#!/bin/sh

# This is a sample block script for guardian. It should work with ipfilter.
# Guardian calls this command as follows:
# ipfilter_block.sh <source_ip> <interface>
# and the script issues a command to block all traffic from that source IP
# address. The logic of whether or not it is safe to block that address is
# done inside guardian itself; this script does no such checking.

# VERY IMPORTANT: you may need to change loglevel if you're already using
# local7.alert... change it to a facility/priority you're not using in any of
# your rules.
#
# why? Suppose you have the following rule in your normal active rule set:
#
# block in quick from 127.0.0.1 to any
#
# now snort detects an attack packet that has been spoofed to come from
# 127.0.0.1. Guardian immediately creates a block rule:
#
# block in quick from 127.0.0.1 to any
#
# which is completely redundant. Guardian says "ok, let's wait a bit."
# now the timeout period is up. Guardian deletes the above block rule.
# suddenly, you've deleted your original blocking rule, and spoofed packets
# can now get through your firewall.
#
# to solve this, we add something to guardian's rules that won't be matched
# by any other rule in your ruleset -- logging to a facility/priority that most
# of us won't be using (local7.alert). Of course, some people might be using
# this for something else... but it's unlikely.
#
# A side benefit to this is that we collect all of the "attack" packets filtered
# by guardian in a separate log (if you configure syslog to log local7.alert some
# place special). By default, this will create a simple log entry. If you want
# to have more info though, you might want to set the variable "options" below to
# "body" -- this will log the first 128 bytes of payload for each packet that has
# been blocked by guardian. Useful for diagnostics and forensics... although it is
# probably redundant with snort's logs (unless you're fast logging with snort, in
# which case you can use this to get more packet info for those packets you
# REALLY care about).

# Guardian passes exactly two arguments; refuse to run with anything else so a
# malformed call can never turn into a rule with an empty source or interface.
if [ "$#" -ne 2 ]; then
    echo "usage: $0 <source_ip> <interface>" >&2
    exit 1
fi

source="$1"
interface="$2"
loglevel="local7.alert"   # the marker facility/priority discussed above
options=""                # set to "body" to log the first 128 bytes of payload

# Feed the rule to ipf on stdin; "log ... level $loglevel" is what marks it as
# guardian's own rule so its later removal cannot clobber one of yours.
echo "block in log $options level $loglevel quick on $interface from $source to any" | /sbin/ipf -f -
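The following is an added example, not part of guardian's own script: it builds the same marked rule, adds a pre-check that refuses to run when some rule in the active ruleset already logs at the marker level (the collision the header warns about), and shows the matching removal with `ipf -r`. The function names, the `fxp0` interface and the sample ruleset are constructed for illustration; on a real host the ruleset would come from `ipfstat -io`.

```shell
#!/bin/sh
# Added example (not guardian's own code). Assumes /sbin/ipf and ipfstat
# exist; the ruleset text below is constructed, not captured from a host.

LOGLEVEL="local7.alert"

# Constructed sample of `ipfstat -io` output. The last rule already uses the
# marker level, so the pre-check must report a collision for this ruleset.
SAMPLE_RULESET='block in quick from 127.0.0.1 to any
pass in quick on fxp0 proto tcp from any to any port = 22 flags S keep state
block in log level local7.alert quick on fxp0 from 10.0.0.0/8 to any'

# build_rule SRC IFACE OPTIONS: print the rule guardian would insert.
# tr -s collapses the double space left when OPTIONS is empty.
build_rule() {
    printf 'block in log %s level %s quick on %s from %s to any\n' \
        "$3" "$LOGLEVEL" "$2" "$1" | tr -s ' '
}

# marker_in_use RULESET: succeed (0) if any rule in RULESET already logs at
# the marker level, i.e. a later "ipf -r" from guardian could delete a rule
# that guardian did not add.
marker_in_use() {
    printf '%s\n' "$1" | grep -q "level $LOGLEVEL"
}

# block_source SRC IFACE: add the marked rule, but only after confirming the
# live ruleset does not already use the marker.
block_source() {
    if marker_in_use "$(ipfstat -io 2>/dev/null)"; then
        echo "refusing: $LOGLEVEL already used by an active rule" >&2
        return 1
    fi
    build_rule "$1" "$2" "" | /sbin/ipf -f -
}

# unblock_source SRC IFACE: remove exactly the rule block_source added.
# "ipf -r" deletes the matching rule instead of adding it.
unblock_source() {
    build_rule "$1" "$2" "" | /sbin/ipf -rf -
}

# Only act when invoked like ipfilter_block.sh <source_ip> <interface>.
if [ "$#" -eq 2 ]; then
    block_source "$1" "$2"
fi
```

Run the pre-check once when installing guardian rather than on every block; if it fails, change `LOGLEVEL` (and `loglevel` in the script above) to a facility/priority none of your rules use.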
