Topic: Howto: Change the email you get from Snort/Guardian

[LucL]

Hello,

I'm hoping someone will help me complete the last part of this puzzle.  I want to send the reason the firewall was triggered in the email: Firewall rules updated

I was combing the web one day and came across these mods.  Below are changes I made to two of the perl scripts.  

    ----------------
 /usr/local/bin/guardian.pl
sub ipchain {
  my ($source, $dest, $type) = @_;
  &write_log ("$source\t$type\n");
  if ($hash{$source} eq "") {
    &write_log ("Running '$blockpath $source $interface'\n");
    system ("$blockpath $source $interface \"$type\"");
    $hash{$source} = time() + $TimeLimit;
  } else {
    # We have already blocked this one, but snort detected another
attack. So
    # we should update the time blocked..
    $hash{$source} = time() + $TimeLimit;
  }
}
   ---------------
 /bin/guardian_unblock.sh
source=$1
interface=$2
alert=$3  <---{added}

/sbin/ipchains -I input -s $source -i $interface -j DENY

echo "The Snort-Guardian service has updated your firewall rules by
blocking th$

This IP address will be blocked for 24 hours unless the server is
rebooted.

$alert  <---{added}

For detailed information: /var/log/guardian.log
                          /var/log/snort/alert

" | mail -s "Firewall rules updated" admin
-----

And wouldn't you know it doens't work.  I know a bit of perl and so I think my problem is here, but I dont know enough about IPChains to know whats going on here:
/sbin/ipchains -I input -s $source -i $interface -j DENY

[LucL]

I changed this line:
system ("$blockpath $source $interface \"$type\"");

To read:
system ("$blockpath $source $interface $type");

And someone suggested I change:
/sbin/ipchains -I input -s $source -i $interface -j DENY

To read:
/sbin/ipchains -D input -s $source -i $interface -j DENY

But they never explained why D instead of I . . .

The alert now gets printed in the email,  if I can just figure out why it sends me two messages for each alert . . .

[LucL]

Here's the other mods, I quickly realized the guardian block is for when the firewall blocks and IP and the guardian un block is for when the firewall releases the IP.

--------------------------
/bin/guardian_unblock.sh
--------------------------
#!/bin/sh

# this is a sample unblock script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#  unblock.sh
# and the script will issue a command to remove the block that was created with # block.sh address.
source=$1
interface=$2

/sbin/ipchains -I input -s $source -i $interface -j DENY
# /sbin/ipchains -D input -s $source -i $interface -j DENY new

echo "The Snort-Guardian service has updated your firewall rules by
un-blocking the IP address $source on interface $interface

For detailed information: /var/log/guardian.log
                          /var/log/snort/alert

" | mail -s "Firewall rules updated" admin

---------------------------
/bin/guardian_block.sh
--------------------------

#!/bin/sh

# this is a sample block script for guardian. This should work with ipchains.
# This command gets called by guardian as such:
#  guardian_block.sh
# and the script will issue a command to block all traffic from that source ip
# address. The logic of weither or not it is safe to block that address is
# done inside guardian itself.
source=$1
interface=$2
alert=$3

/sbin/ipchains -D input -s $source -i $interface -j DENY

echo "The Snort-Guardian service has updated your firewall rules by
blocking the IP address $source on ethernet interface $interface

This IP address will be blocked for 24 hours unless the server is rebooted.

Trigger: $alert

For detailed information: /var/log/guardian.log
                          /var/log/snort/alert

" | mail -s "Firewall rules updated" admin


===========================
This is what the email I get looks like (I still get multiple copies).
-----
The Snort-Guardian service has updated your firewall rules by
blocking the IP address 127.0.0.1 on ethernet interface eth1

This IP address will be blocked for 24 hours unless the server is rebooted.

Trigger: [1:528:4] BAD-TRAFFIC loopback traffic

For detailed information: /var/log/guardian.log
                          /var/log/snort/alert

[George]

LucL wrote:

> sub ipchain {
...

If you care about security, why are you still using version 5.5 (or earlier)?

G.

[jeroen]

LucL wrote:

> The alert now gets printed in the email,  if I can just
> figure out why it sends me two messages for each alert . . .

Do you have two instances running?

[LucL]

jeroen wrote:
>
> Do you have two instances running?

Sorry, can you let me know how to check for that?  

I stop and start the Guardian service everytime I make a change so I assume there is not more than one thread.  But, I did do some heavy upgrades to the newest Snort a few weeks ago and I was worried some stuff would not 'uninstall' properly before I installed the newer software.

And George, 5.6 doesn't support the 3Com NIC's I have.   I've hardened the system to the extent that is needed but thank you for your contribution. If the non-beta 6.0 version still includes this 'bug', I'll just have to find another Linux.

[LucL]

Ok, I checked to see if there was more than one instance, by: ps -aux | grep guardian.pl and it returned one line.  So if there was more than one instance there would be several lines right?

[Dave]

Just a simple question.

How do you stop and then start Guardian again.

Cheers

Dave