
Snort2c attempts to be an improved version of snort2pf, written by Stephan
Schmieder in Perl [0], with some advantages:

It contains snort2c (the daemon) and mons2c (snort2c's table management tool).

Hey! snort2c is now available inside snort as an output plugin;
see [!] or spoink.sourceforge.net

snort2c

Snort2c works by monitoring snort's alert file using a kqueue
filter and blocking any attacker IP that is not in our
whitelist file.
It uses a (persist) table and a (block in) rule
that blocks any access to our network.

Snort2c can be invoked in several ways; with the -s (start)
option it appends its table and rule to the end of
your pf rules.

A rc.local example:

if [ -x "$path_to_snort2c" ]; then
        $path_to_snort2c -w $path_to_whitelist -s
        echo -n " snort2c"
fi

Adding snort2c's table manually:

# pf.conf

ext_if="rl0"
int_if="rl1"
trusted_ip="{192.168.1.15}"
internal_net="192.168.2.0/24"
public_tcp="{https, cvspserver, www, ssh, smtp}"

set block-policy return
table <snort2c> persist
...
pass in on $int_if from $int_if:network to any keep state
block in from <snort2c> to any

# end

NOTE: when snort2c is called without the -s option it assumes
snort2c's table and rule already exist; otherwise it quits.

You must use a whitelist file for snort2c, containing your own IP
and any others you want to protect from snort's decisions.
Specify it with the -w option; the whitelist file looks
like:

192.168.21.1
192.168.21.4
192.168.21.8

Snort2c runs in daemon mode by default; use the debug option (-d)
to view its decisions and parsing output while it is working.
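As an added illustration (not snort2c's own code, which is written in C), the following Python sketch of the same decision loop: parse snort alert lines, skip sources that appear in the whitelist, and build the pfctl command that adds the rest to the <snort2c> persist table. The alert lines and whitelist are constructed samples; the snort "fast" alert format and the CIDR whitelist entry are assumptions, since the page only shows plain addresses.

```python
import ipaddress
import re

# Constructed sample of snort "fast"-format alert lines (not real traffic).
SAMPLE_ALERTS = """\
01/29-10:02:11.123456  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Priority: 2] {UDP} 192.168.1.40:1434 -> 192.168.2.10:1434
01/29-10:02:15.654321  [**] [1:1421:11] SNMP AgentX/tcp request [**] [Priority: 2] {TCP} 192.168.21.4:3412 -> 192.168.2.10:705
01/29-10:03:02.000001  [**] [1:469:3] ICMP PING NMAP [**] [Priority: 2] {ICMP} 192.168.1.115 -> 192.168.2.10
this line is not an alert and must be ignored
"""

# Constructed whitelist in the page's one-address-per-line format, plus a
# CIDR entry (an assumption; snort2c's own whitelist shows plain addresses).
SAMPLE_WHITELIST = """\
192.168.21.1
192.168.21.4
192.168.2.0/24
"""

# Source address of an alert: "{PROTO} src[:port] -> dst[:port]"; port is absent for ICMP.
ALERT_RE = re.compile(r"\{\w+\}\s+(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+")

def load_whitelist(text):
    """Parse whitelist lines into networks; blank lines and '#' comments are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def attackers_to_block(alert_text, whitelist):
    """Return non-whitelisted source IPs from alert lines, deduplicated, in first-seen order."""
    seen, result = set(), []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert line; snort2c's parser ignores it too
        ip = ipaddress.ip_address(m.group(1))
        if ip in seen or any(ip in net for net in whitelist):
            continue
        seen.add(ip)
        result.append(str(ip))
    return result

def pfctl_block_cmd(ips, table="snort2c"):
    """Build the pfctl command that adds ips to the persist table (run as root on the pf host)."""
    return ["pfctl", "-t", table, "-T", "add", *ips]

if __name__ == "__main__":
    ips = attackers_to_block(SAMPLE_ALERTS, load_whitelist(SAMPLE_WHITELIST))
    print(" ".join(pfctl_block_cmd(ips)))
```

The sample yields exactly the two addresses shown by mons2c -l later on this page, while 192.168.21.4 is spared by the whitelist.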

mons2c

Listing blocked IPs:

vm@mescaline# mons2c -l
192.168.1.40
192.168.1.115

Using mons2c to flush snort2c's table:

vm@mescaline# mons2c -f
vm@mescaline# mons2c -l

Using mons2c to delete IPs from snort2c's table:

vm@mescaline# mons2c -d 192.168.1.115
vm@mescaline# mons2c -l
192.168.1.40

Download

snort2c-v0.2

Notes

It lacks "autodisable blocks" support for blocked IPs.
Using snort2c in production environments
or on critical systems is not recommended.

man pages

SNORT2C(8)              OpenBSD System Manager's Manual             SNORT2C(8)
NAME
     snort2c - action tool against attackers based on snort alerts

SYNOPSIS
     snort2c [-hsd] [-w WhiteListFile] [-a AlertFile]

DESCRIPTION
     snort2c analyzes snort output and blocks attackers using pf. It is based
     on the original snort2pf written by Stephan Schmieder.

     The options are as follows:

     -h      Show help.

     -s      Run in init mode. It creates for you a persist table (snort2c) and
             a "block return" rule for it. This is useful
             when you run snort2c at boot and you don't want to edit your
             pf.conf.

     -d      Run in debug mode. Daemon mode is disabled.

     -w WhiteListFile
             Whitelist file for protected hosts.

     -a AlertFile
             Snort alert file; the default is /var/log/snort/alert.

SEE ALSO
     pf(4), pfctl(8), snort(8)

AUTHORS
     Antonio Benojar

                               January 29, 2005

MONS2C(8)               OpenBSD System Manager's Manual              MONS2C(8)

NAME
     mons2c - snort2c monitor

SYNOPSIS
     mons2c [-lf] [-d ip]

DESCRIPTION
     mons2c prints out the IPs blocked by snort2c.

     The options are as follows:

     -l      Prints out blocked IPs.

     -f      Flush the snort2c table.

     -d ip   Delete the given ip from the snort2c table.

SEE ALSO
     pf(4), pfctl(8), snort2c(8), snort(8)

AUTHORS
     Antonio Benojar

                               January 30, 2005

Todo

- automatically revoke blocks after a set time.

References

contact at zz |dot| stalker |at| gmail |dot| com
public key id: 0x1E0D5A2A
