================== guardian2 =================
# Active IP blocker on iptables firewall with Snort,
# and a general syslog parser and responder
# Yunliang Yu 2/2005.
# Based on guardian-1.7. http://www.chaotic.org/guardian/
#
# Copyright (C) 2005, Yunliang Yu
#
# This program is released under GPL.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#

To use this program, all you have to do is to unpack it in a directory
and run ./guardian2 -d, or run it as a daemon by not using the '-d'
option. Add the '-a' option to watch over entire syslog files. Please
see the usage info in the program file 'guardian2' and the conf file
'guardian.conf' for more detail. Use the '-D' option to play around.

The sample guardian.conf, guardian.rule, guardian.ignore and *.sh files
are for demo only; you have to modify them to make guardian2 fit your
needs (or do anything useful at all:).

-yu

Last update: Tue Jun 13 10:09:20 EDT 2006

======================================================================

Guardian2 watches over the snort or syslog files and responds with a
pre-defined action whenever a match with any of your rules occurs.
It's based on guardian-1.7, http://www.chaotic.org/guardian/ , and it
has the following features:

* it can watch over multiple log files at the same time
* it has full regex support for easy configuration
* flexible match for hosts/ports to make it possible to parse other
  log files
* each rule can have multiple thresholds and throttling
* each rule and track can optionally run any configured perl code upon
  each match and/or before executing the action
* thresholds can be target-host based or port based
* each rule can be overridden for any hosts; global overrides are also
  supported
* tracking can be attached to a rule to track remote hosts' activities
* each rule can have a tag to let you customize the blocking script
  easily
* guardian2 on multiple hosts can communicate via the PullCommand. For
  example, your syslog server can track those hosts blocked on the
  firewall
* it tries hard not to block any important hosts on the network:)
* it handles log rotations gracefully
* '-D' option for you to play around without causing any harm:)

The following line is an interesting example in the sample .rule file:

    Invalid user \S+ from +++ 10/30 50/8h ==> ${FW} 6h

which will inform the firewall to block the remote host for 6 hours if
we get at least 10 'Invalid user...' entries from that host within 30
seconds, or 50 entries within 8 hours. And,

    Room temperature (\S+) degrees +++ ==> ${EMAIL} perl: ${1}>39.5; end;

which will email you when the room temperature is above 39.5.

The package is available, as a .tar.gz file, at:

    http://www.math.duke.edu/~yu/guardian2/

See 'guardian.conf' for more configuration info.

======================================================================
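As an added example (not guardian2's own code, which is Perl), the following Python sketch implements the behaviour the two rule lines above describe: COUNT/WINDOW thresholds counted per remote host over a sliding window, a throttle so a host already under an action is not acted on again until that action expires, a condition callback standing in for the 'perl: ...; end;' hook, and an ignore set standing in for guardian.ignore. The threshold grammar (seconds, or an 'h' suffix for hours), reading '+++' as the remote-host field, and treating guardian.ignore as a list of hosts never acted upon are assumptions drawn from the README prose rather than from guardian2's parser; the syslog lines are constructed and use documentation addresses.

```python
"""Sliding-window threshold matching in the style of the guardian2 rules
quoted in the README. Added illustration in Python; guardian2 itself is
Perl and this is not its code. Assumed grammar (from the README prose,
not from guardian2's parser): each threshold is COUNT/WINDOW, WINDOW in
seconds or with an 'h' suffix for hours; '+++' marks the remote host."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_window(spec):
    """'30' -> 30 seconds, '8h' -> 28800 seconds (assumed suffix grammar)."""
    m = re.fullmatch(r"(\d+)([smhd]?)", spec)
    if not m:
        raise ValueError(f"bad window spec: {spec!r}")
    return int(m.group(1)) * UNIT[m.group(2)]


def parse_syslog_ts(line, year=2006):
    """Classic syslog prefix 'Jun 13 10:09:20' carries no year; one is assumed."""
    return datetime.strptime(line[:15], "%b %d %H:%M:%S").replace(year=year)


class ThresholdRule:
    """One rule: regex with a '+++' host marker, thresholds, action duration,
    and an optional condition (stand-in for the 'perl: ...; end;' hook)."""

    def __init__(self, pattern, thresholds, action_seconds, condition=None):
        # '+++' is assumed to stand for the remote host; make it a capture group
        self.regex = re.compile(pattern.replace("+++", r"(?P<host>\S+)"))
        self.thresholds = [(int(c), parse_window(w))
                           for c, w in (t.split("/") for t in thresholds)]
        self.action_seconds = action_seconds
        self.condition = condition
        self.hits = defaultdict(deque)   # host -> timestamps of matching lines
        self.blocked_until = {}          # host -> end of the current action

    def feed(self, ts, line):
        """Return the host to act on if this line trips the rule, else None."""
        m = self.regex.search(line)
        if not m or (self.condition and not self.condition(m)):
            return None
        host = m.groupdict().get("host", "*")
        until = self.blocked_until.get(host)
        if until is not None and ts < until:
            return None   # action still in force for this host: throttle repeats
        q = self.hits[host]
        q.append(ts)
        longest = max((w for _, w in self.thresholds), default=0)
        while q and (ts - q[0]).total_seconds() > longest:
            q.popleft()   # drop hits older than the widest window
        # no thresholds at all means every (condition-passing) match fires
        tripped = not self.thresholds or any(
            sum(1 for t in q if (ts - t).total_seconds() <= w) >= c
            for c, w in self.thresholds)
        if not tripped:
            return None
        self.blocked_until[host] = ts + timedelta(seconds=self.action_seconds)
        q.clear()
        return host


def run(rule, lines, ignore=frozenset()):
    """Feed syslog lines through a rule and return the [(host, seconds)]
    actions it would take, like guardian2's '-D' dry run. 'ignore' models
    guardian.ignore (assumed here to mean hosts never acted upon)."""
    actions = []
    for line in lines:
        host = rule.feed(parse_syslog_ts(line), line)
        if host and host not in ignore:
            actions.append((host, rule.action_seconds))  # a real run calls ${FW} here
    return actions


def sample_log():
    """Constructed syslog lines (documentation addresses, not real hosts)."""
    lines = [f"Jun 13 10:09:{2 * i:02d} fw sshd[2201]: Invalid user admin from 203.0.113.7"
             for i in range(10)]                      # 10 failures within 18 seconds
    lines += [f"Jun 13 10:{10 + 2 * i}:00 fw sshd[2205]: Invalid user test from 198.51.100.5"
              for i in range(3)]                      # 3 failures, under every threshold
    lines.append("Jun 13 10:20:00 fw sshd[2210]: Invalid user root from 203.0.113.7")  # inside the 6h block
    lines.append("Jun 13 10:20:01 fw kernel: eth0: link up")   # unrelated line, no match
    return lines


SSH_RULE = ThresholdRule(r"Invalid user \S+ from +++", ["10/30", "50/8h"], 6 * 3600)

if __name__ == "__main__":
    print(run(SSH_RULE, sample_log()))   # [('203.0.113.7', 21600)]
```

The first 203.0.113.7 line past the 10-in-30-seconds threshold produces one action; the later line from the same host falls inside the six-hour action and is throttled, and the three scattered failures from 198.51.100.5 never reach either threshold. The ignore set is checked at action time, so a listed host is counted but never acted upon, which is the behaviour a firewall responder needs for hosts it must never block.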