LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 05-12-2006, 07:09 AM   #1
saini_mw
Member
 
Registered: Jun 2005
Location: On the top of the World
Posts: 114

Rep: Reputation: 15
How to setup snort IDS


Hi Dears

Have anyone used snort IDS solution, i have got a tar file from snort.org but is there any rpm available for the same,and if someone can guide me how to setup the SNORT IDS solution,i will really be very thankful,

Thanks in advance..
 
Old 05-12-2006, 06:40 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
They're available at the snort website under pre-compiled binaries here. Make sure to verify the sig and md5 checksum before installing.
 
Old 05-15-2006, 08:46 AM   #3
DENSVO
LQ Newbie
 
Registered: Apr 2006
Posts: 10

Rep: Reputation: 0
I've set up snort a while ago and just wrote a perl script, that analyses snort's log file and uses iptables to block malicious IP's. Nothing fancy, but here it is if you wish to use it:

Quote:
#!/usr/bin/perl

$sbin_path = '/sbin/';
$script_path = '/var/log/snortlogs/';

$file = $script_path.'ips';
%IPs = ();

open FILE, "< $file"||die "can't open ips file";
while (<FILE>){
chomp;
$IPs{$_}++;
}
close FILE;

open FILE, "/usr/bin/tail -f ".$script_path."alert|" ;

$logfile = $script_path.'alert3';

@strings = ();

while (<FILE>){

chomp;
$test = $_;
$test=~s/ +//;
unless ($test eq '') {push(@strings, $_)};
if ($test eq ''){
$strings[1] =~ m/Priority\: (\d+)/g;
$priority = $1;
if ($strings[0] =~ m/MS Terminal/){$priority = 1};
if ($strings[0] =~ m/ortscan/){$priority=3; $strings[2] = $strings[1]};
if ($priority > 2){
open LOG, ">> $logfile";
$strings[0] =~ s/\[.*\] \[.*\] (.*) \[.*\]/\1/g;
$strings[1] =~ s/\[.*\: (.*)\] \[.*\]/\1/g;
$strings[2] =~ m/(\d+\.\d+\.\d+\.\d+).* ->/ig;
$IP_FROM = $1;
$strings[2] =~ m/(\d+\.\d+\.\d+\.\d+)/ig;
$IP_TO = $1;
print LOG "$strings[1]: $strings[0]\n";
print LOG "($priority) IP: $IP_FROM -> $IP_TO\n";
$match = 0;
foreach $key (keys %IPs){
$match++ if ($IP_FROM =~ m/$key/g);
}
block_ip($IP_FROM) unless $match;
print LOG "=====\n";
close LOG;
}
@strings = ();
}
}

close FILE;

sub block_ip{
@params = @_; $no_match = 1;
$IP = $params[0];
$ff = $sbin_path."iptables -t mangle -L -vnx";
open IPTABLES, "$ff |";
while (<IPTABLES>){
$no_match=0 if ($_ =~ m/$IP/g);
}
close IPTABLES;
$command = $sbin_path.'iptables -t mangle -A FORWARD -s '.$IP.' -j DROP';
system($command) if $no_match;
$command = $sbin_path.'iptables -A INPUT -s '.$IP.' -j DROP';
system($command) if $no_match;
open LOG, ">> $logfile";
print LOG "to block $IP\n";
close LOG;
}
I don't claim it to be the most efficient script or anything of that kind, it works for me

Make sure you have file 'ips', that contains white list of IP addresses. I will be glad to provide further info on that script if required.

Best regards,
Den
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
developing an ids using snort chax Linux - Security 1 01-10-2006 01:20 PM
developing an ids using snort chax Linux - Networking 1 01-10-2006 12:51 PM
Questions regarding the use of Snort (IDS) and security nasty_daemon Linux - Security 8 09-09-2005 11:48 PM
Snort/ACID as an IDS WeNdeL Linux - Security 4 09-10-2004 01:14 PM
snort (ids) not working please help!!! crealkillerI75 Slackware 5 07-18-2002 04:39 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:37 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration