[Snort-users] firewall rules modification based on snort logs
mkettler at ...4108...
Tue Jun 10 11:09:10 EDT 2003
At 02:21 AM 6/10/2003 -0700, Gaurav Kumar wrote:
>Hello snort users...
>I was wondering if some script or tool is available to modify the firewall
>rules based on snort logs (I am using a mysql database for snort logging).
>For example, if someone is ping flooding my server, the tool will read the logs
>from snort and modify the iptables rule to DENY the ip address to access my
Hogwash and Snortsam are tools that do this.
Hogwash was in a pretty disorganized state last I checked, and is Linux
specific, but it's been a few months and may be in a better state now. It's
also easy to screw up and wind up wide-open, since it acts as a parallel
second path to iptables and the kernel's own routing. To be secure, a
Hogwash box should have ip_forwarding disabled and all firewall rules for
downstream systems written into hogwash instead of iptables. Don't use
hogwash unless you fully understand how enabling ip_forwarding can bypass
the whole firewall.
Snortsam operates on several different firewalls, and can configure a
firewall that's not on the same system as snort or even in a remotely
However if you need to split snortsam across an insecure network, make sure
to use a SSH tunnel or similar mechanism. It acts by injecting
configuration commands to your existing firewall, so it works with
IPTables, instead of alongside it. Older versions of Snortsam tried to use
encryption without a MAC (only a sequence number) to provide authentication
and integrity. Needless to say that doesn't work very well, but AFAIK the
feature has been removed. It is however still mentioned in the FAQ in all
its incorrect glory.
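The question asks for a script that turns Snort alerts into iptables deny rules, and the reply warns that an earlier Snortsam transport used encryption without a MAC for its firewall commands. The following is an added example, not code from the original thread, Hogwash or Snortsam: it parses Snort "fast"-format alert lines (constructed samples, not real logs), counts ICMP alerts per source, emits an iptables DROP rule for sources over a threshold while refusing to block addresses on a never-block list, and wraps each block command for a remote firewall agent in an HMAC-SHA256 tag with a sequence number and timestamp so the receiver can check integrity, origin and replay. The alert format, threshold, JSON wire format and the `NEVER_BLOCK` addresses are assumptions made for the example.

```python
"""Alert-to-firewall-rule generator with HMAC-authenticated block messages.

Added example, not the original post's code and not Hogwash/Snortsam code.
Assumptions: Snort "fast" alert format, a per-source ICMP threshold, and a
JSON payload + HMAC-SHA256 tag as the transport to a remote firewall agent.
"""
import hashlib
import hmac
import json
import re
import time
from collections import Counter

# Constructed sample alerts (not real logs). 203.0.113.7 sends 5 ICMP pings
# plus one TCP alert; 198.51.100.3 sends 1 ping; 192.0.2.1 is the local
# gateway's monitoring pings and must never be blocked.
SAMPLE_ALERTS = """\
06/10-02:21:01.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/10-02:21:01.100001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/10-02:21:01.200001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/10-02:21:01.300001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/10-02:21:01.400001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
06/10-02:21:02.000001  [**] [1:2001:1] SSH scan [**] [Priority: 2] {TCP} 203.0.113.7:40000 -> 192.0.2.10:22
06/10-02:21:03.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 198.51.100.3 -> 192.0.2.10
06/10-02:21:04.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
06/10-02:21:05.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
06/10-02:21:06.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
06/10-02:21:07.000001  [**] [1:384:5] ICMP PING [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
"""

# Matches the "{PROTO} src[:port] -> dst[:port]" tail of a fast-format alert.
FAST_RE = re.compile(r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)")

# Addresses the automation must never block (assumed: gateway, sensor, loopback).
# Without such a list a spoofed or misfiring alert can lock you out of your own box.
NEVER_BLOCK = {"192.0.2.1", "192.0.2.10", "127.0.0.1"}


def count_sources(alert_text, proto="ICMP"):
    """Count alerts per source address for one protocol."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = FAST_RE.search(line)
        if m and m.group("proto") == proto:
            counts[m.group("src")] += 1
    return counts


def offenders(counts, threshold):
    """Sources at or above the threshold, excluding the never-block list."""
    return sorted(ip for ip, n in counts.items()
                  if n >= threshold and ip not in NEVER_BLOCK)


def iptables_rule(ip):
    """Rule text only; a real deployment would also expire the rule later."""
    return f"iptables -I INPUT -s {ip} -j DROP"


def plan_blocks(alert_text, threshold=3):
    return [iptables_rule(ip) for ip in offenders(count_sources(alert_text), threshold)]


def sign_block(ip, key, seq, ts=None):
    """Build a block command and its HMAC tag. seq defeats replay, ts bounds age,
    and the tag binds both to the command so neither can be altered in transit."""
    payload = json.dumps({"cmd": "block", "ip": ip, "seq": seq,
                          "ts": ts if ts is not None else int(time.time())},
                         sort_keys=True)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return payload, tag


def verify_block(payload, tag, key, last_seq, max_age=300, now=None):
    """Receiver side: verify the tag first, then reject replays and stale messages.
    Returns the parsed command or None."""
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    msg = json.loads(payload)
    if msg.get("cmd") != "block" or msg["seq"] <= last_seq:
        return None
    now = now if now is not None else int(time.time())
    if abs(now - msg["ts"]) > max_age:
        return None
    return msg


if __name__ == "__main__":
    key = b"shared-secret-from-config"  # constructed; load from a protected file in practice
    for rule in plan_blocks(SAMPLE_ALERTS):
        print(rule)
    payload, tag = sign_block("203.0.113.7", key, seq=1)
    print(verify_block(payload, tag, key, last_seq=0))
```

Running it prints one DROP rule, for 203.0.113.7 only: the gateway's four pings exceed the threshold but are filtered by the never-block list, and the TCP alert is not counted toward the ICMP threshold. The receiver checks the HMAC before parsing the JSON, so a modified address, a forged tag, a replayed sequence number or a stale timestamp are all rejected; that is the integrity and authentication property the reply says sequence numbers alone could not provide.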