SNORT + IPTABLES [ How to block with Snort ]

Posted on 2004-03-29
Last Modified: 2012-05-04
Hi,

I installed Snort and ACID on my server, but it only logs / alerts on the intruders and does not block them.

How can I configure Snort to block intruders? Are there pre-configured rules to block automatically?


[],
Luiz
Question by:ipsystems
3 Comments
LVL 38

Accepted Solution

by:
Rich Rumble earned 1500 total points
ID: 10710076
Snort calls this "inline" IDS. http://snort-inline.sourceforge.net/ 
Also a good source: http://sourceforge.net/projects/snort-inline/

I recommend this book (to be released next month) http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/002-1040456-6280019?v=glance
The previous book was excellent, and with the enhancements in 2.1, this book will prove to be even better!
Try the precompiled kernels above... otherwise you'll need to compile your own; it's actually quite involved. Obtain the books and read chapter 12, pages 482-501, to get all the steps.

Basically you'll need the following: (remember you are going to have to recompile your kernel... be sure you're confident with this task and its implications- danger danger)
Linux- RedHat preferred (rh8 is assumed with these instructions)
IpTables  (netfilter.org)
libpcap  (install this before make install)
Linux bridge patch ( http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff )
bridge-utils ( http://bridge.sourceforge.net/download.html )
snort inline patch ( http://www.snort.org/dl/contrib/patches/inline/ )
snort rules ( http://www.snort.org/dl/rules/ )
rc.firewall script ( http://www.honeynet.org/papers/honeynet/tools/ )
run make...
"make KERNEL_DIR=/usr/src/linux-2.4.18-14"  (or your current kernel 2.4.xxxx) (no quotes btw)
"make install KERNEL_DIR=/usr/src/linux-2.4.18-14"
"make install-devel"

Apply the patch "patch -p1 < bridge-nf-0.0.7-against-2.4.18.diff"
In the kernel source directory run "make menuconfig" and  "make xconfig"

That is just to get started... I don't feel like transcribing the book tonight... they are well worth the money.
GL!
-rich


LVL 18

Expert Comment

by:chicagoan
ID: 10713419
You've got to tread very lightly here; as rich pointed out, it's a complicated and arcane setup, and if not configured correctly you're going to be a target for denial of service attacks, both directed and inadvertent. The "self defending network" is the new buzz-phrase, but if you start blocking addresses willy-nilly you'll have no connectivity.

Author Comment

by:ipsystems
ID: 11630775

I found SNORTSAM for auto-blocking based on Snort rules. It is integrated with IPTABLES:
http://www.snortsam.net/

We are developing an integration with EBTABLES to use it on a transparent bridge too.

Regards,
Luiz
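To make the SnortSam-style approach concrete, here is an added example (not from the thread, and not SnortSam's or snort-inline's own code): a dry run that turns Snort "alert_fast" lines into time-limited iptables DROP rules, skipping trusted networks so that an alert triggered by (or spoofed from) an internal host cannot cost you your own connectivity, which is exactly chicagoan's warning. The alert lines, addresses and the TRUSTED list are constructed; the iptables commands are printed, never executed.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# Constructed Snort "alert_fast" lines (not real traffic). 192.168.1.5 is an
# internal host: its alert must never turn into a block.
SAMPLE_ALERTS = """\
03/29-10:15:01.123456  [**] [1:1000001:1] CONSTRUCTED scan [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22
03/29-10:15:02.223456  [**] [1:1000002:1] CONSTRUCTED probe [**] [Priority: 1] {TCP} 198.51.100.7:40000 -> 192.0.2.10:80
03/29-10:15:03.323456  [**] [1:1000003:1] CONSTRUCTED noise [**] [Priority: 1] {UDP} 192.168.1.5:5353 -> 192.0.2.10:5353
03/29-10:15:04.423456  [**] [1:1000001:1] CONSTRUCTED scan [**] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.10:23
"""

# Priority, protocol, source and destination (ports optional) of a fast alert.
ALERT_RE = re.compile(
    r"\[Priority: (?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
)

# Networks never blocked, whatever Snort says (hypothetical values).
TRUSTED = [ipaddress.ip_network(n) for n in ("192.168.0.0/16", "10.0.0.0/8", "192.0.2.0/24")]

def plan_blocks(alert_text, now, max_priority=2, ttl=timedelta(minutes=10)):
    """Return {source_ip: expiry} for alerts worth acting on.

    Only Priority <= max_priority counts (1 is most severe in Snort), trusted
    sources are skipped, and each source is blocked once for a bounded time
    rather than permanently.
    """
    blocks = {}
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m["prio"]) > max_priority:
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in TRUSTED) or str(src) in blocks:
            continue
        blocks[str(src)] = now + ttl
    return blocks

def iptables_commands(blocks):
    """Render the plan as iptables rules (strings only; nothing is executed)."""
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in blocks]

def demo_plan():
    return plan_blocks(SAMPLE_ALERTS, datetime(2004, 3, 29, 10, 15))

if __name__ == "__main__":
    plan = demo_plan()
    for ip, expiry in plan.items():
        print("%s blocked until %s" % (ip, expiry.strftime("%H:%M")))
    print("\n".join(iptables_commands(plan)))
```

A real deployment would also need the matching rule removal when the expiry passes; the bounded TTL is what keeps a burst of false positives from becoming a permanent outage.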