Snort mailing list archives
RES: Guardian with Snort
From: "Franco Catena" <facatena () surson com br>
Date: Tue, 8 Jun 2004 08:12:56 -0300
Hi Claudio, I'm having a few problems that maybe you can help me with.... I have Conectiva's CL9 running snort 1.9x and guardian 1.6. The trouble is that snort records the attacks in the alert file but not in MySQL, and guardian, although it identifies them, does not add the rule to iptables. Do you know what it could be?

Cheers,
Franco Catena
http://www.surson.com.br
tel 011-55390073 cel:82021562
MSN: facdavilla () hotmail com ICQ: 24755602

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On behalf of claudio antonio
Sent: Thursday, 27 May 2004 13:45
To: snort-users () lists sourceforge net
Subject: [Snort-users] Guardian with Snort

Can anybody help me????? My Guardian is not 100%; my snort is perfect, but guardian is not reading the log file. Does anybody have an idea? Here is my configuration file.

========================Guardian.conf==================
HostIpAddr = 192.168.0.12
Interface eth0
HostGatewayByte 1
LogFile /var/log/guardian.log
AlertFile /var/log/secure
IgnoreFile /etc/guardian.ignore
TargetFile /etc/guardian.target
TimeLimit 86400
=======================================================

The Guardian.pl file has these parts of the configuration.

=======================Guardian.pl=====================
## This part is modified; my system doesn't have ipchains,
## it has iptables.
#sub ipchain {
#    my ($source, $dest, $type) = @_;
#    &write_log ("$source\t$type\n");
#    if ($hash{$source} eq "") {
#        &write_log ("Running '$blockpath $source $interface'\n");
#        system ("$blockpath $source $interface");
#        $hash{$source} = time() + $TimeLimit;
#    } else {
#        # We have already blocked this one, but snort detected another attack. So
#        # we should update the time blocked..
#        $hash{$source} = time() + $TimeLimit;
#    }
#}

sub iptable {
    my ($source, $dest, $type) = @_;
    &write_log ("$source\t$type\n");
    if ($hash{$source} eq "") {
        &write_log ("Running '$blockpath $source $interface'\n");
        system ("$blockpath $source $interface");
        $hash{$source} = time() + $TimeLimit;
    } else {
        # We have already blocked this one, but snort detected another attack. So
        # we should update the time blocked..
        $hash{$source} = time() + $TimeLimit;
    }
}

###################################################
$opt_c = "/usr/local/src/guardian-1.7/guardian.conf";

## CHANGED ON 22 MAY 2004 - CLÁUDIO
# (inside the guardian.conf parsing loop, where $_ holds the current line)
if (/iptablesPath\s+(.*)/) {
    $iptables_path = $1;
}

if (-x "/usr/local/src/guardian-1.7/guardian_block.sh") {
    $blockpath = "/usr/local/src/guardian-1.7/guardian_block.sh";
}

# I DON'T NEED THIS UNBLOCK AT THE MOMENT.
if (-x "/usr/local/src/guardian-1.7/guardian_unblock.sh") {
    $unblockpath = "/usr/local/src/guardian-1.7/guardian_unblock.sh";
}
=======================================================

and...

=================guardian_block.sh=====================
#!/bin/sh
# this is a sample block script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#   guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all traffic from that source ip
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself.

source=$1
interface=$2

#/sbin/ipchains -I input -s $source -i $interface -j DENY
/sbin/iptables -I INPUT -s $source -j DROP
echo "IP $1 has been blocked!!"
=======================================================

================Guardian_unblock.sh====================
#!/bin/sh
# this is a sample unblock script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#   unblock.sh <source_ip> <interface>
# and the script will issue a command to remove the block that was created with
# block.sh address.

source=$1
interface=$2

#/sbin/ipchains -D input -s $source -i $interface -j DENY
# -D must name exactly the rule that guardian_block.sh inserted (same chain,
# match and target), otherwise iptables finds nothing to delete.
/sbin/iptables -D INPUT -s $source -j DROP
=======================================================

thanks!!
Cláudio Antônio - Brazil - Goiânia - Goiás

=====
Cláudio Antônio de Bastos

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
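The block and unblock scripts quoted above take the source address straight from guardian's command line and hand it to iptables without checking it, and the unblock rule has to mirror the block rule exactly for `-D` to find it. The script below is an added example, written for this page and not part of guardian or of either poster's setup. It serves as both guardian_block.sh and guardian_unblock.sh (install it once and symlink it under the second name; that naming convention is an assumption of the example), keeps guardian's `<source_ip> <interface>` calling convention, validates the address before it reaches a shell command, re-checks guardian's IgnoreFile as a second line of defence, and only inserts a rule that is not already present. The paths in `IPTABLES` and `IGNORE_FILE` are assumptions and can be overridden from the environment; `iptables -C` needs iptables 1.4.11 or later, which is newer than the versions in this thread, so on older releases that check would have to be done by scanning `iptables -L -n` output instead.

```shell
#!/bin/sh
# Added example (not guardian's own scripts): one file that acts as both
# guardian_block.sh and guardian_unblock.sh, chosen by the name it is run as.
# Guardian calls either as:  <script> <source_ip> <interface>
# IPTABLES and IGNORE_FILE are assumed paths, overridable from the environment.
IPTABLES="${IPTABLES:-/sbin/iptables}"
IGNORE_FILE="${IGNORE_FILE:-/etc/guardian.ignore}"

# valid_ipv4 ADDR: succeed only for a dotted quad of four octets 0-255.
# The address comes from the alert file via guardian's system() call, so
# anything that is not a plain address is refused before it reaches iptables.
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# is_ignored ADDR: succeed if ADDR is listed, one per line, in IGNORE_FILE.
# Guardian consults its own IgnoreFile, but checking again here means a
# mistaken or spoofed alert can never lock out the gateway or the sensor.
is_ignored() {
    [ -r "$IGNORE_FILE" ] && grep -qxF -- "$1" "$IGNORE_FILE"
}

# guardian_block ADDR IFACE: insert a DROP rule once; calling it again for an
# address that is already blocked is a no-op rather than a duplicate rule.
guardian_block() {
    _src=$1; _if=$2
    valid_ipv4 "$_src" || { echo "refusing malformed address '$_src'" >&2; return 2; }
    is_ignored "$_src" && { echo "$_src is on the ignore list, not blocking" >&2; return 3; }
    # iptables -C (check, iptables >= 1.4.11) succeeds when the rule already exists
    if "$IPTABLES" -C INPUT -i "$_if" -s "$_src" -j DROP 2>/dev/null; then
        return 0
    fi
    "$IPTABLES" -I INPUT -i "$_if" -s "$_src" -j DROP
}

# guardian_unblock ADDR IFACE: delete exactly the rule guardian_block inserted
# (same chain, same matches, same target), otherwise -D finds nothing.
guardian_unblock() {
    _src=$1; _if=$2
    valid_ipv4 "$_src" || { echo "refusing malformed address '$_src'" >&2; return 2; }
    "$IPTABLES" -D INPUT -i "$_if" -s "$_src" -j DROP
}

# Dispatch on the name the script was invoked under, only when guardian has
# supplied both arguments; sourcing the file just defines the functions.
if [ $# -eq 2 ]; then
    case "$(basename "$0")" in
        *unblock*) guardian_unblock "$1" "$2" ;;
        *)         guardian_block "$1" "$2" ;;
    esac
fi
```

The interface is passed to iptables with `-i`, as the original ipchains lines did, so a block only applies on the interface guardian named; drop the `-i "$_if"` from both functions if the rule should apply on every interface, but drop it from both or the unblock will stop matching.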
Current thread:
- Guardian with Snort claudio antonio (May 27)
- RES: Guardian with Snort Franco Catena (Jun 08)
- Re: RES: Guardian with Snort bonnie buwono (Jun 08)
- RES: Guardian with Snort Franco Catena (Jun 08)