Today I tried out Guardian together with Snort.
I want to tie its log in with the honeypot and LP set up earlier,
so that it can be used to block IPs.
Add the following to /etc/snort/snort.conf:
output alert_full: /var/log/snort/alert
This way alerts go into MySQL and are also written to /var/log/snort/alert.
Then point Guardian's alert file at /var/log/snort/alert.
(With the method in the official Snort documentation I still could not get alerts written to both MySQL and the alert file at the same time.)
---Guardian Installation and Configuration---
Guardian is a package that monitors Snort alert messages and calls iptables to block the IP responsible for the malicious activity.
The current official release is 1.7.
> tar zxvf guardian-1.7.tar.gz
> cd guardian-1.7
> touch /etc/snort/guardian.ignore
> touch /etc/snort/guardian.target
> touch /var/log/snort/guardian.log
> cp guardian.pl /usr/local/bin/
> cp scripts/iptables_block.sh /usr/local/bin/guardian_block.sh
> cp scripts/iptables_unblock.sh /usr/local/bin/guardian_unblock.sh
> cp guardian.conf /etc/snort
Edit the Guardian configuration file as follows:
vi /etc/snort/guardian.conf
Interface eth0
LogFile /var/log/snort/guardian.log
AlertFile /var/log/snort/alert
IgnoreFile /etc/snort/guardian.ignore
TimeLimit 86400 # release the blocked IP after about a week
[Starting the guardian program]
/usr/bin/perl /usr/local/bin/guardian.pl -c /etc/snort/guardian.conf
# When guardian starts successfully it looks like the following; it first reads guardian.ignore (the whitelist) and the IPs in guardian.target
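To make the alert-to-block flow concrete, here is an added example (not code from the original post and not Guardian's own script) that does in a few shell functions what Guardian does for you: it reads alerts in Snort's alert_full layout, pulls the source IP out of the "date src:port -> dst:port" line, skips anything listed in the ignore file (the whitelist), and prints the iptables command a Guardian-style blocker would run. The alert lines and the ignore list are constructed samples, and the exact `iptables -I INPUT -s IP -j DROP` form is an assumption about what guardian_block.sh does; the script only prints commands, it never touches the firewall.

```shell
#!/bin/sh
# Added example, not part of the original post or of Guardian itself.
# Turns Snort alert_full records into a list of iptables block commands,
# honouring an ignore list the way Guardian honours guardian.ignore.

# Constructed sample alerts in Snort's alert_full layout (assumption: the
# "MM/DD-HH:MM:SS src:port -> dst:port" line carries the source address).
SAMPLE_ALERTS='[**] [1:2003068:7] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:22:31.123456 203.0.113.5:54321 -> 192.0.2.10:22
TCP TTL:64 TOS:0x0 ID:54321 IpLen:20 DgmLen:60 DF

[**] [1:2001219:20] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:22:35.000001 192.0.2.50:40000 -> 192.0.2.10:22
TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF

[**] [1:2003068:7] ET SCAN Potential SSH Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
01/15-10:22:40.000002 203.0.113.5:54322 -> 192.0.2.10:22
TCP TTL:64 TOS:0x0 ID:2 IpLen:20 DgmLen:60 DF'

# Constructed ignore list, one IPv4 address per line, like guardian.ignore.
# Keep your own management hosts and loopback here so a spoofed or noisy
# alert can never lock you out.
IGNORE_LIST='192.0.2.50
127.0.0.1'

# extract_src_ips ALERTS: print each distinct source IP, one per line.
# Only IPv4 is handled; an IPv6 address contains colons and would need a
# different split.
extract_src_ips() {
    printf '%s\n' "$1" | awk '/->/ { split($2, a, ":"); print a[1] }' | sort -u
}

# is_ignored IP LIST: succeed when IP is an exact line of the ignore list.
is_ignored() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# plan_blocks ALERTS IGNORE: print one block command per offending IP that
# is not whitelisted. Assumed shape of Guardian's iptables_block.sh call.
plan_blocks() {
    for ip in $(extract_src_ips "$1"); do
        if is_ignored "$ip" "$2"; then
            continue
        fi
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

plan_blocks "$SAMPLE_ALERTS" "$IGNORE_LIST"
```

Run as-is it prints a single DROP command for 203.0.113.5, because 192.0.2.50 is whitelisted and the two alerts from 203.0.113.5 collapse to one address. The important operational detail this mirrors is the ignore list: populate it before starting Guardian. Note also that Guardian's TimeLimit is expressed in seconds, so 86400 corresponds to 24 hours.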
http://blog.yam.com/keynes0918/article/40353559