Snortsam tried to use encryption without a MAC (only a sequence number) to provide authentication and integrity. Needless to say that doesn't work very well, but AFAIK the feature has been removed. It is however still mentioned in the FAQ in all its incorrect glory.
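As an added illustration of the two points in this thread (turning snort alert records into iptables DROP rules without locking yourself out, and why a remote firewall-control channel needs a MAC rather than encryption plus a sequence number), here is a small Python sketch. It is not Snortsam or Hogwash code; the alert rows, the never-block list and the message format are all constructed for the example.

```python
import hmac
import hashlib
import ipaddress
from collections import Counter

# Constructed sample alert rows, shaped like what a Snort->MySQL logger keeps.
# Addresses come from the RFC 5737 documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    {"sig_name": "ICMP PING flood", "src": "198.51.100.7"},
    {"sig_name": "ICMP PING flood", "src": "198.51.100.7"},
    {"sig_name": "ICMP PING flood", "src": "198.51.100.7"},
    {"sig_name": "ICMP PING flood", "src": "203.0.113.9"},
    {"sig_name": "ICMP PING flood", "src": "10.1.2.3"},
    {"sig_name": "ICMP PING flood", "src": "10.1.2.3"},
    {"sig_name": "ICMP PING flood", "src": "10.1.2.3"},
    {"sig_name": "WEB-MISC example", "src": "198.51.100.7"},
]

# Hypothetical never-block list: a spoofed flood from an internal or admin
# address must not be able to make the script firewall off the LAN or you.
NEVER_BLOCK = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("192.0.2.10/32")]

def select_block_candidates(alerts, threshold=3):
    """Sources with at least `threshold` flood alerts, minus NEVER_BLOCK hits."""
    counts = Counter(a["src"] for a in alerts if "flood" in a["sig_name"].lower())
    chosen = []
    for src, n in counts.items():
        addr = ipaddress.ip_address(src)
        if n >= threshold and not any(addr in net for net in NEVER_BLOCK):
            chosen.append(src)
    return sorted(chosen)

def iptables_commands(sources, chain="INPUT"):
    """One DROP rule per offending source, inserted at the top of the chain."""
    return ["iptables -I %s -s %s -j DROP" % (chain, s) for s in sources]

def sign_command(cmd, seq, key):
    """Bind a sequence number and the command under an HMAC. The MAC is what
    gives integrity and authenticity; encryption plus a bare counter does not."""
    mac = hmac.new(key, b"%d|%s" % (seq, cmd.encode()), hashlib.sha256).hexdigest()
    return "%d|%s|%s" % (seq, cmd, mac)

def verify_command(msg, key, last_seq):
    """Return the command only if the MAC checks out and seq is fresh (no replay)."""
    seq_s, rest = msg.split("|", 1)
    cmd, mac = rest.rsplit("|", 1)
    seq = int(seq_s)
    expected = hmac.new(key, b"%d|%s" % (seq, cmd.encode()), hashlib.sha256).hexdigest()
    if seq <= last_seq or not hmac.compare_digest(mac, expected):
        return None
    return cmd
```

The firewall side would apply a command only after `verify_command` returns it, and the counting logic should be paired with rule expiry so a blocked address does not stay blocked forever.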


