I just installed this IDS thingy and it's doing what it's supposed to do. The "Guardian" part of it (http://www.chaotic.org/guardian/) is also doing what it's supposed to do (block the IP address of the "attacker" for 24 hours).
I just wanted to point out to anyone who fits into any of the following categories that the default setup may need a bit of tweaking:
- you host public websites you want spidered by search engines
- you host your own primary dns which you want seconded by an external nameserver
By default, Snort & Guardian will:
- block any ip (for 24 hours) that asks for your robots.txt file
(edit /etc/web-misc.rules)
- block any ip (for 24 hours) that attempts a dns zone transfer
(edit /etc/dns.rules)
This is probably all fine and good for the majority that don't run dns or web - although even for them, the ports would not be open so why would you monitor?
Also I was surprised that the snort rules weren't templated... although I guess the automatic updating of the rules could have something to do with that. Actually, with that in mind, I wonder what will happen to the rules I have turned off once the weekly rule update happens?
G
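As an added example, not part of the original post and not code from Snort or Guardian: a small POSIX shell script that keeps a list of the SIDs you have chosen to silence and re-comments them after each rule update, so the weekly refresh does not quietly turn them back on. The rules file, rule text and SIDs below are constructed for the demo.

```shell
#!/bin/sh
# Added example: re-apply local "disabled rule" decisions to a Snort rules
# file after an automatic rule update. Sample rules and SIDs are constructed.
set -eu

WORK=$(mktemp -d)
RULES="$WORK/web-misc.rules"      # stands in for /etc/web-misc.rules
DISABLED="$WORK/disabled.sids"    # your persistent list of silenced SIDs

# Constructed sample rules file (SIDs are placeholders, not real Snort SIDs).
cat >"$RULES" <<'EOF'
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC robots.txt access"; uricontent:"/robots.txt"; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-MISC .htaccess access"; uricontent:".htaccess"; sid:9000002; rev:1;)
EOF

# Constructed SID list: one SID per line, '#' comments allowed.
cat >"$DISABLED" <<'EOF'
# rules that fire on legitimate traffic for this host (search-engine spiders)
9000001
EOF

# disable_sids RULES_FILE SID_FILE
# Comments out every active "alert" rule whose sid appears in SID_FILE.
# Idempotent: rules that are already commented out are left untouched, so it
# is safe to run from cron right after the rule update finishes.
disable_sids() {
  rules=$1; sids=$2
  grep -v '^[[:space:]]*#' "$sids" | grep -v '^[[:space:]]*$' | while read -r sid; do
    sed "s/^\(alert .*sid:$sid;\)/# \1/" "$rules" >"$rules.tmp" && mv "$rules.tmp" "$rules"
  done
}

# count_active RULES_FILE -> number of rule lines still active (not commented)
count_active() {
  grep -c '^alert ' "$1" || true
}

disable_sids "$RULES" "$DISABLED"
count_active "$RULES"   # prints 1: robots.txt rule silenced, .htaccess rule kept
```

Point `RULES` and `DISABLED` at the real files and run it after the update job; Snort needs a reload (or restart) afterwards for the change to take effect.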