This is the documentation for NetSQUID as seen on http://security.tamu.edu/db.html and http://freshmeat.net/projects/netsquid/

Introduction

NetSQUID was created as a way to take Snort alerts and generate a firewall rule set from them. It creates not a default blocking firewall, but instead one that blocks all of the alerting host's traffic (except for DNS, so hosts can still resolve) and reroutes its web traffic to a web server of the admin's choosing. This allows infected users to be notified that they are infected/compromised etc. It also associates an unblock time with each rule. This time is reset to the default each time an alert is generated; once alerts are no longer generated, the rule is allowed to expire, unblocking the user. The automatic blocking/unblocking/notification makes this a good low-administration option for fighting worms/viruses. It can also send out DHCP address requests, so combined with a Snort rule you can block/notify people running a DHCP server.

Features

* Dump/keep state on restart on a SIGUSR1
* Block on any alert generated by Snort
* Block based on a specific Snort rule classification
* Redirect blocked user web traffic
* Allow access to any or specific DHCP servers
* Syslog logging support
* Send out DHCP address requests
* User configurable block time
* User configurable DHCP packet time
* Email on DHCP server detection
* Exclude list

Devel Features

* Block based on Snort preprocessor information
* WinPopUp alerts to blocked users

Requirements

* Linux
  * IPTables support in kernel
* Snort
  * Must be configured for fast alerts
* Perl
  * 5.8.x tested
  * Compiled with threads
  * Modules
    * Config::Natural
    * IPTables::IPv4
    * Net::RawIP
* tail - Linux binary

Optional

* smbclient, nmblookup - Linux binaries
  * Required only if using WinPopUps
* Sendmail
  * Only if using email on DHCP server detection

Installing

netsquid: The daemon that grabs the Snort alerts and generates the firewall ruleset. Normally placed in /usr/local/sbin (but not necessary), i.e. /usr/local/sbin/netsquid

netsquid.config: An example config file (by default looked for in /usr/local/etc/netsquid.config). Can be overridden with the -c command line switch.

Just copy the netsquid file (make sure it is set executable) to /usr/local/sbin and the netsquid.config file to the location of your choosing. Also, it is recommended that you create a file called netsquid.exclude in the location pointed to by the config file. This allows you to prevent certain IPs from ever being blocked. It is only used if it is defined in the config.

If you want, you can also remove all the DEBUG checks/support simply with `grep -v DEBUG netsquid > netsquid.new; mv netsquid.new netsquid` and voila, you save some instructions because you're not checking for DEBUG settings :)

Usage

./netsquid -s -d -c

-s : starts the Snort process upon startup of the daemon
-d : runs in the background
-c : overrides the default config location of /usr/local/etc/netsquid.config
-h : prints usage

Unsupported:
-D : sets the debug level and will print out some information; doesn't work with -d

Other

Upgrading rules is as simple as adding new Snort signatures... *all you have to do is update your snort sigs*

Official project page is at: http://security.tamu.edu/db.html for requirements etc...

Questions/Comments/Suggestions? security@net.tamu.edu
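The blocking logic the Introduction describes (block on a Snort fast alert, reset the unblock timer on every new alert, let the rule expire once alerts stop, honour the exclude list and an optional classification filter, allow DNS and redirect web traffic to a notification server) as an added Python example; this is not NetSQUID's own Perl code. The alert lines, the notification server address 192.0.2.10, and the choice of FORWARD/DNAT rules on a gateway are assumptions for the demo.

```python
import re

# Constructed Snort "fast" alert lines for the demo (not from the page or the project).
SAMPLE_ALERTS = [
    "08/14-12:00:01.000 [**] [1:1000001:1] TEST worm probe [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1034 -> 192.168.1.10:445",
    "08/14-12:03:21.000 [**] [1:1000001:1] TEST worm probe [**] "
    "[Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 10.0.0.5:1035 -> 192.168.1.11:445",
    "08/14-12:05:00.000 [**] [1:1000002:1] TEST rogue DHCP [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 10.0.0.9:67 -> 255.255.255.255:68",
]

# Pull the classification and the source IP out of a fast-alert line.
FAST_ALERT_RE = re.compile(
    r"\[Classification: (?P<cls>[^\]]+)\].*?\{\w+\} (?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? ->"
)

class BlockTable:
    def __init__(self, block_time, exclude=(), classes=None, redirect_to="192.0.2.10"):
        self.block_time = block_time      # seconds a block lives after the last alert
        self.exclude = set(exclude)       # netsquid.exclude: never block these IPs
        self.classes = classes            # None = block on any alert
        self.redirect_to = redirect_to    # notification web server (assumed address)
        self.expiry = {}                  # src IP -> unblock time

    def process(self, line, now):
        """Return the IP blocked/renewed by this alert, or None if it was ignored."""
        m = FAST_ALERT_RE.search(line)
        if not m or m.group("src") in self.exclude:
            return None
        if self.classes is not None and m.group("cls") not in self.classes:
            return None
        src = m.group("src")
        self.expiry[src] = now + self.block_time   # every alert resets the timer
        return src

    def expire(self, now):
        """Remove hosts whose timer has run out; return them so their rules can be deleted."""
        gone = sorted(ip for ip, t in self.expiry.items() if t <= now)
        for ip in gone:
            del self.expiry[ip]
        return gone

    def rules(self, ip):
        """iptables commands for one blocked host: DNS allowed, web redirected, rest dropped."""
        return [
            f"iptables -A FORWARD -s {ip} -p udp --dport 53 -j ACCEPT",
            f"iptables -t nat -A PREROUTING -s {ip} -p tcp --dport 80 "
            f"-j DNAT --to-destination {self.redirect_to}:80",
            f"iptables -A FORWARD -s {ip} -d {self.redirect_to} -p tcp --dport 80 -j ACCEPT",
            f"iptables -A FORWARD -s {ip} -j DROP",
        ]
```

Rule order matters: the DNS and redirect ACCEPTs must be appended before the final DROP, and on expiry the same four rules are deleted with -D.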