I set up snort a while ago and just wrote a perl script that analyses snort's log file and uses iptables to block malicious IPs. Nothing fancy, but here it is if you wish to use it:
#!/usr/bin/perl
# Tail snort's alert file, parse each alert block and DROP the source
# address with iptables unless it is listed in the whitelist file 'ips'.
use strict;
use warnings;

my $sbin_path   = '/sbin/';
my $script_path = '/var/log/snortlogs/';
my $file        = $script_path . 'ips';     # whitelist, one address per line
my $logfile     = $script_path . 'alert3';  # this script's own log

# Load the whitelist. 'or' instead of '||': with '||' the die binds to the
# filename string and never fires when the open fails.
my %IPs = ();
open(my $wl, '<', $file) or die "can't open ips file $file: $!";
while (<$wl>) {
    chomp;
    s/^\s+|\s+$//g;                 # trim
    next if $_ eq '' || /^#/;       # skip blank lines and comments
    $IPs{$_}++;
}
close $wl;

# -F (GNU tail) keeps following after snort rotates the alert file;
# plain -f silently stops at the old, rotated file.
open(my $alerts, '-|', "/usr/bin/tail -F ${script_path}alert")
    or die "can't run tail: $!";

my @strings = ();
while (<$alerts>) {
    chomp;
    (my $test = $_) =~ s/\s+//g;    # strip all whitespace to spot the blank separator line
    if ($test ne '') {
        push @strings, $_;
        next;
    }
    next unless @strings;           # several blank lines in a row

    # Default alert layout:  [**] [gid:sid:rev] msg [**]
    #                        [Classification: ...] [Priority: N]
    #                        date src:port -> dst:port
    my $priority = 0;
    $priority = $1 if defined $strings[1] && $strings[1] =~ m/Priority: (\d+)/;
    if ($strings[0] =~ m/MS Terminal/) { $priority = 1 }
    # Portscan events carry no Classification/Priority line, so the
    # address line is the second line of the block, not the third.
    if ($strings[0] =~ m/ortscan/) { $priority = 3; $strings[2] = $strings[1] }

    # Note: snort's default classification.config makes priority 1 the most
    # severe; this threshold follows the numbering used by the rules above.
    if ($priority > 2) {
        open(my $log, '>>', $logfile) or die "can't open $logfile: $!";
        my $msg = $strings[0];
        $msg = $1 if $strings[0] =~ m/^\[\*\*\] \[[^\]]*\] (.*) \[\*\*\]\s*$/;
        my $class = '';
        $class = $1 if defined $strings[1] && $strings[1] =~ m/^\[Classification: ([^\]]*)\]/;
        my ($IP_FROM, $IP_TO) = ('', '');
        if (defined $strings[2]
            && $strings[2] =~ m/(\d+\.\d+\.\d+\.\d+)(?::\d+)? -> (\d+\.\d+\.\d+\.\d+)/) {
            ($IP_FROM, $IP_TO) = ($1, $2);
        }
        print $log "$class: $msg\n";
        print $log "($priority) IP: $IP_FROM -> $IP_TO\n";

        # Whitelist check: exact address, or a prefix written with a trailing
        # dot ("192.168.1."). Using the entry as an unanchored regex would let
        # 10.0.0.1 also match 10.0.0.10.
        my $match = 0;
        foreach my $key (keys %IPs) {
            $match++ if $IP_FROM eq $key
                     || ($key =~ /\.$/ && index($IP_FROM, $key) == 0);
        }
        block_ip($IP_FROM, $log) if $IP_FROM ne '' && !$match;
        print $log "=====\n";
        close $log;
    }
    @strings = ();
}
close $alerts;

sub block_ip {
    my ($IP, $log) = @_;
    my $no_match = 1;
    # Already blocked? Anchor the address so 1.2.3.4 does not match 1.2.3.45.
    open(my $ipt, '-|', "${sbin_path}iptables -t mangle -L FORWARD -vnx")
        or die "can't run iptables: $!";
    while (<$ipt>) {
        $no_match = 0 if m/\s\Q$IP\E(?:\/32)?\s/;
    }
    close $ipt;
    if ($no_match) {
        # List form of system(): no shell, so the argument cannot be reinterpreted.
        system("${sbin_path}iptables", '-t', 'mangle', '-A', 'FORWARD', '-s', $IP, '-j', 'DROP');
        system("${sbin_path}iptables", '-A', 'INPUT', '-s', $IP, '-j', 'DROP');
        print $log "blocked $IP\n";
    } else {
        print $log "$IP already blocked\n";
    }
}
I don't claim it to be the most efficient script or anything of that kind; it works for me.
Make sure you have the file 'ips', which contains a whitelist of IP addresses. I will be glad to provide further info on that script if required.
Best regards,
Den
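As an added example, not Den's script and not part of the original post, the same idea in Python: a parser for snort's blank-line separated "full" alert blocks that also handles the portscan variant with no Priority line, a whitelist check that matches whole addresses and CIDR ranges rather than using each entry as an unanchored regex, a token-wise "already blocked" test over `iptables -S` output, and the iptables commands built as argv lists. The alert text, whitelist and rule listing below are constructed; the /sbin/iptables path and the choice of -I over -A are assumptions; the priority threshold follows snort's default numbering, in which 1 is the most severe, so it compares the opposite way to the script above.

```python
import ipaddress
import re

# Constructed sample in snort's "full" alert format (not a real capture).
# The portscan event, as in the script above, carries no Priority line.
SAMPLE_ALERTS = """\
[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
03/10-12:00:01.000000 203.0.113.7:1434 -> 192.0.2.10:1434
UDP TTL:115 TOS:0x0 ID:1 IpLen:20 DgmLen:404

[**] [1:1000001:1] LOCAL scanner probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/10-12:00:02.000000 192.168.1.5:40000 -> 192.0.2.10:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60

[**] [122:1:0] (portscan) TCP Portscan [**]
03/10-12:00:03.000000 198.51.100.9 -> 192.0.2.10
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:160

[**] [1:1000002:1] LOCAL admin probe [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/10-12:00:04.000000 203.0.113.99:5555 -> 192.0.2.10:22
TCP TTL:50 TOS:0x0 ID:4 IpLen:20 DgmLen:60

[**] [1:1000003:1] LOCAL noisy but harmless [**]
[Classification: Not Suspicious Traffic] [Priority: 3]
03/10-12:00:05.000000 203.0.113.50:5555 -> 192.0.2.10:80
TCP TTL:50 TOS:0x0 ID:5 IpLen:20 DgmLen:60
"""

# Constructed whitelist: bare addresses or CIDR, '#' comments allowed.
SAMPLE_WHITELIST = """\
# hosts that must never be blocked
192.168.1.0/24
203.0.113.9
"""

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+:\d+:\d+)\] (.*?) \[\*\*\]$')
CLASS_RE = re.compile(r'\[Classification: ([^\]]*)\]')
PRIO_RE = re.compile(r'\[Priority: (\d+)\]')
ADDR_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)? -> (\d{1,3}(?:\.\d{1,3}){3})')


def parse_alerts(text, portscan_priority=2):
    """Split the alert file into blank-line separated blocks and pull out
    message, classification, priority and the src -> dst addresses."""
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert header: skip rather than guess
        body = '\n'.join(lines[1:])
        cls, prio, addr = CLASS_RE.search(body), PRIO_RE.search(body), ADDR_RE.search(body)
        alert = {
            'id': head.group(1),
            'msg': head.group(2),
            'classification': cls.group(1) if cls else None,
            'priority': int(prio.group(1)) if prio else None,
            'src': addr.group(1) if addr else None,
            'dst': addr.group(2) if addr else None,
        }
        # Preprocessor (portscan) events have no Priority line; assign one.
        if alert['priority'] is None and 'portscan' in alert['msg'].lower():
            alert['priority'] = portscan_priority
        alerts.append(alert)
    return alerts


def load_whitelist(lines):
    """Parse entries as networks: a bare address becomes /32 and a prefix is
    a real CIDR range, so no substring matching is involved."""
    nets = []
    for ln in lines:
        ln = ln.split('#', 1)[0].strip()
        if ln:
            nets.append(ipaddress.ip_network(ln, strict=False))
    return nets


def ips_to_block(alerts, whitelist, max_priority=2):
    """Block sources whose alert priority is <= max_priority (snort's default
    numbering: 1 is most severe) and that are not whitelisted."""
    blocked = []
    for a in alerts:
        if a['priority'] is None or a['src'] is None or a['priority'] > max_priority:
            continue
        src = ipaddress.ip_address(a['src'])
        if any(src in net for net in whitelist):
            continue  # 203.0.113.99 is NOT covered by a 203.0.113.9 entry
        if a['src'] not in blocked:
            blocked.append(a['src'])
    return blocked


def already_blocked(ip, rule_lines):
    """Token-wise check over 'iptables -S INPUT' lines ('-s 1.2.3.4/32 ... -j DROP');
    a substring test would also match 1.2.3.45."""
    want = f'{ip}/32'
    for line in rule_lines:
        toks = line.split()
        try:
            if toks[toks.index('-s') + 1] == want and toks[toks.index('-j') + 1] == 'DROP':
                return True
        except (ValueError, IndexError):
            continue
    return False


def iptables_commands(ip, iptables='/sbin/iptables'):
    """argv lists for subprocess.run (no shell). -I inserts at the top so the
    DROP is evaluated before any earlier ACCEPT rule, which -A would not guarantee."""
    return [
        [iptables, '-I', 'INPUT', '-s', ip, '-j', 'DROP'],
        [iptables, '-I', 'FORWARD', '-s', ip, '-j', 'DROP'],
    ]


if __name__ == '__main__':
    wl = load_whitelist(SAMPLE_WHITELIST.splitlines())
    for ip in ips_to_block(parse_alerts(SAMPLE_ALERTS), wl):
        for argv in iptables_commands(ip):
            print(' '.join(argv))  # swap for subprocess.run(argv, check=True) on a live box
```

Run as is, it only prints the three commands it would issue (for 203.0.113.7, the portscan source 198.51.100.9 and 203.0.113.99); the whitelisted 192.168.1.5 and the priority-3 source are left alone. Combine it with `already_blocked()` over the current `iptables -S INPUT` output before each insert to avoid stacking duplicate rules.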