SNORT + IPTABLES [ How to block with Snort ]

Hi,

I installed Snort and Acid on my server, but, it only log / alert the intruders but do not block them.

How can I configure Snort to block intruders? Are there rules pre-configured to block automaticaly?


[],
Luiz
ipsystemsAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Rich RumbleConnect With a Mentor Security SamuraiCommented:
Snort calls this "inline" IDS. http://snort-inline.sourceforge.net/ 
Also a good source: http://sourceforge.net/projects/snort-inline/

I recommend this book (to be released next month) http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/002-1040456-6280019?v=glance
The previous book was excellent, and with the enhancements in 2.1, this book will prove to be even better!
Try the precompiled kernel's above... otherwise you'll need to compile your own, it's actually quite involved. Obtain the books and read chapter 12 pages 482-501 to get all the steps.

Basically you'll need the following: (remember you are going to have to recompile your kernel... be sure your confident with this task and it's implications- danger danger)
Linux- RedHat preferred (rh8 is assumed with these instructions)
IpTables  (netfilter.org)
libpcap  (install this before make install
Linux bridge patch ( http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff )
bridge-utils ( http://bridge.sourceforge.net/download.html )
snort inline patch ( http://www.snort.org/dl/contrib/patches/inline/ )
snort rules ( http://www.snort.org/dl/rules/ )
rc.firewall script ( http://www.honeynet.org/papers/honeynet/tools/ )
 run make...
"make KERNEL_DIR=/usr/src/linux-2.4.18-14"  (or your current kernel 2.4.xxxx) (no quotes btw)
"make install KERNEL_DIR=/usr/src/linux-2.4.18-14"
"make install-devel"

Apply the patch "patch -pl < bridge-nf-0.0.7-against-2.4.18.diff"
In the kernel source directory run "make menuconfig" and  "make xconfig"

That is just to get started... I don't feel like transcribing the book tonight... they are well worth the money.
GL!
-rich


0
 
chicagoanCommented:
You've got to tread very lightly here, as rich pointed out it's a complicated and arcane setup and if not configured correctly you're going to be a target for denial of service attacks both directed and inadvertant. The "self defending network" is the new buzz-phrase, but if you start blocking addresses willy-nilly you'll have no connectivity.
0
 
ipsystemsAuthor Commented:

I found a SNORTSAM to auto blocking based on Snort Rulez. It is integrated with IPTABLES
http://www.snortsam.net/

We develop an integration with EBTABLES to use it on transparent bridge too.

Regards,
Luiz
0
All Courses

From novice to tech pro — start learning today.