Shorewall + SNORT
on 09.11.2006 22:23:38 by misiek
Hi
I am looking for something to find an attacker's IP and block it in the firewall.
I use Shorewall, and I just installed Snort, but I cannot find anything
about how to make Snort talk to Shorewall, like if Snort
finds attacker IPs, it says HEY SHOREWALL BLOCK IT "DO IT DO IT...!" and plus
some notification would be awesome.
I found snortsam but there is no howto for installing it on Gentoo. I also
found snort_inline, but it seems it is not Snort but actually a separate package.
Thanks for help
michal
Re: Shorewall + SNORT
on 09.11.2006 22:41:49 by Bit Twister
On Thu, 09 Nov 2006 15:23:38 -0600, misiek wrote:
> Hi
>
> I am looking for something to find an attacker's IP and block it in the firewall.
> I use Shorewall, and I just installed Snort, but I cannot find anything
> about how to make Snort talk to Shorewall, like if Snort
> finds attacker IPs, it says HEY SHOREWALL BLOCK IT "DO IT DO IT...!" and plus
> some notification would be awesome.
> I found snortsam but there is no howto for installing it on Gentoo. I also
> found snort_inline, but it seems it is not Snort but actually a separate package.
Well, if it were me, I could append ip_whatever to
/etc/shorewall/blacklist and do a shorewall refresh.
Of course that assumes you have enabled blacklist in interfaces net options.
Now think about that for a while. You can wind up with quite a list of
IP addresses.
You could feed the ip addy to whois and get the NetRange: value and
use it instead.
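Bit Twister's suggestion above as a script (an added example, not part of anyone's post): it pulls source addresses out of a Snort fast-format alert log, appends the new ones to /etc/shorewall/blacklist, runs shorewall refresh and writes a syslog notice. The function names, the alert log path, the never-block file and the SNORT_BLOCK_APPLY switch are assumptions, and the alert lines are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Sample alerts below are constructed.
sample_alerts() {
    cat <<'EOF'
11/09-22:23:38.101010  [**] [1:1000001:1] constructed: SSH scan [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:22
11/09-22:23:39.202020  [**] [1:1000002:1] constructed: ping sweep [**] [Priority: 3] {ICMP} 198.51.100.7 -> 192.0.2.10
11/09-22:23:40.303030  [**] [1:1000001:1] constructed: SSH scan [**] [Priority: 2] {TCP} 203.0.113.45:51300 -> 192.0.2.10:22
11/09-22:23:41.404040  [**] [1:1000003:1] constructed: forged source [**] [Priority: 2] {UDP} 192.0.2.1:53 -> 192.0.2.10:53
11/09-22:23:42.505050  [**] [1:1000004:1] constructed: malformed [**] [Priority: 2] {TCP} 999.1.1.1:80 -> 192.0.2.10:80
EOF
}

# Print each distinct, well-formed IPv4 source address in fast-alert file $1.
alert_sources() {
    awk '{
        src = ""
        for (i = 2; i <= NF; i++) if ($i == "->") src = $(i - 1)  # last "->" wins
        sub(/:[0-9]+$/, "", src)                                   # drop :port
        if (split(src, o, ".") != 4) next
        for (i = 1; i <= 4; i++)
            if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || (o[i] + 0) > 255) next
        if (!seen[src]++) print src
    }' "$1"
}

# Read addresses on stdin and append the new ones to blacklist file $1.
# Addresses listed in never-block file $2 (gateway, DNS, admin hosts) are
# skipped, because alert sources can be forged. Prints what was added.
blacklist_new() {
    while read -r ip; do
        grep -qxF "$ip" "$2" 2>/dev/null && continue
        grep -qxF "$ip" "$1" 2>/dev/null && continue
        printf '%s\n' "$ip" >> "$1" && printf '%s\n' "$ip"
    done
}

# Live run (root, real files) only when SNORT_BLOCK_APPLY=yes is set.
if [ "${SNORT_BLOCK_APPLY:-}" = yes ]; then
    added=$(alert_sources "${SNORT_ALERTS:-/var/log/snort/alert}" |
        blacklist_new /etc/shorewall/blacklist /etc/shorewall/never-block)
    if [ -n "$added" ]; then
        shorewall refresh
        echo "$added" | logger -t snort-blacklist   # notification via syslog
    fi
fi
```

The live branch only has an effect when the blacklist option is set on the net interface in /etc/shorewall/interfaces, as the post says.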
Re: Shorewall + SNORT
on 10.11.2006 21:37:45 by misiek
Bit Twister wrote:
> On Thu, 09 Nov 2006 15:23:38 -0600, misiek wrote:
>> Hi
>>
>> I am looking for something to find an attacker's IP and block it in the firewall.
>> I use Shorewall, and I just installed Snort, but I cannot find anything
>> about how to make Snort talk to Shorewall, like if Snort
>> finds attacker IPs, it says HEY SHOREWALL BLOCK IT "DO IT DO IT...!" and plus
>> some notification would be awesome.
>> I found snortsam but there is no howto for installing it on Gentoo. I also
>> found snort_inline, but it seems it is not Snort but actually a separate package.
>
> Well, if it were me, I could append ip_whatever to
> /etc/shorewall/blacklist and do a shorewall refresh.
>
> Of course that assumes you have enabled blacklist in interfaces net options.
>
> Now think about that for a while. You can wind up with quite a list of
> IP addresses.
>
> You could feed the ip addy to whois and get the NetRange: value and
> use it instead.
Yeah, true, so far I use this method, but I need something advanced; I
also need some notification.
Snort seems nice. I compiled Snort inline using the inline flag while
emerging Snort, but I have no idea how to use it, because there
is no howto.
I found only snort_inline documentation, but it's a separate package and
is totally different.
Re: Shorewall + SNORT
on 13.11.2006 17:40:06 by misiek
Boger wrote:
> misiek wrote:
>
>> Bit Twister wrote:
>>> On Thu, 09 Nov 2006 15:23:38 -0600, misiek wrote:
>>>> Hi
>>>>
>>>> I am looking for something to find an attacker's IP and block it in the firewall.
>>>> I use Shorewall, and I just installed Snort, but I cannot find anything
>>>> about how to make Snort talk to Shorewall, like if Snort
>>>> finds attacker IPs, it says HEY SHOREWALL BLOCK IT "DO IT DO IT...!" and plus
>>>> some notification would be awesome.
>>>> I found snortsam but there is no howto for installing it on Gentoo. I also
>>>> found snort_inline, but it seems it is not Snort but actually a separate package.
>>> Well, if it were me, I could append ip_whatever to
>>> /etc/shorewall/blacklist and do a shorewall refresh.
>>>
>>> Of course that assumes you have enabled blacklist in interfaces net
>>> options.
>>>
>>> Now think about that for a while. You can wind up with quite a list of
>>> IP addresses.
>>>
>>> You could feed the ip addy to whois and get the NetRange: value and
>>> use it instead.
>> Yeah, true, so far I use this method, but I need something advanced; I
>> also need some notification.
>> Snort seems nice. I compiled Snort inline using the inline flag while
>> emerging Snort, but I have no idea how to use it, because there
>> is no howto.
>> I found only snort_inline documentation, but it's a separate package and
>> is totally different.
> Snort itself is a profession. Don't expect anyone
> on a news server to write a book about it.
>
>
I do not expect anyone to write a book; this is a group for asking
questions ONLY.
But some little howto should exist somewhere; if Snort can be
compiled as inline, it means that some human did that, so there
is supposed to be a howto for using it.
Re: Shorewall + SNORT
on 14.11.2006 01:13:41 by Boger
misiek wrote:
>
> Bit Twister wrote:
>> On Thu, 09 Nov 2006 15:23:38 -0600, misiek wrote:
>>> Hi
>>>
>>> I am looking for something to find an attacker's IP and block it in the firewall.
>>> I use Shorewall, and I just installed Snort, but I cannot find anything
>>> about how to make Snort talk to Shorewall, like if Snort
>>> finds attacker IPs, it says HEY SHOREWALL BLOCK IT "DO IT DO IT...!" and plus
>>> some notification would be awesome.
>>> I found snortsam but there is no howto for installing it on Gentoo. I also
>>> found snort_inline, but it seems it is not Snort but actually a separate package.
>>
>> Well, if it were me, I could append ip_whatever to
>> /etc/shorewall/blacklist and do a shorewall refresh.
>>
>> Of course that assumes you have enabled blacklist in interfaces net
>> options.
>>
>> Now think about that for a while. You can wind up with quite a list of
>> IP addresses.
>>
>> You could feed the ip addy to whois and get the NetRange: value and
>> use it instead.
>
> Yeah, true, so far I use this method, but I need something advanced; I
> also need some notification.
> Snort seems nice. I compiled Snort inline using the inline flag while
> emerging Snort, but I have no idea how to use it, because there
> is no howto.
> I found only snort_inline documentation, but it's a separate package and
> is totally different.
Snort itself is a profession. Don't expect anyone
on a news server to write a book about it.