Guardian Active Response for Snort
Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert.
There is also logic in place which pervents blocking important machines, such as DNS servers, gateways, and whatever else you want.
Here is a link you might want to read:
http://online.securityfocus.com/infocus/1540 .. I found it very interesting on why you should use this software with great caution.
- New block/unblock scripts! Checkpoint firewall and Pix firewall scripts. Download them below. Thanks goes out to Markwalder Philip (pm at ibp.ch) and Roland Gafner (roland.gafner at gmx.net). Awesome work guys :)
- Better syslog parsing! Now guardian should work regardless of how your
syslog/snortlib reports the attacks (as long as the attacker's IP address is
first). The new code is much cleaner, and should be a bit faster as well.
- Added support for watching for more than one IP address. To do this,
a new option has been added to the guardian.conf file:
The file should contain a list of IP addresses which are local IP
addresses. The format is the same as the IgnoreFile. This is useful
for people who are hosting several IP addresses from one machine.
It might also be useful for poeple who are running snort/guardian on a
This will also only place a block on the interface which is defined in
the guardian.conf .. I should also add that this is experimental.
- Bug fix: guardian now catches portscans as reported by the portscan modules
- ipchains (Block / Unblock)
- iptables (Block / Unblock)
- ipfwadm (Block / Unblock)
- FreeBSD using IPFW (Block / Unblock)
- ipfilter (courtesy of Wes Sonnenreich (sonny at alum.mit.edu) (Block / Unblock)
- New! Null Route for Linux systems with no other packet filter software (Block / Unblock)
This is a hack. Please read the file.. It works by adding a route to your routing table when an attack is detected. The route is invalid, and specific to the attacker, so while the route exists, your machine won't send anything back to the attacker. I have no idea what this does to performace.
- Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock)
- Pix Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock / Required perl script (also requires ssh perl module))
- Here is a readme file that explains how to have guardian/snort running on one machine, and applying blocks to your firewall on a diffrent machine. This was written by Roland Gafner (roland.gafner at gmx.net)
- Current Version: 1.7 (Download here)
- Better syslog parsing
- TargetFile to watch multiple IP addresses
- Bug Fix for catching portscans
- Version: 1.6.2 (Download here)
- Support added for syslog rotation. Previously, guardian would not reopen
the syslog file if it got rotated. This does not mean that there is
support for rotating the guardian log itself. This will be supported in a future version.
- Added block/unblock script for ipfwadm (useful for older linux kernels)
- Bug fixes. Thanks to brian at unearthed.org for pointing them out.
- Version: 1.6.1 (Download here)
- Bug fix for newer snortlibs and syslog
- Added block/unblock scripts for ipfwadm
- Version: 1.6 (Download here)
- Now calls an external script for blocking ip addresses.
- Added a timelimit feature.
- Removes all blocks upon exit
- Version: 1.5 beta (Download here)
Many bug fixes, FreeBSD support added, syslog support added, IPtables support added
- Original release: 1.0 (Download here)
This page is still under much work, so check back often =)
--- Anthony (astevens @ chaotic . org) 03-26-02
- Support for other Network Intrusion Detection systems
- Write block/unblock scripts for other OSs
- Do something with the Priority codes that come with newer snort-libs
- Include changes from unofficial guardian releases..
- More stuff later on..