Re: 'mirror' with iptables
thomas lakofski <email@example.com> writes:
[snip how I set up a box]
> > It's pretty rare that I see any abuse that gets as far down the chain
> > as to deserve human intervention.
> that looks pretty practical. have you considered looking at something
> like 'guardian' http://www.chaotic.org/guardian/ to do automated response
> to selected snort rules?
I've considered it, to some extent, but in my case I figured it's best just
to look at snort's logs in a bit more detail before blocking things left
right & center.
> it's clever enough to maintain a rolling window of blocking, so you don't
> end up with a huge packetfilter and stale dynamic addresses over time...
Whatever automated solution you find, it *must*:
a) allow me to specify some "must-not-block" networks/IP#s, eg upstream
b) allow me back in after a given amount of time
c) never block a valid user after a false alarm - just because my snort db
is filling up with `retransmission attempt's, it doesn't mean that every
IP# generating an alert wants blocking. (Yes, I've got some tweaking to
be doing :)
Cries of mercy rise like rockets |firstname.lastname@example.org
Through the paths of the redeemed |http://spodzone.org.uk/
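
[Added example, not part of the original message and not code from guardian or snort: a minimal sketch of a block policy that meets requirements (a) to (c) above and keeps the rolling window mentioned in the quoted reply. The class name, the rule ids and the addresses are constructed for illustration, and it only returns the iptables commands as strings rather than running them.]

```python
import ipaddress

class BlockPolicy:
    """Hypothetical policy: decides what to block and when to unblock."""

    def __init__(self, never_block, block_sids, ttl):
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.block_sids = set(block_sids)  # only these rule ids may trigger a block
        self.ttl = ttl                     # seconds a block stays in place
        self.blocked = {}                  # source address -> expiry time

    def on_alert(self, src, sid, now):
        """Return the iptables command for this alert, or None to do nothing."""
        addr = ipaddress.ip_address(src)   # ValueError on junk, so it never reaches a shell
        if sid not in self.block_sids:     # (c) noisy rules never block anyone
            return None
        if any(addr in net for net in self.never_block):  # (a) must-not-block
            return None
        known = str(addr) in self.blocked
        self.blocked[str(addr)] = now + self.ttl  # repeat alert refreshes the window
        return None if known else f"iptables -I INPUT -s {addr} -j DROP"

    def expire(self, now):
        """(b) Return delete commands for every block whose time is up."""
        due = sorted(ip for ip, t in self.blocked.items() if t <= now)
        for ip in due:
            del self.blocked[ip]
        return [f"iptables -D INPUT -s {ip} -j DROP" for ip in due]

# Constructed sample alerts: (time in seconds, source address, rule id).
# The rule ids are placeholders, not real snort signature ids.
SAMPLE_ALERTS = [
    (0,  "203.0.113.7",   1000001),  # selected rule: block
    (5,  "198.51.100.20", 1000002),  # noisy rule (e.g. retransmissions): ignore
    (10, "192.0.2.1",     1000001),  # upstream, inside a never-block net: ignore
    (20, "203.0.113.7",   1000001),  # repeat: extend the block, no duplicate rule
]

def replay(alerts, policy, end):
    """Feed alerts through the policy in time order; collect commands to run."""
    cmds = []
    for now, src, sid in alerts:
        cmds += policy.expire(now)
        cmd = policy.on_alert(src, sid, now)
        if cmd:
            cmds.append(cmd)
    return cmds + policy.expire(end)

if __name__ == "__main__":
    demo = BlockPolicy(["192.0.2.0/24"], {1000001}, ttl=600)
    print("\n".join(replay(SAMPLE_ALERTS, demo, end=700)))
```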