soup4you2
July 22nd, 2003, 09:13
Here's a nice script I saw on deadly this morning... it takes evil Snort captures and blocks them through pf

Now, can anybody who knows Perl convert it to ipfw?

[code:1:24dfc95740]
#!/usr/bin/perl
# snort2pf.pl v2.0 :: automagically block naughty hosts
# Written by Stephan Schmieder <http://www.unix-geek.info>, 2003
#
# Depends: pf(4), snort(8), logtail(8)
# Usage: ./snort2pf.pl&

#
# you need an anchor called "snort2pf" in /etc/pf.conf ("anchor snort2pf")
#

use strict;
use warnings;
use diagnostics;

# <configuration>
my $alertfile  = q{/var/log/snort/alert};          # snort alert log, read via logtail
my $pfctl      = q{/sbin/pfctl};
my $logtail    = q{/usr/local/bin/logtail};        # logtail from log[check|sentry]
my $dont_block = q{192.168.101.23,192.168.101.2};  # never block these ips (comma-separated)
my $amnesty    = 180;                              # unblock hosts after X seconds; 0 disables
# </configuration>


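my %bad_hosts;    # blocked ip => epoch time it was blocked (consumed by unblock)

initalize();

# Main loop: poll once a second. logtail(8) prints only the lines appended
# to the alert file since its previous run, so each pass sees new alerts only.
while (sleep(1)) {
    if ($amnesty) {
        unblock(time - $amnesty);
    }
    # List-form pipe open with a lexical handle: logtail is exec'd directly,
    # so the configured paths are passed as literal arguments and are never
    # re-parsed by a shell. (The original also reused the special DATA handle.)
    open(my $alerts, '-|', $logtail, $alertfile)
        or die("Can't open logtail pipe($!)\n");
    while (defined(my $ip = <$alerts>)) {
        chomp $ip;
        next unless $ip;
        $ip = check_for_attack($ip);
        $ip = check_for_portscan($ip);
        # Only a bare dotted quad survives the stripping above; anything else
        # (an alert format we don't parse) is ignored rather than handed to
        # pfctl. \A/\z instead of ^/$ so a trailing newline cannot sneak past.
        if ($ip =~ /\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/) {
            block($ip);
        }
    }
    # A failed close on a pipe means logtail exited abnormally; keep running.
    close($alerts) or warn("logtail pipe closed with errors($!)\n");
}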

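# Startup checks: verify the configured paths are usable, then run logtail
# once and discard its output so that alerts already present in the log are
# not acted upon by the first pass of the main loop. Dies if a path check
# or the logtail pipe fails.
sub initalize {
    if (!-r $alertfile) { die("\"$alertfile\" is not readable"); }
    if (!-x $pfctl)     { die("\"$pfctl\" is not executeable"); }
    if (!-x $logtail)   { die("\"$logtail\" is not executeable"); }
    # List-form open: no shell involved, lexical handle instead of DATA.
    open(my $alerts, '-|', $logtail, $alertfile)
        or die("Unable to ignore old alerts($!)\n");
    # Drain the pipe; the old alert lines themselves are deliberately dropped.
    while (defined(my $discard = <$alerts>)) { }
    close($alerts) or warn("logtail exited abnormally while ignoring old alerts($!)\n");
    return;
}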

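# Reduce a snort attack alert line of the form
#   MM/DD-hh:mm:ss.uuuuuu SRC[:port] -> DST[:port]
# to just SRC. Lines without the leading timestamp are returned unchanged
# so the caller can try another parser.
#
# Works on a copy of the argument: the original edited $_[0] in place, and
# @_ elements alias the caller's variables.
sub check_for_attack {
    my ($line) = @_;
    my $timestamp = qr{[0-9]{2}/[0-9]{2}-[0-9]{2}:[0-9]{2}:[0-9]{2}\.[0-9]{6} };
    if ($line =~ $timestamp) {
        $line =~ s/$timestamp//;
        # drop "[:port] -> DST[:port]", leaving only the source address
        $line =~ s/(?::[0-9]{1,5})? -> [0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}\.[0-9]{0,3}(?::[0-9]{1,5})?//;
    }
    return $line;
}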

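# Reduce a snort spp_portscan alert line of the form
#   [**] [NNN:N:N] spp_portscan: PORTSCAN DETECTED from SRC (THRESHOLD ...) [**]
# to just SRC. Lines without the spp_portscan prefix are returned unchanged.
#
# Works on a copy of the argument: the original edited $_[0] in place, and
# @_ elements alias the caller's variables.
sub check_for_portscan {
    my ($line) = @_;
    my $prefix = qr/\[\*\*\] \[[0-9]{3}:[0-9]:[0-9]\] spp_portscan: PORTSCAN DETECTED from /;
    if ($line =~ $prefix) {
        $line =~ s/$prefix//;
        # drop the trailing threshold description and closing marker
        $line =~ s/ \(THRESHOLD [0-9]{1,5} connections exceeded in [0-9]{1,5} seconds\) \[\*\*\]//;
    }
    return $line;
}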

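# Block $ip with a "block in quick" rule loaded into the per-host anchor
# snort2pf:$ip, and record the block time so unblock() can lift it after
# $amnesty seconds. Addresses listed in $dont_block are left alone.
# Dies if pfctl cannot be started or rejects the rule.
sub block {
    my ($ip) = @_;
    # Exact match against the comma-separated whitelist. The original tested
    # $dont_block !~ /$ip/: with the dots unescaped and substring semantics,
    # an address such as 192.168.1.1 matched "192.168.101.23" and was never
    # blocked, and any prefix of a listed address was exempt as well.
    my %never_block = map { $_ => 1 } split /\s*,\s*/, $dont_block;
    return if $never_block{$ip};

    $bad_hosts{$ip} = time;
    # List-form open: pfctl is exec'd directly, so $ip and the anchor name
    # are passed as arguments and never interpreted by a shell.
    open(my $pf, '|-', $pfctl, '-a', "snort2pf:$ip", '-f', '-')
        or die("Can't open pfctl pipe($!)\n");
    print {$pf} "block in quick from $ip to any\n";
    # pfctl reports a rejected ruleset via its exit status, surfaced at close.
    close($pf) or die("Can't write to pf pipe($!)\n");
    return;
}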

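# Lift the block on every host whose block time is at or before $cutoff
# (epoch seconds) by flushing its snort2pf:$ip anchor, and forget it.
# Called from the main loop with time - $amnesty.
sub unblock {
    my ($cutoff) = @_;
    # keys() returns a copy, so deleting inside the loop is safe.
    for my $ip (keys %bad_hosts) {
        next if $bad_hosts{$ip} > $cutoff;
        delete $bad_hosts{$ip};
        # Use the configured $pfctl (the original ran a bare "pfctl" found via
        # $PATH) and list form so nothing is re-parsed by a shell. A failed
        # flush leaves the host blocked in pf; warn rather than die so the
        # daemon keeps processing alerts.
        if (system($pfctl, '-a', "snort2pf:$ip", '-F', 'rules') != 0) {
            warn("Can't flush anchor snort2pf:$ip (pfctl exit status $?)\n");
        }
    }
    return;
}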
[/code:1:24dfc95740]

bsdjunkie
July 22nd, 2003, 09:31
This would be trivial to convert to ipf, as long as ipf has a tool like pfctl with which the ruleset can be updated on the fly. If there is something like that, let me know. :wink: