On 14 Nov 2001, Tim Haynes wrote:

> > that looks pretty practical. have you considered looking at something
> > like 'guardian' http://www.chaotic.org/guardian/ to do automated response
> > to selected snort rules?
>
> I've considered it, to some extent, but in my case I figured it's best just
> to look at snort's logs in a bit more detail before blocking things left
> right & center.

yes, familiarity with the traffic patterns you get over a few weeks is
useful for picking out the aberrations.

> > it's clever enough to maintain a rolling window of blocking, so you don't
> > end up with a huge packetfilter and stale dynamic addresses over time...
> [snip]
>
> Whatever automated solution you find, it *must*
> a) allow me to specify some "must-not-block" networks/IP#s, eg upstream
>    nameservers, etc
> b) allow me back in after a given amount of time
> c) never block a valid user after a false alarm - just because my snort db
>    is filling up with `retransmission attempt's, it doesn't mean that every
>    IP# generating an alert wants blocking. (Yes, I've got some tweaking to
>    be doing :)

i think it does all of the above (not used it -- so just going by docs) -- i
would assume that you would be able to choose which alerts to block --
otherwise eventually you would block a large proportion of the hosts that
you communicate with legitimately.

i've got 'preprocessor stream4: noalerts' and 'preprocessor
stream4_reassemble: noalerts' in my snort 1.8 config; i'm not interested in
messages from my stream reassembler...

cheers,
-thomas

--
Do what thou wilt shall be the whole of the Law. -- Aleister Crowley
gpg: pub 1024D/81FD4B43 sub 4096g/BB6D2B11=>p.nu/d
     2B72 53DB 8104 2041 BDB4 F053 4AE5 01DF 81FD 4B43
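The three requirements above (a must-not-block list, blocks that expire after a set time, and only selected alerts triggering a block) sketched as a response policy. This is an added illustration, not guardian's code or anything from the thread; the alert tuples, the `ResponsePolicy` class and the 600-second window are constructed for the example.

```python
import ipaddress

# Constructed sample alerts (timestamp, source IP, snort message); not real traffic.
SAMPLE_ALERTS = [
    (1000, "203.0.113.7", "WEB-MISC /cgi-bin/ attempt"),
    (1001, "198.51.100.2", "WEB-MISC /cgi-bin/ attempt"),  # upstream nameserver: exempt
    (1002, "192.0.2.9", "stream4: retransmission attempt"),  # reassembler noise: ignored
    (1700, "203.0.113.7", "WEB-MISC /cgi-bin/ attempt"),    # repeat offender: window renewed
]


class ResponsePolicy:
    """Block decisions honouring the must-not-block list, expiry and alert selection."""

    def __init__(self, never_block, block_on, ttl):
        # (a) networks that are never blocked, e.g. upstream nameservers
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        # (c) only these alert messages justify a block; everything else is logged only
        self.block_on = set(block_on)
        # (b) seconds until a block expires on its own
        self.ttl = ttl
        self.blocked = {}  # ip -> expiry timestamp

    def is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def expire(self, now):
        """Drop entries whose rolling window has elapsed."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]

    def handle(self, ts, ip, message):
        """Return True if this alert results in (or renews) a block."""
        self.expire(ts)
        if message not in self.block_on or self.is_exempt(ip):
            return False
        self.blocked[ip] = ts + self.ttl  # a repeat alert extends the window
        return True

    def active(self, now):
        """Addresses still blocked at time `now`, sorted for stable output."""
        self.expire(now)
        return sorted(self.blocked)


def run(alerts, policy):
    """Feed alerts through the policy; returns one decision per alert."""
    return [policy.handle(*alert) for alert in alerts]
```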