SourceFiles.org - Use the Source, Luke

In a nutshell, netsquid is a daemon that reads snort alerts and blocks traffic from the alerting (infected) host to the rest of the 'world'. Blocking can be triggered by alert classification or on every alert. It also inserts an iptables rule that redirects all of that host's web traffic to a web server of your choice (which can be local), so the user lands on a page explaining why they were cut off instead of a dead connection. It can additionally notify the user via WinPopUp (requires smbclient and nmblookup).

WinPopUp notification and blocking based on alert classification can both slow the daemon down when it is dealing with a large number of alerts. WinPopUp is the worse offender of the two, because I have to system() out to smbclient etc. to get the message sent, and that fork/exec happens once per alert.

To install, you can try the included install script (install.sh) or ... you can follow the 'directions' below.

Included in this should be:

netsquid: The daemon that grabs the snort alerts and generates the firewall ruleset.
     It normally lives in /usr/local/sbin (but that is not required),
     i.e. /usr/local/sbin/netsquid

netsquid.config: An example config file (looked for in /usr/local/etc/netsquid.config).
     The location can be overridden with the -c command line switch.

It is also recommended that you create a file called netsquid.exclude at the location pointed to by the config file. It lists IPs that must never be blocked (your gateway, DNS servers, the web server you redirect to, and so on), so a false positive on one of them cannot take the network down with it. The exclude file is only consulted if its location is defined in the config; if it is not, every alerting host is a candidate for blocking.
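To make the per-alert decision described above concrete (parse the alert, honour the exclude list, filter on classification, then isolate the host and divert its HTTP), here is an added example in POSIX sh. It is not netsquid's own code: netsquid's real alert parser, config keys and rule layout are not shown on this page, so the snort "fast" alert format, the exclude-file layout (one IP per line, '#' comments), the classification names and the redirect web server IP are all assumptions. The iptables commands are printed rather than executed, so it runs unprivileged; on a real gateway you would pipe the output to sh.

```shell
#!/bin/sh
# Added illustration, not netsquid's own code. Prints (does not apply) the
# iptables rules needed to isolate an alerting host and redirect its HTTP.
# Assumed: snort "fast" alert format, exclude file layout, class names, web IP.

# Constructed sample alerts in snort's fast format (not real captured output).
SAMPLE_ALERT='01/02-03:04:05.678901  [**] [1:2000:1] ET TROJAN check-in [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:1025 -> 192.0.2.10:80'
SAMPLE_ALERT_EXCLUDED='01/02-03:04:06.000000  [**] [1:2001:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.0.2.10'

# Constructed exclude list standing in for netsquid.exclude (assumed layout).
EXCLUDE_FILE=$(mktemp)
printf '%s\n' '# hosts never to be blocked' '10.0.0.1' '10.0.0.9' > "$EXCLUDE_FILE"

# Classifications that trigger a block, one per line; empty means block on every alert.
BLOCK_CLASSES='A Network Trojan was detected
Attempted Administrator Privilege Gain'

# Source IP of an alert: the address after "{PROTO} ", with or without a port.
snort_src_ip() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\)[: ].*/\1/p'
}

# Classification text of an alert.
snort_classification() {
    printf '%s\n' "$1" | sed -n 's/.*\[Classification: \([^]]*\)\].*/\1/p'
}

# Succeeds if IP appears as a whole line in the exclude file (comments ignored).
is_excluded() {
    [ -f "$2" ] && grep -v '^#' "$2" | grep -qxF "$1"
}

# Succeeds if the classification is on the block list, or the list is empty.
should_block() {
    [ -z "$BLOCK_CLASSES" ] || printf '%s\n' "$BLOCK_CLASSES" | grep -qxF "$1"
}

# Print the iptables commands that isolate IP and send its port-80 traffic to WEB.
block_rules() {
    ip=$1; web=$2
    # DNAT happens in PREROUTING, before FORWARD sees the packet, so the FORWARD
    # ACCEPT matches on the rewritten destination (the web server).
    printf 'iptables -t nat -I PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s\n' "$ip" "$web"
    # Each -I puts its rule at the top, so emit DROP first: the ACCEPT emitted
    # after it lands above it, and the redirected HTTP still gets through.
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$ip"
    printf 'iptables -I FORWARD -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' "$ip" "$web"
}

# Full per-alert decision: parse, apply exclude list and class filter, emit rules.
handle_alert() {
    alert=$1; exclude=$2; web=$3
    ip=$(snort_src_ip "$alert")
    [ -n "$ip" ] || return 0
    is_excluded "$ip" "$exclude" && return 0
    should_block "$(snort_classification "$alert")" || return 0
    block_rules "$ip" "$web"
}

handle_alert "$SAMPLE_ALERT" "$EXCLUDE_FILE" 192.0.2.1            # three rules for 10.0.0.5
handle_alert "$SAMPLE_ALERT_EXCLUDED" "$EXCLUDE_FILE" 192.0.2.1   # nothing: 10.0.0.9 is excluded
```

The rule order matters: with -I, a DROP inserted after the ACCEPT would shadow it and the redirect page would never load. Also note that the redirect target should itself be in the exclude list, since an alert with that server as source would otherwise cut off the page everyone is being sent to.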

If you want, you can also remove all the DEBUG checks/support simply with `grep -v DEBUG netsquid > netsquid.new; mv netsquid.new netsquid` and voilà, you save some instructions because you are no longer checking for DEBUG settings :) Keep a copy of the original first: grep -v drops every line that mentions DEBUG anywhere, so this only works as long as each piece of debug handling is a single self-contained line.

Usage

./netsquid -s -d -c <config file>

-s : starts the snort process upon startup of the daemon
-d : runs in the background
-c <config file> : overrides the default location of /usr/local/etc/netsquid.config
-h : prints usage

Unsupported:
-D <number> : sets the debug level and prints out some extra information
     (does not work together with -d)

The official project page, including requirements, is at:
http://security.tamu.edu/db.html

Questions/Comments/Suggestions?
security@net.tamu.edu

Copyright 2006 Sourcefiles.org All rights reserved.