
[Snort-users] guardian2, a snort log watcher and active responder

Subject: [Snort-users] guardian2, a snort log watcher and active responder
Date: Mon, 15 May 2006 10:35:30 -0400 (EDT)
Hello All,

I'd like to announce the availability of a new snort log watcher program.
Guardian2 watches over the snort or syslog files and responds with a
pre-defined action whenever a match with any of your rules occurs. It's
based on guardian-1.7, http://www.chaotic.org/guardian/ , and it has the
following features:

* it can watch over multiple log files at the same time
* it has full regex support for easy configuration
* flexible match for hosts/ports to make it possible to parse other log
  files such as syslog or apache logs
* each rule can have multiple thresholds and throttling
* thresholds can be target-host based or port based
* each rule can be overridden for any hosts. also supports global
  overrides.
* tracking can be attached to a rule to track remote hosts' activities
* each rule can have a tag to let you customize the blocking script easily
* guardian2 on multiple hosts can communicate via the PullCommand. For
  example, your syslog server can track those hosts blocked on the
  firewall
* it tries hard not to block any important hosts on the network:)
* it handles log rotations gracefully
* '-D' option for you to play around without causing any harm:)

The following line is an interesting example in the sample .rule file:
    Invalid user \S+ from  +++ 10/30 50/8h ==> ${FW} 6h
which will inform the firewall to block the remote host for 6 hours if we
get at least 10 'Invalid user...' entries from that host within 30
seconds, or 50 entries within 8 hours.

The package is available, as a .tar.gz file, at:

        http://www.math.duke.edu/~yu/guardian2/

See 'guardian.conf' for more configuration info.

Have fun!
-yu
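The threshold logic behind that sample rule (several count/window pairs on one rule, tracked per remote host, with a block duration and throttling while a host is already blocked) is easy to misjudge when tuning, so here is an added illustration of it. This is a constructed re-implementation written for this archive page, not guardian2's own code: the rule syntax is taken from the announcement's one sample line (`+++` separating the match regex from the thresholds, `==>` introducing the action tag and block duration), while the host-extraction regex, the function names and the timestamps-as-seconds input format are assumptions made for the example.

```python
import re
from collections import defaultdict, deque

# Duration suffixes assumed for this example: bare number = seconds, m/h/d = min/hour/day.
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text):
    m = re.fullmatch(r"(\d+)([smhd]?)", text)
    if not m:
        raise ValueError(f"bad duration: {text!r}")
    return int(m.group(1)) * UNITS[m.group(2)]


def parse_rule(line):
    """Parse '<regex> +++ <count>/<window> ... ==> <action> <block duration>'."""
    head, _, rest = line.partition("+++")
    thresholds_text, _, action_text = rest.partition("==>")
    thresholds = []
    for tok in thresholds_text.split():
        count, _, window = tok.partition("/")
        thresholds.append((int(count), parse_duration(window)))
    action, duration = action_text.split()
    return {
        "pattern": re.compile(head.strip()),
        "thresholds": thresholds,
        "action": action,
        "block_for": parse_duration(duration),
    }


class Watcher:
    """Per-host sliding-window counter for one rule (assumed design, not guardian2's)."""

    def __init__(self, rule, host_pattern=r"from (\d+\.\d+\.\d+\.\d+)"):
        self.rule = rule
        self.host_re = re.compile(host_pattern)   # assumption: host follows 'from '
        self.events = defaultdict(deque)          # host -> timestamps of matching lines
        self.max_window = max(w for _, w in rule["thresholds"])
        self.blocked = {}                         # host -> block expiry time

    def feed(self, ts, line):
        """Return (action, host, expiry) when a threshold trips, else None."""
        if not self.rule["pattern"].search(line):
            return None
        m = self.host_re.search(line)
        if not m:
            return None
        host = m.group(1)
        # Drop an expired block, then throttle: a blocked host is not re-blocked.
        if host in self.blocked and self.blocked[host] <= ts:
            del self.blocked[host]
        if host in self.blocked:
            return None
        q = self.events[host]
        q.append(ts)
        while q and q[0] <= ts - self.max_window:   # keep only the largest window
            q.popleft()
        for count, window in self.rule["thresholds"]:
            recent = sum(1 for t in q if t > ts - window)
            if recent >= count:
                expiry = ts + self.rule["block_for"]
                self.blocked[host] = expiry
                q.clear()
                return (self.rule["action"], host, expiry)
        return None


# The rule line quoted in the announcement, verbatim.
RULE = parse_rule("Invalid user \\S+ from  +++ 10/30 50/8h ==> ${FW} 6h")


def run_sample():
    """Feed constructed sshd-style lines; timestamps are seconds, given separately."""
    w = Watcher(RULE)
    hits = []
    # Fast host: ten failures within ten seconds trips the 10/30 threshold.
    for i in range(10):
        r = w.feed(i, "sshd[1234]: Invalid user admin from 192.0.2.10")
        if r:
            hits.append(r)
    # Same host again while blocked: throttled, no second action.
    if w.feed(10, "sshd[1234]: Invalid user root from 192.0.2.10"):
        hits.append("unexpected")
    # Slow host: one failure a minute never reaches 10/30, but 50 in 8h trips.
    for i in range(50):
        r = w.feed(1000 + 60 * i, "sshd[1234]: Invalid user test from 192.0.2.20")
        if r:
            hits.append(r)
    # Non-matching line: ignored.
    w.feed(5000, "sshd[1234]: Accepted publickey for yu from 192.0.2.30")
    return hits


if __name__ == "__main__":
    for action, host, expiry in run_sample():
        print(f"{action} block {host} until t={expiry}")
```

Real syslog lines carry a timestamp in the line itself, which a watcher parses rather than taking from a separate argument as this example does; the point here is the counting, and in particular that the two thresholds are evaluated independently on the same event history, so a slow, steady attacker is caught by the long window while a burst is caught by the short one.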




  • [Snort-users] guardian2, a snort log watcher and active responder, Yunliang Yu <=