[Snort-users] guardian2, a snort log watcher and active responder

Yunliang Yu yu at ...13831...
Thu May 25 04:56:30 EDT 2006


Hello All,

I'd like to announce the availability of a new snort log watcher program.
Guardian2 watches over the snort or syslog files and responds with a
pre-defined action whenever a match with any of your rules occurs. It's
based on guardian-1.7, http://www.chaotic.org/guardian/ , and it has the
following features:

* it can watch over multiple log files at the same time
* it has full regex support for easy configuration
* flexible match for hosts/ports to make it possible to parse other log
   files such as syslog or apache logs
* each rule can have multiple thresholds and throttling
* thresholds can be target-host based or port based
* each rule can be overridden for any hosts. also supports global
   overrides.
* tracking can be attached to a rule to track remote hosts' activities
* each rule can have a tag to let you customize the blocking script easily
* guardian2 on multiple hosts can communicate via the PullCommand. For
   example, your syslog server can track those hosts blocked on the
   firewall
* it tries hard not to block any important hosts on the network:)
* it handles log rotations gracefully
* '-D' option for you to play around without causing any harm:)

The following line is an interesting example in the sample .rule file:
     Invalid user \S+ from  +++ 10/30 50/8h ==> ${FW} 6h
which will inform the firewall to block the remote host for 6 hours if we
get at least 10 'Invalid user...' entries from that host within 30
seconds, or 50 entries within 8 hours.

The package is available, as a .tar.gz file, at:

 	http://www.math.duke.edu/~yu/guardian2/

See 'guardian.conf' for more configuration info.

Have fun!
-yu
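The threshold/throttle behaviour described for the sample rule (10 hits in 30 seconds or 50 hits in 8 hours, then a 6-hour block, with protected hosts never blocked) can be reproduced with a small sliding-window counter. The Python below is an added example written for this page, not guardian2's own code (guardian2 is a separate program with its own parser and blocking script): the rule grammar is reconstructed from the one sample line in the post, the remote host is assumed to be the token following the matched text, the `NEVER_BLOCK` set and the sshd log lines are constructed for the example, and the syslog year is assumed since classic syslog stamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# The sample rule from the post. The grammar assumed below
# (<regex> +++ <hits>/<window>... ==> ${TAG} <duration>) is reconstructed
# from this one line; guardian2's real parser is not consulted here.
RULE_LINE = r"Invalid user \S+ from  +++ 10/30 50/8h ==> ${FW} 6h"

# Hosts that must never be blocked (assumed list, standing in for "important hosts").
NEVER_BLOCK = {"127.0.0.1", "192.0.2.1"}

UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}   # assumed unit letters

def parse_duration(text):
    """'30' -> 30 seconds, '8h' -> 28800 seconds."""
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_rule(line):
    """Split a rule line into regex, thresholds, action tag and block time.
    The remote host is assumed to be the token right after the matched text."""
    pattern, rest = line.split("+++", 1)
    thresholds, action = rest.split("==>", 1)
    tag, duration = action.split()
    return {
        "pattern": re.compile(pattern.strip() + r" (?P<host>\S+)"),
        "thresholds": [(int(c), parse_duration(w))
                       for c, w in (t.split("/") for t in thresholds.split())],
        "block_seconds": parse_duration(duration),
        "tag": tag.strip("${}"),
    }

SYSLOG_TS = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) ")

def syslog_time(line, year=2006):
    """Classic syslog stamps carry no year, so one is assumed."""
    m = SYSLOG_TS.match(line)
    return datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S") if m else None

class Watcher:
    """Per-host sliding-window counters for one rule, with a block-time throttle."""

    def __init__(self, rule, never_block=frozenset()):
        self.rule = rule
        self.never_block = never_block
        self.hits = defaultdict(deque)   # host -> timestamps of recent matches
        self.blocked_until = {}          # host -> datetime the block expires
        self.actions = []                # what would be handed to the ${FW} script

    def feed(self, line):
        now = syslog_time(line)
        m = self.rule["pattern"].search(line)
        if now is None or m is None:
            return None
        host = m.group("host")
        if host in self.never_block:
            return None                  # protected host: count nothing, block nothing
        if host in self.blocked_until and now < self.blocked_until[host]:
            return None                  # throttle: already blocked, do not re-fire
        q = self.hits[host]
        q.append(now)
        longest = timedelta(seconds=max(w for _, w in self.rule["thresholds"]))
        while q and now - q[0] > longest:
            q.popleft()                  # drop hits older than the widest window
        for count, window in self.rule["thresholds"]:
            recent = sum(1 for t in q if now - t <= timedelta(seconds=window))
            if recent >= count:
                self.blocked_until[host] = now + timedelta(seconds=self.rule["block_seconds"])
                q.clear()
                action = {"tag": self.rule["tag"], "host": host, "at": now,
                          "block_seconds": self.rule["block_seconds"],
                          "threshold": f"{count}/{window}s"}
                self.actions.append(action)
                return action
        return None

def build_sample_lines():
    """Constructed sshd lines (not real logs): a burst, a slow scan, a protected host."""
    base = datetime(2006, 5, 25, 4, 56, 30)

    def ln(t, host, user):
        return f"{t:%b %d %H:%M:%S} bastion sshd[2214]: Invalid user {user} from {host}"

    lines = [ln(base + timedelta(seconds=2 * i), "192.0.2.10", f"test{i}") for i in range(12)]
    lines += [ln(base + timedelta(minutes=5 * i), "198.51.100.7", "admin") for i in range(55)]
    lines += [ln(base + timedelta(seconds=i), "192.0.2.1", "root") for i in range(20)]
    lines.append(f"{base:%b %d %H:%M:%S} bastion sshd[2214]: Accepted publickey for ops from 203.0.113.5")
    lines.sort(key=syslog_time)
    return lines

def run_sample():
    """Replay the constructed lines; returns the block actions in the order they fired."""
    w = Watcher(parse_rule(RULE_LINE), NEVER_BLOCK)
    for line in build_sample_lines():
        w.feed(line)
    return w.actions

if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['at']:%H:%M:%S} ${a['tag']}: block {a['host']} "
              f"for {a['block_seconds']}s ({a['threshold']})")
```

Running it blocks 192.0.2.10 on its tenth attempt (the 10/30 threshold) and 198.51.100.7 on its fiftieth attempt four hours into a slow one-guess-per-five-minutes scan (the 50/8h threshold), while the protected 192.0.2.1 is never counted. The throttle matters in practice: without it a host already blocked at the firewall would keep tripping the rule on every further log line and flood the blocking script, which is what the original program's throttling avoids.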
