SNORT + IPTABLES [ How to block with Snort ]

Posted on 2004-03-29
Last Modified: 2012-05-04
Hi,

I installed Snort and ACID on my server, but it only logs / alerts on intruders and does not block them.

How can I configure Snort to block intruders? Are there pre-configured rules to block automatically?


[],
Luiz
Question by:ipsystems
3 Comments
Accepted Solution

by: Rich Rumble (earned 500 total points)
Snort calls this "inline" IDS. http://snort-inline.sourceforge.net/
Also a good source: http://sourceforge.net/projects/snort-inline/

I recommend this book (to be released next month) http://www.amazon.com/exec/obidos/tg/detail/-/1931836043/002-1040456-6280019?v=glance
The previous book was excellent, and with the enhancements in 2.1, this book will prove to be even better!
Try the precompiled kernels above... otherwise you'll need to compile your own, which is actually quite involved. Obtain the books and read chapter 12, pages 482-501, to get all the steps.

Basically you'll need the following: (remember you are going to have to recompile your kernel... be sure you're confident with this task and its implications - danger danger)
Linux- RedHat preferred (rh8 is assumed with these instructions)
IpTables  (netfilter.org)
libpcap  (install this before make install)
Linux bridge patch ( http://bridge.sourceforge.net/devel/bridge-nf/bridge-nf-0.0.7-against-2.4.19.diff )
bridge-utils ( http://bridge.sourceforge.net/download.html )
snort inline patch ( http://www.snort.org/dl/contrib/patches/inline/ )
snort rules ( http://www.snort.org/dl/rules/ )
rc.firewall script ( http://www.honeynet.org/papers/honeynet/tools/ )
Run make...
"make KERNEL_DIR=/usr/src/linux-2.4.18-14"  (or your current kernel 2.4.xxxx) (no quotes btw)
"make install KERNEL_DIR=/usr/src/linux-2.4.18-14"
"make install-devel"

Apply the patch: "patch -p1 < bridge-nf-0.0.7-against-2.4.18.diff"
In the kernel source directory run "make menuconfig" and "make xconfig"

That is just to get started... I don't feel like transcribing the book tonight... they are well worth the money.
GL!
-rich


Expert Comment

by: chicagoan
You've got to tread very lightly here. As rich pointed out, it's a complicated and arcane setup, and if not configured correctly you're going to be a target for denial of service attacks, both directed and inadvertent. The "self defending network" is the new buzz-phrase, but if you start blocking addresses willy-nilly you'll have no connectivity.
Author Comment

by: ipsystems

I found SnortSam, which does automatic blocking based on Snort rules. It is integrated with iptables:
http://www.snortsam.net/

We are developing an integration with ebtables to use it on a transparent bridge too.

Regards,
Luiz
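As an added example (not code from this thread, from SnortSam or from snort-inline), here is a small Python dry run of the alert-driven blocking idea from the last two comments: it parses Snort "fast" alert lines, applies the kind of never-block list and priority threshold that chicagoan's warning calls for, and emits iptables DROP commands without executing them. The alert lines, SIDs and addresses are constructed; the never-block subnet is an assumption.

```python
import ipaddress
import re

# Constructed Snort "fast" alert lines (not from a real sensor); SIDs are in the local range.
ALERTS = """\
03/29-10:15:02.123456  [**] [1:1000001:1] LOCAL ssh probe (constructed) [**] [Priority: 2] {TCP} 203.0.113.7:41234 -> 192.0.2.10:22
03/29-10:15:03.000001  [**] [1:1000002:1] LOCAL snmp scan (constructed) [**] [Priority: 1] {UDP} 198.51.100.9:5555 -> 192.0.2.10:161
03/29-10:15:04.500000  [**] [1:1000001:1] LOCAL ssh probe (constructed) [**] [Priority: 2] {TCP} 192.0.2.1:50000 -> 192.0.2.10:22
03/29-10:15:05.750000  [**] [1:1000003:1] LOCAL web noise (constructed) [**] [Priority: 3] {TCP} 203.0.113.8:1111 -> 192.0.2.10:80
03/29-10:15:06.000000  [**] [1:1000002:1] LOCAL snmp scan (constructed) [**] [Priority: 1] {UDP} 198.51.100.9:5556 -> 192.0.2.10:161
"""

ALERT_RE = re.compile(
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\] .*?\[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
# Never-block list (assumed values): the sensor's own subnet and loopback. This is the
# guard that keeps a spoofed or noisy source from turning the blocker into a self-DoS.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "127.0.0.0/8")]
MAX_PRIORITY = 2  # act only on priority 1 and 2 alerts; ignore low-priority noise

def parse_alert(line):
    """Return the fields needed for a block decision, or None for non-alert lines."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"sid": int(m["sid"]), "priority": int(m["prio"]), "src": m["src"], "dst": m["dst"]}

def should_block(alert):
    """Block only high-priority alerts whose source is outside the never-block list."""
    src = ipaddress.ip_address(alert["src"])
    if any(src in net for net in NEVER_BLOCK):
        return False
    return alert["priority"] <= MAX_PRIORITY

def build_block_commands(alert_text):
    """Dry run: one iptables DROP command per distinct offending source; nothing is executed."""
    commands, seen = [], set()
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None or not should_block(alert) or alert["src"] in seen:
            continue  # unparsable, exempt, low priority, or already blocked
        seen.add(alert["src"])
        commands.append(f"iptables -I INPUT -s {alert['src']} "
                        f"-m comment --comment 'snort sid {alert['sid']}' -j DROP")
    return commands
```

A real deployment would also expire the rules after a timeout (SnortSam does this for you), so a single false positive does not become a permanent block.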