[Snort-users] firewall rules modification based on snort logs

Matt Kettler mkettler at ...4108...
Tue Jun 10 11:09:10 EDT 2003


At 02:21 AM 6/10/2003 -0700, Gaurav Kumar wrote:
>hello snort user...
>i was wondering if some script or tool is available to modify the firewall 
>rules based on snort logs (i am using mysql database for snort logging).
>for example if someone is ping flooding my server, tool will read the logs 
>from snort and modify the iptable rule to DENY the ip address to access my 
>server.
>

Hogwash and Snortsam are tools that do this.

Hogwash was in a pretty disorganized state last I checked, and is Linux 
specific, but it's been a few months and may be in a better state now. It's 
also easy to screw up and wind up wide-open, since it acts as a parallel 
second path to iptables and the kernel's own routing. To be secure, a 
Hogwash box should have ip_forwarding disabled and all firewall rules for 
downstream systems written into hogwash instead of iptables. Don't use 
hogwash unless you fully understand how enabling ip_forwarding can bypass 
the whole firewall.

Snortsam operates on several different firewalls, and can configure a 
firewall that's not on the same system as snort or even in a remotely 
different location.

However if you need to split snortsam across an insecure network, make sure 
to use an SSH tunnel or similar mechanism. It acts by injecting 
configuration commands to your existing firewall, so it works with 
IPTables, instead of alongside it. Older versions of Snortsam tried to use 
encryption without a MAC (only a sequence number) to provide authentication 
and integrity. Needless to say that doesn't work very well, but AFAIK the 
feature has been removed. It is however still mentioned in the FAQ in all 
its incorrect glory.
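The kind of log-to-firewall automation the question asks about, as an added example that is not part of this thread and not code from Snort, Hogwash or Snortsam. It reads alert records (constructed in-line here; Snort's MySQL schema is not reproduced, so the record layout, the chain name SNORT_BLOCK, the threshold and the protected ranges are all assumptions), counts alerts per source within a time window, refuses to block addresses in a never-block list, and returns the iptables commands for review rather than running them, since an auto-blocker that acts on every alert will happily cut off your own gateway when a source address is spoofed.

```python
"""Turn Snort alerts into iptables DROP rules, with guard rails.

Added example, not Snort, Hogwash or Snortsam code. Alerts are
constructed below; a real deployment would read them from the
Snort database or alert file. Field layout and names are assumed.
"""
import ipaddress
import shlex
import subprocess
from collections import defaultdict
from datetime import datetime, timedelta

# Ranges that must never be blocked, whatever the logs say: our own
# network and loopback. Assumed values; adjust to the deployment.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _alert(ts, sig, src, dst="192.0.2.10"):
    """One constructed alert: (timestamp, signature, source IP, destination IP)."""
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), sig, src, dst)


# Constructed sample data (documentation address ranges).
SAMPLE_ALERTS = (
    # five hits from one source inside the window: should be blocked
    [_alert(f"2003-06-10 02:00:0{i}", "ICMP PING flood", "203.0.113.5") for i in range(5)]
    # one hit only: below threshold, left alone
    + [_alert("2003-06-10 02:00:07", "ICMP PING", "198.51.100.7")]
    # five hits, but an hour ago: outside the window, left alone
    + [_alert("2003-06-10 01:10:00", "ICMP PING flood", "198.51.100.9")] * 5
    # five hits apparently from our own gateway (spoofed?): never blocked
    + [_alert(f"2003-06-10 02:00:1{i}", "ICMP PING flood", "192.0.2.1") for i in range(5)]
)


def select_offenders(alerts, now=None, threshold=5,
                     window=timedelta(minutes=10), never_block=NEVER_BLOCK):
    """Return sorted source IPs with at least `threshold` alerts in the
    last `window`, skipping malformed addresses and protected ranges."""
    now = now or datetime.now()
    cutoff = now - window
    hits = defaultdict(int)
    for ts, _sig, src, _dst in alerts:
        if ts < cutoff:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # garbage in the log is not a reason to touch the firewall
        if any(addr in net for net in never_block):
            continue
        hits[src] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


def iptables_commands(offenders, chain="SNORT_BLOCK"):
    """Build argv lists for inserting DROP rules into a dedicated chain.
    Returned, not executed, so they can be logged and reviewed first."""
    return [["iptables", "-I", chain, "-s", ip, "-j", "DROP"] for ip in offenders]


def apply_rules(commands, dry_run=True):
    """Print the commands, or run them (needs root) when dry_run is False."""
    for argv in commands:
        if dry_run:
            print(shlex.join(argv))
        else:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    now = datetime(2003, 6, 10, 2, 1, 0)  # fixed "now" matching the sample data
    apply_rules(iptables_commands(select_offenders(SAMPLE_ALERTS, now)))
```

The rules go into a dedicated chain (created once with `iptables -N SNORT_BLOCK` and referenced from INPUT) so they can be flushed or expired without touching the hand-written ruleset; the threshold and window keep a single stray alert from triggering a block, and the never-block list is the minimum protection against spoofed sources turning the blocker against your own hosts.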
