[Snort-users] Guardian with Snort
claudio antonio
bastosclaudio at ...6873...
Thu May 27 09:45:15 EDT 2004
Can anybody help me?
My Guardian is not 100%; my snort is perfect, but
the guardian is not reading the log files.
Does anybody have an idea?
My configuration file:
========================Guardian.conf==================
HostIpAddr 192.168.0.12
Interface eth0
HostGatewayByte 1
LogFile /var/log/guardian.log
AlertFile /var/log/secure
IgnoreFile /etc/guardian.ignore
TargetFile /etc/guardian.target
TimeLimit 86400
=======================================================
Parts of the Guardian.pl file:
=======================Guardian.pl=====================
## This part was modified: my system doesn't have ipchains,
## it has iptables.
#sub ipchain {
#    my ($source, $dest, $type) = @_;
#    &write_log ("$source\t$type\n");
#    if ($hash{$source} eq "") {
#        &write_log ("Running '$blockpath $source $interface'\n");
#        system ("$blockpath $source $interface");
#        $hash{$source} = time() + $TimeLimit;
#    } else {
#        # We have already blocked this one, but snort detected another attack. So
#        # we should update the time blocked..
#        $hash{$source} = time() + $TimeLimit;
#    }
#}
sub iptable {
    my ($source, $dest, $type) = @_;
    # Log the offending source and the alert type.
    &write_log ("$source\t$type\n");
    if ($hash{$source} eq "") {
        # Not blocked yet: run the block script and record when the block expires.
        &write_log ("Running '$blockpath $source $interface'\n");
        system ("$blockpath $source $interface");
        $hash{$source} = time() + $TimeLimit;
    } else {
        # We have already blocked this one, but snort detected another attack. So
        # we should update the time blocked..
        $hash{$source} = time() + $TimeLimit;
    }
}
###################################################
$opt_c = "/usr/local/src/guardian-1.7/guardian.conf";
## CHANGED ON 22 MAY 2004 - CLÁUDIO
if(/iptablesPath\s+(.*)/){
    $iptables_path = $1;
}
if (-x "/usr/local/src/guardian-1.7/guardian_block.sh") {
    $blockpath = "/usr/local/src/guardian-1.7/guardian_block.sh";
}
# I DON'T NEED THIS UNBLOCK AT THE MOMENT.
if (-x "/usr/local/src/guardian-1.7/guardian_unblock.sh") {
    $unblockpath = "/usr/local/src/guardian-1.7/guardian_unblock.sh";
}
=======================================================
and...
=================guardian_block.sh=====================
#!/bin/sh
# this is a sample block script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
# guardian_block.sh <source_ip> <interface>
# and the script will issue a command to block all traffic from that source ip
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself.
source=$1
interface=$2
#/sbin/ipchains -I input -s $source -i $interface -j DENY
# iptables replacement: drop all input from the source (the interface is not used here).
/sbin/iptables -I INPUT -s "$source" -j DROP
# (Portuguese: "IP $1 has been blocked!!")
echo "O IP : $1 foi bloqueado!!"
=======================================================
================Guardian_unblock.sh====================
#!/bin/sh
# this is a sample unblock script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
# unblock.sh <source_ip> <interface>
# and the script will issue a command to remove the block that was created
# with block.sh for that address.
source=$1
interface=$2
#/sbin/ipchains -D input -s $source -i $interface -j DENY
# The delete must name exactly the rule that guardian_block.sh inserted
# (-D INPUT -s <ip> -j DROP); "-I input ... -j DENY" would try to insert a
# second rule into a chain and target that do not exist in iptables.
/sbin/iptables -D INPUT -s "$source" -j DROP
=======================================================
thanks!!
Cláudio Antônio - Brazil - Goiânia - Goiás
=====
Cláudio Antônio de Bastos
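Added example, not Guardian's own code and not from the post above: the block-and-expire logic of sub iptable together with the block/unblock script pair, written in Python rather than Perl so it can be run and checked stand-alone. It assumes that "HostGatewayByte 1" names the gateway 192.168.0.1, that the sample alert line is a constructed one in Snort's fast alert format, and that the `run` callable stands in for executing iptables (a dry run in the test).

```python
import re

TIME_LIMIT = 86400          # seconds, the poster's TimeLimit
# HostIpAddr and the gateway; assumption: "HostGatewayByte 1" means 192.168.0.1. Neither is ever blocked.
IGNORE = {"192.168.0.12", "192.168.0.1"}

# Constructed sample line in Snort's fast alert format (not a real capture).
SAMPLE = ("05/27-09:40:01.123456  [**] [1:1000001:1] Constructed probe [**] "
          "[Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.0.12:22")
# Pulls the source address out of the "{PROTO} src:port -> dst:port" tail.
ALERT_RE = re.compile(r"\{\w+\}\s+(\d+(?:\.\d+){3})(?::\d+)?\s+->")

def block_cmd(source):
    """The rule guardian_block.sh inserts."""
    return ["/sbin/iptables", "-I", "INPUT", "-s", source, "-j", "DROP"]

def unblock_cmd(source):
    """Derived from block_cmd so the two cannot drift: iptables -D only deletes
    a rule whose specification is identical to the one that was inserted."""
    return ["-D" if arg == "-I" else arg for arg in block_cmd(source)]

class Guardian:
    def __init__(self, run, ignore=IGNORE, time_limit=TIME_LIMIT):
        self.run = run                  # executes an argv list; a dry-run stand-in in the test
        self.ignore = set(ignore)
        self.time_limit = time_limit
        self.blocked = {}               # source ip -> unix time the block expires (like %hash)

    def handle_alert(self, line, now):
        """Mirror of sub iptable: block new sources, extend existing blocks."""
        m = ALERT_RE.search(line)
        if not m:
            return "unparsed"
        src = m.group(1)
        if src in self.ignore:
            return "ignored"
        if src not in self.blocked:
            self.run(block_cmd(src))
            self.blocked[src] = now + self.time_limit
            return "blocked"
        self.blocked[src] = now + self.time_limit   # already blocked: refresh the expiry
        return "refreshed"

    def expire(self, now):
        # Unblock every source whose TimeLimit has elapsed and return the list.
        done = [s for s, t in self.blocked.items() if t <= now]
        for s in done:
            self.run(unblock_cmd(s))
            del self.blocked[s]
        return done
```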