[Oisf-users] IPS alternatives to Snort's guardian?

John Devine john.devine at nuspire.com
Wed Jan 27 21:55:24 UTC 2016


Sorry. Thanks.

________________________________________
From: Andreas Herz <andi at geekosphere.org>
Sent: Wednesday, January 27, 2016 4:46 PM
To: John Devine
Cc: oisf-users at lists.openinfosecfoundation.org
Subject: Re: [Oisf-users] IPS alternatives to Snort's guardian?

Please try to reply also to the mailing list, thanks.

On 27/01/16 at 21:38, John Devine wrote:
> Thanks, I will look into it. I am looking specifically for something that
> can work in tandem with Suricata which will create iptables firewall
> rules based on alerts that Suricata generates. Guardian is a perl
> script which creates iptables drop rules based on Snort alerts but
> does not have functionality to manually unblock things that were
> blocked through the alerts generated.

Well, you could also look into the unix-socket feature to gather that
information and then trigger ipset (which is something on my todo list).
But it looks like guardian just parses logfiles, which isn't that hard.
So you could build that logic and just have some iptables rule for a
blacklist set and when parsing the rules call ipset add blacklist $IP
timeout X.

>
> ________________________________________ From: Oisf-users
> <oisf-users-bounces at lists.openinfosecfoundation.org> on behalf of
> Andreas Herz <andi at geekosphere.org> Sent: Wednesday, January 27, 2016
> 4:16 PM To: oisf-users at lists.openinfosecfoundation.org Subject: Re:
> [Oisf-users] IPS alternatives to Snort's guardian?
>
> On 27/01/16 at 20:10, John Devine wrote:
> > Hi all,
> >
> > Currently I run snort as an IDS and guardian as an IPS. I am looking
> > for alternatives to guardian for IPS software because guardian does
> > not allow me to manually unblock specific IP addresses or change the
> > duration of which something is blocked without some hassle or custom
> > scripts. I have been messing around with Suricata and have
> > successfully got it running both in IDS and IPS mode and alerting
> > successfully. Right now I want to run Suricata as an IDS and have
> > some other open source software to run as my IPS. Are there any
> > decent alternatives to guardian.pl which allow me to manually
> > unblock specific IP addresses and change the length of time in which
> > something is blocked? I am looking for a good IPS 'companion' to run
> > in tandem with Suricata.
>
> I'm not familiar with guardian. Since you seem to use Debian, you
> might want to look into ipset, which would help you add IPs to a
> blacklist for a defined period of time.
>
> > Thanks in advance
>
> > _______________________________________________ Suricata IDS Users
> > mailing list: oisf-users at openinfosecfoundation.org Site:
> > http://suricata-ids.org | Support: http://suricata-ids.org/support/
> > List:
> > https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> > Suricata User Conference November 9-11 in Washington, DC:
> > http://oisfevents.net
>
>
> -- Andreas Herz _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support:
> http://suricata-ids.org/support/ List:
> https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> Suricata User Conference November 9-11 in Washington, DC:
> http://oisfevents.net

--
Andreas Herz
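An added example, not code from this thread or from the Suricata project, of the log-parsing approach sketched above: it reads Suricata EVE JSON alert lines (assumed as the log format), turns each distinct alerting source into an `ipset add ... timeout` command for an assumed set named `blacklist`, and provides the manual unblock as `ipset del`. The sample log lines are constructed, and commands are only printed unless `dry_run=False`.

```python
import json
import shlex
import subprocess

SET_NAME = "blacklist"  # assumed ipset name; create it with: ipset create blacklist hash:ip timeout 0
# and match it with:     iptables -I INPUT -m set --match-set blacklist src -j DROP

def parse_eve_alerts(lines):
    """Yield src_ip of every 'alert' record in Suricata EVE JSON lines; skip other events and junk."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated or non-JSON line in the log
        if isinstance(rec, dict) and rec.get("event_type") == "alert" and rec.get("src_ip"):
            yield rec["src_ip"]

def block_cmd(ip, timeout):
    # -exist makes re-adding an already blocked IP refresh its timeout instead of failing
    return ["ipset", "-exist", "add", SET_NAME, ip, "timeout", str(timeout)]

def unblock_cmd(ip):
    # manual unblock, the operation guardian lacks; -exist tolerates an already expired entry
    return ["ipset", "-exist", "del", SET_NAME, ip]

def alerts_to_commands(lines, timeout=3600, never_block=frozenset()):
    """Build one block command per distinct alerting source IP, skipping an allowlist."""
    cmds, seen = [], set()
    for ip in parse_eve_alerts(lines):
        if ip in never_block or ip in seen:
            continue
        seen.add(ip)
        cmds.append(block_cmd(ip, timeout))
    return cmds

def run(cmds, dry_run=True):
    """Print the commands, or execute them with dry_run=False (needs root and ipset installed)."""
    for cmd in cmds:
        if dry_run:
            print(shlex.join(cmd))
        else:
            subprocess.run(cmd, check=True)

# Constructed sample EVE lines (not real traffic): two alerts from one host, a non-alert
# event, an alert from a host that must never be blocked, and a corrupt line.
SAMPLE_EVE = """\
{"event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","alert":{"signature":"CONSTRUCTED test"}}
{"event_type":"flow","src_ip":"198.51.100.24","dest_ip":"192.0.2.10"}
{"event_type":"alert","src_ip":"192.0.2.1","dest_ip":"192.0.2.10","alert":{"signature":"CONSTRUCTED test"}}
{"event_type":"alert","src_ip":"198.51.100.23","dest_ip":"192.0.2.10","alert":{"signature":"CONSTRUCTED test"}}
this line is not JSON
"""

if __name__ == "__main__":
    run(alerts_to_commands(SAMPLE_EVE.splitlines(), timeout=600, never_block={"192.0.2.1"}))
    run([unblock_cmd("198.51.100.23")])
```

Keep the allowlist populated with your own gateway and monitoring hosts, since a spoofed-source alert would otherwise let an attacker make you block them.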



