Guardian Active Response for Snort

Overview:

New Stuff/Changes

• New block/unblock scripts! Checkpoint firewall and Pix firewall scripts. Download them below. Thanks goes out to Markwalder Philip (pm at ibp.ch) and Roland Gafner (roland.gafner at gmx.net). Awesome work guys :)
• Better syslog parsing! Now guardian should work regardless of how your syslog/snortlib reports the attacks (as long as the attacker's IP address is first). The new code is much cleaner, and should be a bit faster as well.
• Added support for watching for more than one IP address. To do this, a new option has been added to the guardian.conf file:
  
  TargetFile /etc/guardian.target
  
  The file should contain a list of IP addresses which are local IP addresses. The format is the same as the IgnoreFile. This is useful for people who are hosting several IP addresses from one machine. It might also be useful for poeple who are running snort/guardian on a firewall.
  This will also only place a block on the interface which is defined in the guardian.conf .. I should also add that this is experimental.
  
• Bug fix: guardian now catches portscans as reported by the portscan modules

Block/Unblock Scripts

• ipchains (Block / Unblock)
• iptables (Block / Unblock)
• ipfwadm (Block / Unblock)
• FreeBSD using IPFW (Block / Unblock)
• ipfilter (courtesy of Wes Sonnenreich (sonny at alum.mit.edu) (Block / Unblock)
• New! Null Route for Linux systems with no other packet filter software (Block / Unblock)
  This is a hack. Please read the file.. It works by adding a route to your routing table when an attack is detected. The route is invalid, and specific to the attacker, so while the route exists, your machine won't send anything back to the attacker. I have no idea what this does to performace.
• Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock)
• Pix Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock / Required perl script (also requires ssh perl module))

Misc Stuff

• Here is a readme file that explains how to have guardian/snort running on one machine, and applying blocks to your firewall on a diffrent machine. This was written by Roland Gafner (roland.gafner at gmx.net)

Downloads

• Current Version: 1.7 (Download here)
  
  • Better syslog parsing
  • TargetFile to watch multiple IP addresses
  • Bug Fix for catching portscans
• Version: 1.6.2 (Download here)
  
  • Support added for syslog rotation. Previously, guardian would not reopen the syslog file if it got rotated. This does not mean that there is support for rotating the guardian log itself. This will be supported in a future version.
  • Added block/unblock script for ipfwadm (useful for older linux kernels)
  • Bug fixes. Thanks to brian at unearthed.org for pointing them out.
• Version: 1.6.1 (Download here)
  
  • Bug fix for newer snortlibs and syslog
    
  • Added block/unblock scripts for ipfwadm
    
• Version: 1.6 (Download here)
  
  • Now calls an external script for blocking ip addresses.
    
  • Added a timelimit feature.
    
  • Removes all blocks upon exit
    
• Version: 1.5 beta (Download here)
  Many bug fixes, FreeBSD support added, syslog support added, IPtables support added
  
• Original release: 1.0 (Download here)
  

TODO

• Support for other Network Intrusion Detection systems
• Write block/unblock scripts for other OSs
• Do something with the Priority codes that come with newer snort-libs
• Include changes from unofficial guardian releases..
• More stuff later on..