Snort mailing list archives

guardian2, a snort log watcher and active responder


From: Yunliang Yu <yu () math duke edu>
Date: Mon, 15 May 2006 10:35:30 -0400 (EDT)

Hello All,

I'd like to announce the availability of a new snort log watcher program.
Guardian2 watches over the snort or syslog files and responds with a
pre-defined action whenever a match with any of your rules occurs. It's
based on guardian-1.7, http://www.chaotic.org/guardian/, and it has the
following features:

* it can watch over multiple log files at the same time
* it has full regex support for easy configuration
* flexible match for hosts/ports to make it possible to parse other log
  files such as syslog or apache logs
* each rule can have multiple thresholds and throttling
* thresholds can be target-host based or port based
* each rule can be overridden for any hosts. Also supports global
  overrides.
* tracking can be attached to a rule to track remote hosts' activities
* each rule can have a tag to let you customize the blocking script easily
* guardian2 on multiple hosts can communicate via the PullCommand. For
  example, your syslog server can track those hosts blocked on the
  firewall
* it tries hard not to block any important hosts on the network:)
* it handles log rotations gracefully
* '-D' option for you to play around without causing any harm:)

The following line is an interesting example in the sample .rule file:
    Invalid user \S+ from  +++ 10/30 50/8h ==> ${FW} 6h
which will inform the firewall to block the remote host for 6 hours if we
get at least 10 'Invalid user...' entries from that host within 30
seconds, or 50 entries within 8 hours.

The package is available, as a .tar.gz file, at:

        http://www.math.duke.edu/~yu/guardian2/

See 'guardian.conf' for more configuration info.

Have fun!
-yu
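The threshold semantics of the sample rule above, as an added Python example that is not part of guardian2 or this post: it parses a rule line laid out like the sample (the `+++` / `==>` field layout and taking the remote host as the token after the pattern are assumptions), keeps a per-host sliding window of matches, and shows which constructed sshd-style log lines would trip the firewall action.

```python
import re
from collections import defaultdict, deque
# Constructed rule in the spirit of the sample line; the field layout
# (pattern +++ count/window ... ==> action duration) is an assumption.
RULE = r"Invalid user \S+ from  +++ 10/30 50/8h ==> ${FW} 6h"
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_window(spec):
    # '30' -> 30 (bare numbers are seconds), '8h' -> 28800
    m = re.fullmatch(r"(\d+)([smhd]?)", spec)
    return int(m.group(1)) * UNITS[m.group(2) or "s"]

def parse_rule(line):
    # Split a rule into compiled pattern, (count, window) limits and action.
    pattern, rest = line.split("+++")
    thresholds, action = rest.split("==>")
    limits = [(int(c), parse_window(w))
              for c, w in (t.split("/") for t in thresholds.split())]
    act, duration = action.split()
    # Assumption: the remote host is the token right after the pattern.
    return {"re": re.compile(pattern.strip() + r"\s+(\S+)"), "limits": limits,
            "action": act, "block_for": parse_window(duration)}

class Watcher:
    """Per-host sliding window of hits; the action fires once per block period."""
    def __init__(self, rule):
        self.rule, self.hits, self.blocked, self.actions = rule, defaultdict(deque), {}, []
    def feed(self, ts, line):
        m = self.rule["re"].search(line)
        if not m or self.blocked.get(m.group(1), -1) > ts:
            return None                      # no match, or host already blocked
        host, q = m.group(1), self.hits[m.group(1)]
        q.append(ts)
        while ts - q[0] > max(w for _, w in self.rule["limits"]):
            q.popleft()                      # drop hits older than the widest window
        for count, window in self.rule["limits"]:
            if sum(1 for t in q if ts - t <= window) >= count:
                self.blocked[host] = ts + self.rule["block_for"]
                q.clear()
                self.actions.append((host, self.rule["action"], self.rule["block_for"]))
                return self.actions[-1]
        return None

def demo():
    # Constructed sshd-style lines: a burst, a slow trickle, and a near miss.
    w = Watcher(parse_rule(RULE))
    for i in range(10):      # 10 failures in 10 s -> trips 10/30
        w.feed(1000 + i, "sshd[123]: Invalid user admin from 192.0.2.10")
    for i in range(50):      # one failure every 500 s -> trips 50/8h, not 10/30
        w.feed(2000 + 500 * i, "sshd[124]: Invalid user test from 198.51.100.7")
    for i in range(9):       # 9 failures in 9 s -> below both thresholds
        w.feed(3000 + i, "sshd[125]: Invalid user guest from 203.0.113.5")
    return w.actions
```

Timestamps are plain seconds so the window arithmetic is visible; a real watcher would parse them from the log line and run the action (here only recorded) against the firewall.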


