Snort mailing list archives
Re: firewall rules modification based on snort logs
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 10 Jun 2003 13:55:06 -0400
At 02:21 AM 6/10/2003 -0700, Gaurav Kumar wrote:
hello snort users... I was wondering if some script or tool is available to modify the firewall rules based on snort logs (I am using a MySQL database for snort logging). For example, if someone is ping flooding my server, the tool will read the logs from snort and modify the iptables rule to DENY the IP address access to my server.
Hogwash and Snortsam are tools that do this. Hogwash was in a pretty disorganized state last I checked, and is Linux specific, but it's been a few months and may be in a better state now. It's also easy to screw up and wind up wide-open, since it acts as a parallel second path to iptables and the kernel's own routing. To be secure, a Hogwash box should have ip_forwarding disabled and all firewall rules for downstream systems written into Hogwash instead of iptables. Don't use Hogwash unless you fully understand how enabling ip_forwarding can bypass the whole firewall.
Snortsam operates on several different firewalls, and can configure a firewall that's not on the same system as snort or even in a remotely different location.
However, if you need to split Snortsam across an insecure network, make sure to use an SSH tunnel or similar mechanism. It acts by injecting configuration commands into your existing firewall, so it works with iptables, instead of alongside it. Older versions of Snortsam tried to use encryption without a MAC (only a sequence number) to provide authentication and integrity. Needless to say that doesn't work very well, but AFAIK the feature has been removed. It is however still mentioned in the FAQ in all its incorrect glory.
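As an added illustration of the alert-to-firewall idea in the question (not Snortsam or Hogwash code, and not from the original thread), the script below turns Snort alert rows into iptables DROP commands while keeping the two safeguards such an auto-blocker needs: a hit threshold per source, and a never-block list so that spoofed or noisy alerts cannot get your own gateway or DNS server locked out. The alert rows, the threshold and the protected networks are constructed sample values; the script only produces the commands, it does not execute them.

```python
"""Derive iptables DROP rules from Snort alerts, with threshold and
never-block safeguards.  Added example, not Snortsam/Hogwash code."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed rows shaped like the result of a query against Snort's MySQL
# schema (event JOIN iphdr JOIN signature): (timestamp, src_ip, sig_name).
SAMPLE_ALERTS = (
    [("2003-06-10 13:50:%02d" % i, "203.0.113.7", "ICMP PING") for i in range(25)]
    + [("2003-06-10 13:51:00", "198.51.100.9", "ICMP PING")]           # a single ping
    + [("2003-06-10 13:52:%02d" % i, "192.0.2.53", "ICMP PING") for i in range(30)]
)

# Signatures that justify an automatic block (constructed set).
BLOCKABLE_SIGS = {"ICMP PING"}

# Sources that must never be blocked, whatever the logs say: our own networks,
# upstream gateway and DNS.  Snort alerts carry the packet's claimed source, so
# spoofed traffic could otherwise trick the blocker into cutting these off.
NEVER_BLOCK = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]


def offenders(alerts, threshold=20):
    """Return sources with at least `threshold` blockable alerts, minus protected ranges."""
    counts = Counter(src for _, src, sig in alerts if sig in BLOCKABLE_SIGS)
    result = []
    for src, hits in counts.items():
        if hits < threshold:
            continue
        addr = ip_address(src)
        if any(addr in net for net in NEVER_BLOCK):
            continue
        result.append(src)
    return sorted(result)


def iptables_rules(ips, chain="INPUT"):
    """Return (insert_cmds, delete_cmds); keep the delete list so blocks can expire."""
    adds = ["iptables -I %s -s %s -j DROP" % (chain, ip) for ip in ips]
    dels = ["iptables -D %s -s %s -j DROP" % (chain, ip) for ip in ips]
    return adds, dels


if __name__ == "__main__":
    blocked = offenders(SAMPLE_ALERTS)          # -> ['203.0.113.7']
    for cmd in iptables_rules(blocked)[0]:
        print(cmd)
```

Run the delete commands after a fixed interval; a block that never expires turns a spoofed flood into a permanent self-inflicted outage.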