Thursday, 17 June 2004
SnortShorewall Version 1.4.4 has been released. SnortShorewall is a daemon, written in Perl, that monitors Snort alerts and drops IP addresses using Shorewall's dynamic chain.
NOTE: There was a typo in ss.pl version 1.4.3 that prevented the program from starting. This release fixes that problem.
SnortShorewall is a program that can be used to proactively protect your network. To use this program you must have Snort (www.snort.org) and Shorewall (www.shorewall.net) installed. The program runs as a daemon and monitors the alerts raised by Snort. If the IP address that caused the alert is not a trusted address (defined in trustedIps), the program adds that IP address to Shorewall's dynamic chain, causing all traffic from that machine to be blocked. Snort may raise some alerts for valid traffic, such as robots.txt access (if you are running a web server); you can avoid having machines blocked for specific alerts by adding an entry to the ignoredSids file. If the SID that caused the alert is listed in the ignoredSids file, the IP address will not be blocked.
SnortShorewall Requirements:
- Snort IDS installed and configured (logging must be in the -A fast format)
- Shorewall installed and configured
- Perl installed and configured
Download SnortShorewall 1.4.4
1. Download the tar file and unpack it into the directory where you want the program to reside
[root]# mkdir /usr/local/SnortShorewall
[root]# cd /usr/local/SnortShorewall
[root]# tar -zxvf SnortShorewall_1_4_4.tar.gz
2. Run the setup program and answer the 3 questions it asks
[root]# ./setup.pl
3. Start the program. You can view all the program options with ss.pl -h
[root]# ./ss.pl start
You can run the program as root, or you can give the snort user sudo privileges and run the program under that account. To give the snort user sudo privileges:
[root]# visudo
This opens the sudoers file in vi. Add the following line to the file:
snort ALL=NOPASSWD: /sbin/shorewall
Type :wq to save and exit the file.
Now you can start the program as the snort user.
You can view the log for the current day:
[root]# ./ss.pl log
(IGNORED SID) 06/04 00:26:47 195.184.43.69 -> 65.29.17.55 2003 MS-SQL Worm propagation attempt
(NEW IP BLOCKED) 06/04 00:26:47 195.184.43.69 2004 MS-SQL Worm propagation attempt OUTBOUND
(IP ALREADY BLOCKED) 06/04 00:26:47 195.184.43.69 2050 MS-SQL version overflow attempt
(RELEASE IP) 06/04 02:36:36 195.184.43.69 Hold Time Exceeded
(IGNORED SID) 06/04 04:33:29 218.190.129.106 -> 65.29.17.55 2003 MS-SQL Worm propagation attempt
(NEW IP BLOCKED) 06/04 04:33:29 218.190.129.106 2004 MS-SQL Worm propagation attempt OUTBOUND
(IP ALREADY BLOCKED) 06/04 04:33:29 218.190.129.106 2050 MS-SQL version overflow attempt
(RELEASE IP) 06/04 06:39:35 218.190.129.106 Hold Time Exceeded
(TRUSTED IP) 06/04 08:22:18 65.29.17.55 -> 65.29.17.55 3 PORT SCAN DETECTED
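To make the decision logic described above (trusted IPs, ignored SIDs, block on first sighting, release after the hold time) and the log categories shown in the sample log concrete, here is an added Python model of that loop. It is an illustration written for this page, not the project's Perl code (ss.pl), and its alert lines, addresses, the trustedIps and ignoredSids contents and the local-rule SID 1000001 are all constructed; it mirrors the sudoers line above by invoking /sbin/shorewall through sudo, but only records the commands unless execute=True is passed.

```python
"""Model of a Snort -> Shorewall blocking loop (added example, not SnortShorewall itself).

Reads snort '-A fast' alert lines, skips trusted source IPs and ignored SIDs,
blocks a new source IP with 'shorewall drop', reports repeat alerts as already
blocked, and releases an IP with 'shorewall allow' once the hold time passes.
"""
import re
import subprocess
from datetime import datetime, timedelta

# Regex for one snort '-A fast' line; ports are optional because some
# preprocessor alerts (e.g. portscan) omit them.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

def ts(text, year=2004):
    """Parse the fast-format 'MM/DD-HH:MM:SS' stamp; the year is not in the log."""
    return datetime.strptime(f"{year}/{text}", "%Y/%m/%d-%H:%M:%S")

def parse_fast_alert(line, year=2004):
    """Return a dict for one fast-format alert line, or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    return {"time": ts(m["ts"], year), "sid": int(m["sid"]), "msg": m["msg"],
            "proto": m["proto"], "src": m["src"], "dst": m["dst"]}

class Blocker:
    def __init__(self, trusted_ips, ignored_sids, hold_time=timedelta(hours=2), execute=False):
        self.trusted_ips = set(trusted_ips)     # contents of trustedIps
        self.ignored_sids = set(ignored_sids)   # contents of ignoredSids
        self.hold_time = hold_time              # default release interval of 2 hours
        self.execute = execute                  # False: dry run, commands are only recorded
        self.blocked = {}                       # ip -> time it was blocked
        self.commands = []                      # argv lists issued (or that would be issued)

    def _shorewall(self, verb, ip):
        argv = ["sudo", "/sbin/shorewall", verb, ip]   # matches the sudoers entry above
        self.commands.append(argv)
        if self.execute:
            subprocess.run(argv, check=True)

    def process(self, alert):
        """Apply one alert and return the log category for it."""
        if alert["sid"] in self.ignored_sids:
            return "IGNORED SID"
        if alert["src"] in self.trusted_ips:
            return "TRUSTED IP"
        if alert["src"] in self.blocked:
            return "IP ALREADY BLOCKED"
        self._shorewall("drop", alert["src"])
        self.blocked[alert["src"]] = alert["time"]
        return "NEW IP BLOCKED"

    def release_expired(self, now):
        """Release every IP whose hold time has passed; return the released IPs."""
        released = [ip for ip, t in self.blocked.items() if now - t >= self.hold_time]
        for ip in released:
            self._shorewall("allow", ip)
            del self.blocked[ip]
        return released

# Constructed alert lines (RFC 5737 documentation addresses, SIDs taken from the
# sample log plus a constructed local-rule SID 1000001 for the trusted host).
SAMPLE_ALERTS = [
    "06/04-00:26:47.118347  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434",
    "06/04-00:26:47.119002  [**] [1:2004:7] MS-SQL Worm propagation attempt OUTBOUND [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434",
    "06/04-00:26:47.120511  [**] [1:2050:8] MS-SQL version overflow attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434",
    "06/04-08:22:18.000120  [**] [1:1000001:1] LOCAL robots.txt access from own host [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.0.2.10:40321 -> 192.0.2.10:80",
]

def run_sample(alerts=SAMPLE_ALERTS, trusted=("192.0.2.10",), ignored=(2003,)):
    """Feed the sample alerts through a dry-run Blocker; return (decisions, blocker)."""
    blocker = Blocker(trusted, ignored)
    decisions = []
    for line in alerts:
        alert = parse_fast_alert(line)
        decisions.append("UNPARSED" if alert is None else blocker.process(alert))
    return decisions, blocker

if __name__ == "__main__":
    decisions, blocker = run_sample()
    for line, d in zip(SAMPLE_ALERTS, decisions):
        print(f"({d}) {line[:14]} {line.split('{')[1].split('} ')[1]}")
    for ip in blocker.release_expired(ts("06/04-02:36:36")):
        print(f"(RELEASE IP) 06/04 02:36:36 {ip} Hold Time Exceeded")
    for argv in blocker.commands:
        print("would run:", " ".join(argv))
```

The dry-run default is deliberate: running the loop against a day's alert file with execute=False shows exactly which addresses would have been dropped and when they would be released, which is the check to make before trusting an automated blocker with the firewall.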
Written by Guest on 2004-11-04 17:51:33

Snort Realtime usage
Written by Guest on 2005-03-28 15:44:47
I was wondering if anyone has had any experience using shorewall with snort-inline. I want to allow snort to read packets in real time by moving the packets that pass into an iptables queue that snort then uses to determine whether the traffic should be allowed in/out. The only way I've found is to modify the shorewall program. Is there an easier way to allow the queue option in shorewall?

1 question
Written by Guest on 2005-08-06 19:27:46
Hi. Your program works great! The only thing I miss is the ability to release the IP locks after some time has gone. After some days, the block list is long. I am trying to change the "shorewall allow" at now + 2 hours, but I am a newbie and need some help. Can anyone here do that?

Which version?
Written by Guest on 2005-08-06 20:03:48
The latest version 1.4.4 releases the IP addresses every 2 hours by default. Type ss.pl --help for details.