Solved

SNORT + IPTABLES [ How to block with Snort ]

Posted on 2004-03-29
3,277 Views
Last Modified: 2012-05-04
Hi,

I installed Snort and ACID on my server, but it only logs / alerts on the intruders and does not block them.

How can I configure Snort to block intruders? Are there rules pre-configured to block automatically?


[],
Luiz
Question by:ipsystems
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10710076
Snort calls this "inline" IDS. http://snort-inline.sourceforge.net/ 
Also a good source: http://sourceforge.net/projects/snort-inline/

I recommend this book (to be released next month) http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/002-1040456-6280019?v=glance
The previous book was excellent, and with the enhancements in 2.1, this book will prove to be even better!
Try the precompiled kernels above... otherwise you'll need to compile your own; it's actually quite involved. Obtain the books and read chapter 12, pages 482-501, to get all the steps.

Basically you'll need the following: (remember you are going to have to recompile your kernel... be sure you're confident with this task and its implications - danger danger)
Linux - RedHat preferred (rh8 is assumed with these instructions)
IpTables (netfilter.org)
libpcap (install this before make install)
Linux bridge patch ( http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff )
bridge-utils ( http://bridge.sourceforge.net/download.html )
snort inline patch ( http://www.snort.org/dl/contrib/patches/inline/ )
snort rules ( http://www.snort.org/dl/rules/ )
rc.firewall script ( http://www.honeynet.org/papers/honeynet/tools/ )
run make...
"make KERNEL_DIR=/usr/src/linux-2.4.18-14" (or your current kernel 2.4.xxxx) (no quotes btw)
"make install KERNEL_DIR=/usr/src/linux-2.4.18-14"
"make install-devel"

Apply the patch: "patch -p1 < bridge-nf-0.0.7-against-2.4.18.diff"
In the kernel source directory run "make menuconfig" or "make xconfig"

That is just to get started... I don't feel like transcribing the book tonight... they are well worth the money.
GL!
-rich


 
LVL 18

Expert Comment

by:chicagoan
ID: 10713419
You've got to tread very lightly here; as rich pointed out, it's a complicated and arcane setup, and if not configured correctly you're going to be a target for denial of service attacks, both directed and inadvertent. The "self defending network" is the new buzz-phrase, but if you start blocking addresses willy-nilly you'll have no connectivity.
 

Author Comment

by:ipsystems
ID: 11630775

I found SnortSam, which does automatic blocking based on Snort rules. It is integrated with IPTABLES:
http://www.snortsam.net/

We are developing an integration with EBTABLES to use it on a transparent bridge too.

Regards,
Luiz
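The SnortSam-style automatic blocking Luiz ended up with, built with the safeguards chicagoan's warning calls for, as an added Python example that is not SnortSam's, snort-inline's or any poster's code: it parses Snort alert_fast lines (a constructed sample), refuses to block a whitelist of addresses the sensor depends on, avoids duplicate rules, and emits iptables commands as strings with an expiry rather than executing anything. The alert line layout, the NEVER_BLOCK networks and the INPUT/DROP rule shape are assumptions for the example, not taken from the thread.

```python
import re
import ipaddress

# Tail of a Snort alert_fast line: "{TCP} 203.0.113.45:4444 -> 192.168.1.10:22"
ALERT_RE = re.compile(r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)")

# Constructed sample alerts, not captured from a real sensor.
SAMPLE_ALERTS = [
    "03/29-10:15:02.123456 [**] [1:1000001:1] SSH brute force [**] "
    "[Priority: 1] {TCP} 203.0.113.45:4444 -> 192.168.1.10:22",
    "03/29-10:15:03.000001 [**] [1:1000002:1] SMB probe [**] "
    "[Priority: 2] {TCP} 192.168.1.7:1025 -> 192.168.1.10:445",
    "03/29-10:15:05.750000 [**] [1:1000001:1] SSH brute force [**] "
    "[Priority: 1] {TCP} 203.0.113.45:4445 -> 192.168.1.10:22",
]

# Assumed values: loopback, the sensor's own LAN and the upstream gateway are
# never blocked, so a spoofed source cannot cut the box off its own network.
NEVER_BLOCK = [ipaddress.ip_network(n)
               for n in ("127.0.0.0/8", "192.168.1.0/24", "10.0.0.1/32")]

def parse_alert(line):
    """Return (src, dst) from an alert_fast line, or None if it does not match."""
    m = ALERT_RE.search(line)
    return (m.group("src"), m.group("dst")) if m else None

def is_blockable(ip):
    return not any(ipaddress.ip_address(ip) in net for net in NEVER_BLOCK)

class Blocker:
    def __init__(self, ttl):
        self.ttl = ttl      # seconds a block stays in place before expiry
        self.active = {}    # ip -> expiry timestamp

    def block(self, ip, now):
        if not is_blockable(ip) or ip in self.active:
            return None     # whitelisted, or already blocked (no duplicate rules)
        self.active[ip] = now + self.ttl
        return f"iptables -I INPUT -s {ip} -j DROP"

    def expire(self, now):
        gone = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in gone:
            del self.active[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in gone]

    def feed(self, lines, now):
        # Run alert lines through block(); return only the commands produced.
        parsed = (parse_alert(l) for l in lines)
        cmds = (self.block(p[0], now) for p in parsed if p)
        return [c for c in cmds if c]
```

Calling expire() periodically from the same loop that tails the alert file keeps blocks temporary, which limits the damage if an attacker provokes alerts with a forged source address.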
