Solved

SNORT + IPTABLES [ How to block with Snort ]

Posted on 2004-03-29
3
3,200 Views
Last Modified: 2012-05-04
Hi,

I installed Snort and Acid on my server, but, it only log / alert the intruders but do not block them.

How can I configure Snort to block intruders? Are there rules pre-configured to block automaticaly?


[],
Luiz
0
Comment
Question by:ipsystems
3 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 10710076
Snort calls this "inline" IDS. http://snort-inline.sourceforge.net/ 
Also a good source: http://sourceforge.net/projects/snort-inline/

I recommend this book (to be released next month) http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/002-1040456-6280019?v=glance
The previous book was excellent, and with the enhancements in 2.1, this book will prove to be even better!
Try the precompiled kernel's above... otherwise you'll need to compile your own, it's actually quite involved. Obtain the books and read chapter 12 pages 482-501 to get all the steps.

Basically you'll need the following: (remember you are going to have to recompile your kernel... be sure your confident with this task and it's implications- danger danger)
Linux- RedHat preferred (rh8 is assumed with these instructions)
IpTables  (netfilter.org)
libpcap  (install this before make install
Linux bridge patch ( http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff )
bridge-utils ( http://bridge.sourceforge.net/download.html )
snort inline patch ( http://www.snort.org/dl/contrib/patches/inline/ )
snort rules ( http://www.snort.org/dl/rules/ )
rc.firewall script ( http://www.honeynet.org/papers/honeynet/tools/ )
 run make...
"make KERNEL_DIR=/usr/src/linux-2.4.18-14"  (or your current kernel 2.4.xxxx) (no quotes btw)
"make install KERNEL_DIR=/usr/src/linux-2.4.18-14"
"make install-devel"

Apply the patch "patch -pl < bridge-nf-0.0.7-against-2.4.18.diff"
In the kernel source directory run "make menuconfig" and  "make xconfig"

That is just to get started... I don't feel like transcribing the book tonight... they are well worth the money.
GL!
-rich


0
 
LVL 18

Expert Comment

by:chicagoan
ID: 10713419
You've got to tread very lightly here, as rich pointed out it's a complicated and arcane setup and if not configured correctly you're going to be a target for denial of service attacks both directed and inadvertant. The "self defending network" is the new buzz-phrase, but if you start blocking addresses willy-nilly you'll have no connectivity.
0
 

Author Comment

by:ipsystems
ID: 11630775

I found a SNORTSAM to auto blocking based on Snort Rulez. It is integrated with IPTABLES
http://www.snortsam.net/

We develop an integration with EBTABLES to use it on transparent bridge too.

Regards,
Luiz
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

If you thought ransomware was bad, think again! Doxware has the potential to be even more damaging.
Data breaches are on the rise, and companies are preparing by boosting their cybersecurity budgets. According to the Cybersecurity Market Report (http://www.cybersecurityventures.com/cybersecurity-market-report), worldwide spending on cybersecurity …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question