[Snort-users] Guardian with Snort

claudio antonio bastosclaudio at ...6873...
Thu May 27 09:45:15 EDT 2004


Anybody can a help me?????
My Guardian is not 100% , my snort is perfect, but ,
the guardian is not ready file logs.
Anybody has a ideia?
My file of the configuration.

========================Guardian.conf==================
HostIpAddr = 192.168.0.12
Interface       eth0
HostGatewayByte  1
LogFile         /var/log/guardian.log
AlertFile       /var/log/secure
IgnoreFile      /etc/guardian.ignore
TargetFile      /etc/guardian.target
TimeLimit       86400
=======================================================
The file Guardian.pl has parts of the configuration
file.
=======================Guardian.pl=====================
##This parts is modific, my sistem isn't has ipchains
## My sistem has a iptables.
#sub ipchain {
#  my ($source, $dest, $type) = @_;
#  &write_log ("$source\t$type\n");
#  if ($hash{$source} eq "") {
#    &write_log ("Running '$blockpath $source
$interface'\n");
#    system ("$blockpath $source $interface");
#    $hash{$source} = time() + $TimeLimit;
#  } else {
#    # We have already blocked this one, but snort
detected another attack. So
#    # we should update the time blocked..
#    $hash{$source} = time() + $TimeLimit;
#  }
#}
                                                      
                                                      
              
sub iptable {
  my ($source, $dest, $type) = @_;
  &write_log ("$source\t$type\n");
  if ($hash{$source} eq "") {
    &write_log ("Running '$blockpath $source
$interface'\n");
    system ("$blockpath $source $interface");
    $hash{$source} = time() + $TimeLimit;
  } else {
    # We have already blocked this one, but snort
detected another attack. So
    # we should update the time blocked..
    $hash{$source} = time() + $TimeLimit;
  }
}
###################################################
  $opt_c =
"/usr/local/src/guardian-1.7/guardian.conf";
##ALTERADO DIA 22 DE MAIO DE 2004 - CLÁUDIO
    if(/iptablesPath\s+(.*)/){
       $iptables_path = $1;
    }
   if (-x
"/usr/local/src/guardian-1.7/guardian_block.sh") {
      $blockpath =
"/usr/local/src/guardian-1.7/guardian_block.sh";
    }
#NÃO PRECISO DESTE UNBLOCK NO MOMENTO.
    if (-x
"/usr/local/src/guardian-1.7/guardian_unblock.sh") {
      $unblockpath =
"/usr/local/src/guardian-1.7/guardian_unblock.sh";
    }

=======================================================
and...
=================guardian_block.sh=====================
#!/bin/sh
                                                      
                                                      
              
# this is a sample block script for guardian. This
should work with ipchains.
# This command gets called by guardian as such:
#  guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all
traffic from that source ip
# address. The logic of weither or not it is safe to
block that address is
# done inside guardian itself.
source=$1
interface=$2
                                                      
                                                      
              
#/sbin/ipchains -I input -s $source -i $interface -j
DENY
/sbin/iptables -I INPUT -s $source -j DROP
echo "O IP : $1 foi bloqueado!!"
~

=======================================================
================Guardian_unblock.sh====================
#!/bin/sh
                                                      
                                                      
              
# this is a sample unblock script for guardian. This
should work with ipchains.
# This command gets called by guardian as such:
#  unblock.sh <source_ip> <interface>
# and the script will issue a command to remove the
block that was created with # block.sh address.
source=$1
interface=$2
                                                      
                                                      
              
#/sbin/ipchains -D input -s $source -i $interface -j
DENY
/sbin/iptables -I input -s $source -i $interface -j
DENY
~

=======================================================
thanks!!
Cláudio Antônio - Brazil - Goiânia - Goiás


=====
Cláudio Antônio de Bastos

______________________________________________________________________

Participe da pesquisa global sobre o Yahoo! Mail: 
http://br.surveys.yahoo.com/global_mail_survey_br




More information about the Snort-users mailing list