[help] Snort + Guardian

summersgone · 05-27-2009, 08:11 AM

Hi,
I've just currently setup guardian and snort together , so it looks like this :

[attacker's host]--> [snort+guardian]--> [target's host]

Guardian works fine if I used it to proect 1 ip address (on snort+guardian's host). Is it possible to use guardian to protect the target's host ?
When I tried to attack target's host from attacker's host , this is what i got on /var/log/guardian.log :

Quote:

Odd.. source= 192.168.1.4,dest = 192.168.1.7 - No Action Done

FYI : I'm using these scripts to block/unblock :
http://www.chaotic.org/guardian/scri...ables_block.sh
http://www.chaotic.org/guardian/scri...les_unblock.sh

Thankx

unSpawn · 05-27-2009, 02:16 PM

Looking at the guardian source you see this explained as:

Code:

  # you will see this if the destination was not in the $targethash, and the
  # packet was not ignored before the target check.. 
  else { 
    &write_log ("Odd.. source = $source, dest = $dest - No action done.\n");

so maybe adjust the target hash (see source around line 38 for explanation)?

summersgone · 05-27-2009, 10:36 PM

well , thanks unSpawn.
I finally managed it by sending the snort alert (cron) to the target's host , and running the guardian ips from target's host.