An intrusion detection system with an active firewall (Snort + Guardian)
Snort is an open source, lightweight intrusion detection system that watches the network for abnormal activity and writes alerts; Guardian is a companion program for Snort built on iptables. It reads Snort's alert file and, according to its configuration, automatically adds the source IPs of malicious traffic to the iptables INPUT chain so that their packets are dropped. Keep in mind that the block is keyed on the source address in the alert, so spoofed packets (ICMP, UDP) can be used to get it to block a host you depend on; the ignore file is there to protect such hosts.
Since I started using Snort with Guardian I see a lot of malicious activity every day, and I am very happy with it. I recommend you use it too!
Installation steps:
1) Install Snort:
* Download Snort and Guardian; the current download addresses are:
http://www.snort.org/dl/snort-2.3.0rc2.tar.gz
http://www.snort.org/dl/contrib/ ... Guardian-1.6.tar.gz
* Copy the above files to /tmp
* tar zxvf snort-2.3.0rc2.tar.gz   (unpack each archive separately; "tar zxvf *.tar.gz" would treat the second archive as a member name to extract from the first)
* cd snort-2.3.0rc2
* ./configure
* make
* make install
* mkdir /etc/snort
* cd /etc/snort
* wget http://www.snort.org/dl/rules/snortrules-snapshot-current.tar.gz
* tar zxvf snortrules-snapshot-current.tar.gz
* mkdir /var/log/snort
* copy snort.conf from the etc/ directory of the unpacked Snort source (/tmp/snort-2.3.0rc2/etc/snort.conf) to /etc; "make install" does not install it
* cd /etc
* vi snort.conf
Some key settings after editing are as follows:
var HOME_NET YourNetwork
var RULE_PATH /etc/snort/rules
preprocessor http_inspect: global \
    iis_unicode_map /etc/snort/rules/unicode.map 1252
include /etc/snort/rules/reference.config
include /etc/snort/rules/classification.config
For example: var HOME_NET 220.8.0.0/16
You can also uncomment (remove the leading #) lines such as
include $RULE_PATH/local.rules
to add your own rule set.
* /usr/local/bin/snort -d -l /var/log/snort -c /etc/snort.conf
* Write the previous command to /etc/rc.d/rc.local (add -D so that Snort runs as a daemon; otherwise the command never returns and the rest of rc.local does not run)
2) Install Guardian --- requires Perl
* cd /tmp
* tar zxvf Guardian-1.6.tar.gz
* cd Guardian-1.6
* echo > /etc/guardian.ignore   (creates an empty ignore file)
* cp guardian.pl /usr/local/bin/
* cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
* cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
* cp guardian.conf /etc/
* vi /etc/guardian.conf
Edit this file; an example is as follows:
# last octet of the host's default gateway address; Guardian never blocks the gateway
HostGatewayByte 1
# Guardian's own log file
LogFile /var/log/guardian.log
# the Snort alert file that Guardian reads
AlertFile /var/log/snort/alert
# put the IPs that must never be blocked in this file (DNS servers, upstream routers,
# management hosts): a single false-positive alert is enough to block a source
IgnoreFile /etc/guardian.ignore
# maximum time in seconds that an IP stays blocked (86400 = 24 hours); 99999999 means no time limit
TimeLimit 86400
* /usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf
* Add the previous command to /etc/rc.d/rc.local
At this point the setup is complete.
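To make concrete what Guardian does with the alert file once the above is running, here is an added example in Python. It is not Guardian's own Perl code and not part of the original post. It parses constructed sample lines in Snort's one-line "fast" alert format, applies the ignore file, gateway and HOME_NET exemptions and the TimeLimit expiry from the configuration above, and returns the iptables block/unblock commands instead of executing them, so it runs without root. HOME_NET 220.8.0.0/16 and TimeLimit 86400 come from the page; the gateway address 220.8.1.1 (last octet 1, matching HostGatewayByte 1), the ignore entry 198.51.100.9, the priority threshold and the alert lines themselves are assumptions made for the example.

```python
# Added example: Guardian-style alert-to-iptables logic in Python (not Guardian's own
# Perl). Commands are returned as strings and never executed, so no root is needed.
import ipaddress
import re

# One line of Snort's "fast" alert format (snort -A fast). Guardian itself reads the
# default multi-line alert file; the one-line format keeps this example short.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"(?:\[Priority: (?P<prio>\d+)\] )?"
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?$"
)


def parse_alert(line):
    """Return the alert's fields as a dict, or None if the line is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"]) if fields["prio"] else None
    return fields


def load_ignore(text):
    """Ignore file: one IP or CIDR per line, '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


class Blocker:
    """Decides which alert sources to drop, for how long, and when to unblock."""

    def __init__(self, home_net, gateway, ignore_nets, time_limit, max_priority=2):
        self.home_net = ipaddress.ip_network(home_net)
        # assumption: gateway given directly (Guardian derives it from HostGatewayByte)
        self.gateway = ipaddress.ip_address(gateway)
        self.ignore_nets = ignore_nets
        self.time_limit = time_limit      # seconds, like TimeLimit in guardian.conf
        self.max_priority = max_priority  # assumed criterion: skip alerts with a higher (less severe) number
        self.blocked = {}                 # source IP -> time at which to unblock

    def exempt(self, src):
        """Never block the gateway, our own network, loopback, or ignore-file entries."""
        ip = ipaddress.ip_address(src)
        if ip == self.gateway or ip in self.home_net or ip.is_loopback:
            return True
        return any(ip in net for net in self.ignore_nets)

    def handle(self, line, now):
        """Return the iptables command for this alert line, or None if nothing to do."""
        alert = parse_alert(line)
        if alert is None:
            return None
        if alert["prio"] is not None and alert["prio"] > self.max_priority:
            return None
        src = alert["src"]
        if self.exempt(src) or src in self.blocked:
            return None
        self.blocked[src] = now + self.time_limit
        return f"iptables -I INPUT -s {src} -j DROP"

    def expire(self, now):
        """Return unblock commands for sources whose TimeLimit has passed."""
        cmds = []
        for src, until in list(self.blocked.items()):
            if now >= until:
                del self.blocked[src]
                cmds.append(f"iptables -D INPUT -s {src} -j DROP")
        return cmds


# Constructed sample input: HOME_NET 220.8.0.0/16 as on the page; everything else assumed.
SAMPLE_ALERTS = """\
01/15-10:23:45.123456 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 220.8.1.10
01/15-10:23:46.000001 [**] [1:1000001:1] LOCAL test rule [**] [Priority: 3] {TCP} 203.0.113.8:4444 -> 220.8.1.10:22
01/15-10:23:47.000002 [**] [1:1421:11] SNMP AgentX/tcp request [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.9:52000 -> 220.8.1.10:705
01/15-10:23:48.000003 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 220.8.1.1 -> 220.8.1.10
01/15-10:23:49.000004 [**] [1:469:3] ICMP PING NMAP [**] [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 203.0.113.7 -> 220.8.1.11
this line is not an alert and must be skipped
"""
SAMPLE_IGNORE = "198.51.100.9   # assumed monitoring host: never block it\n"


def run_sample(now=0):
    """Feed the sample alerts through a Blocker; return (block cmds, unblock cmds after TimeLimit)."""
    blocker = Blocker("220.8.0.0/16", "220.8.1.1", load_ignore(SAMPLE_IGNORE), time_limit=86400)
    blocks = [c for c in (blocker.handle(l, now) for l in SAMPLE_ALERTS.splitlines()) if c]
    unblocks = blocker.expire(now + 86400)  # one day later the entry has expired
    return blocks, unblocks


if __name__ == "__main__":
    for cmd in sum(run_sample(), []):
        print(cmd)
```

Of the six sample lines only the first produces a block: the second is below the priority threshold, the third comes from an ignored host, the fourth from the gateway, the fifth repeats an already blocked source, and the sixth is not an alert. After TimeLimit the matching unblock command is produced and the same source can be blocked again. A real deployment would pass the commands to the block/unblock scripts (which must use iptables, not ipchains) and would tail the alert file instead of reading a string.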
Notes:
1) Snort's rule files are updated often; the following script updates them automatically:
#!/bin/sh
# download the current rules snapshot and unpack it over /etc/snort/rules
cd /etc/snort || exit 1
# -O overwrites the old archive; without it wget saves a ".1" copy and tar unpacks the stale one
wget -q -O snortrules-snapshot-current.tar.gz http://www.snort.org/dl/rules/snortrules-snapshot-current.tar.gz
tar zxf snortrules-snapshot-current.tar.gz
# Snort only reads its rules at startup, so restart it (or send it SIGHUP) after updating
exit 0
* Save the above script as snortupdate in /etc/cron.daily/ and make it executable; the rules are then updated once a day.
2) Guardian sometimes exits on its own; the following script deals with that:
#!/usr/bin/perl
# Check whether guardian.pl is running and restart it if not.
# Requires the Perl module Proc::ProcessTable (available from http://www.cpan.org).
use strict;
use warnings;
use Proc::ProcessTable;

my $found = 0;
my $t = Proc::ProcessTable->new;
foreach my $p (@{$t->table}) {
    # match "guardian.pl" specifically and skip this script's own process; matching
    # just "guardian" would also match a cron job named testguardian and always report alive
    if ($p->pid != $$ && $p->cmndline =~ /guardian\.pl/) {
        $found = 1;
        last;
    }
}
if ($found) {
    print "Guardian is alive!\n";
} else {
    print "Guardian is dead!\n";
    print "Restarting Guardian now...\n";
    system "/usr/bin/perl /usr/local/bin/guardian.pl -c /etc/guardian.conf";
}
Save the above script as testguardian in /etc/cron.hourly. It checks once an hour whether Guardian is still alive and restarts it if it has died.
Remember to make testguardian executable:
chmod +x /etc/cron.hourly/testguardian
Also edit /etc/crontab and add /usr/local/bin to PATH.
Script: killguardian
#!/usr/bin/perl
# Kill the running guardian.pl process. Requires the Perl module Proc::ProcessTable,
# available from http://www.cpan.org
use strict;
use warnings;
use Proc::ProcessTable;

my $t = Proc::ProcessTable->new;
foreach my $p (@{$t->table}) {
    kill 9, $p->pid if $p->pid != $$ && $p->cmndline =~ /guardian\.pl/;
}
Related Q&A:
Q:
I followed the above steps to install and configure Snort on RedHat AS3.0, but when Snort starts it says:
Error: Unable to open rules file: etc/snort/rules/bad-traff/rules/bad-traffic.rules. Fatal error, quitting..
Yet there is a bad-traffic.rules file under /etc/snort/rules, downloaded directly from www.snort.org. Why is that?
A:
cd /etc/snort
wget http://www.snort.org/dl/rules/snortrules-snapshot-current.tar.gz
tar zxvf snortrules-snapshot-current.tar.gz
**********************************************************************
Q:
* tar zxvf snortrules-snapshot-current.tar.gz
* mkdir /var/log/snort
* cd /etc
* vi snort.conf
When I got to the above steps I found that there is no snort.conf file in the /etc directory, so vi created a new file. What is going on?
A:
Look in Snort's unpacked source directory, not in the unpacked rules directory.
Copy /etc/snort/rules/snort.conf to /etc; I don't know whether that has any effect.
**********************************************************************
Q:
I installed Snort; it reported nothing when started, but /var/log/snort/log is empty. Why? I used nmap from a client to test and the server recorded nothing at all. I started it with snort -v directly and the terminal showed no information either. I don't know what is going on; is other software needed? Looking at the log, the last Snort startup was successful.
A:
The problem is solved.
But when guardian_unblock.sh deletes the rules it actually uses the ipchains command; look in the Guardian-1.6.tar.gz package, the iptables_unblock.sh inside is wrong........