In a nutshell, this is a daemon that takes Snort alerts and blocks traffic from the infected host to the rest of the 'world' (this can be done by alert classification or on all alerts). It also inserts a rule in iptables to redirect all of the host's web traffic to a webserver of your choice (which can be local). It also has the _ability_ to _notify_ users via WinPopUp (needs smbclient and nmblookup).

WinPopUp and blocking based on alert classification type could cause some slowdown in the system when dealing with a large number of alerts. WinPopUp is more guilty of this than classification support, because I have to system() out to smbclient etc. to get it to send the message.

To install, you can try the included install script (install.sh) or you can follow the 'directions' below.

Included in this should be:

netsquid: The daemon that grabs the Snort alerts and generates the firewall ruleset. It normally lives in /usr/local/sbin (but this is not necessary), i.e. /usr/local/sbin/netsquid

netsquid.config: An example config file (looked for in /usr/local/etc/netsquid.config). Can be overridden with the -c command line switch.

Also, it is recommended that you create a file called netsquid.exclude in the location pointed to by the config file. This allows you to prevent certain IPs from ever being blocked. It is only used if it is defined in the config.

If you want, you can also remove all the DEBUG checks/support simply with `grep -v DEBUG netsquid > netsquid.new; mv netsquid.new netsquid` and voila, you save some instructions because you're not checking for DEBUG settings :)

Usage: ./netsquid -s -d -c
  -s : starts the snort process upon startup of the daemon
  -d : runs in the background
  -c : overrides the default location of /usr/local/etc/netsquid.config
  -h : prints usage
Unsupported:
  -D : sets the Debug level and will print out some information; doesn't work with -d

Official project page (for requirements etc.) is at: http://security.tamu.edu/db.html

Questions/Comments/Suggestions?
security@net.tamu.edu
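As an added example (not netsquid's own code), the following POSIX sh sketch shows the alert-to-ruleset step described above: a Snort alert_fast line is parsed for its source IP and classification, the netsquid.exclude list is consulted, and the quarantine rules (drop forwarded traffic, DNAT web traffic to a notice page) are emitted. The exclude-file path, the PORTAL address, the BLOCK_CLASSES filter and the exact rule shapes are assumptions for illustration; rules are printed rather than applied.

```shell
#!/bin/sh
# Added example, not netsquid's own code. Assumed settings (override via env):
EXCLUDE_FILE="${EXCLUDE_FILE:-/usr/local/etc/netsquid.exclude}"  # assumed path
PORTAL="${PORTAL:-192.0.2.10}"          # constructed: local notice webserver
BLOCK_CLASSES="${BLOCK_CLASSES:-}"      # pipe-separated classes; empty = all alerts

# alert_src LINE: source IP of a Snort alert_fast line (port is optional, e.g. ICMP)
alert_src() {
    printf '%s\n' "$1" | sed -n 's/.*} \([0-9.]*\)\(:[0-9]*\)\{0,1\} -> .*/\1/p'
}

# alert_class LINE: the "[Classification: ...]" text, empty if absent
alert_class() {
    printf '%s\n' "$1" | sed -n 's/.*\[Classification: \([^]]*\)\].*/\1/p'
}

# class_wanted CLASS: true if CLASS is in BLOCK_CLASSES, or the list is empty
class_wanted() {
    [ -z "$BLOCK_CLASSES" ] && return 0
    case "|$BLOCK_CLASSES|" in *"|$1|"*) return 0 ;; esac
    return 1
}

# is_excluded IP: true if IP is listed (one per line) in the exclude file
is_excluded() {
    [ -r "$EXCLUDE_FILE" ] && grep -qxF "$1" "$EXCLUDE_FILE"
}

# quarantine_rules IP: print the iptables commands for one infected host.
# -I inserts at the top, so DROP goes in first and the narrow ACCEPT to
# the portal ends up above it; the nat rule redirects the host's web traffic.
quarantine_rules() {
    printf 'iptables -I FORWARD -s %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD -s %s -d %s -p tcp --dport 80 -j ACCEPT\n' "$1" "$PORTAL"
    printf 'iptables -t nat -I PREROUTING -s %s -p tcp --dport 80 -j DNAT --to-destination %s:80\n' "$1" "$PORTAL"
}

# handle_alert LINE: print rules, or print nothing and return 1 when the
# line has no source IP, the class is not wanted, or the host is excluded
handle_alert() {
    src=$(alert_src "$1"); cls=$(alert_class "$1")
    [ -n "$src" ] || return 1
    class_wanted "$cls" || return 1
    is_excluded "$src" && return 1
    quarantine_rules "$src"
}
```

Piping the output into sh would apply the rules; a real daemon would also record what it blocked so the rules can be removed when the host is cleaned.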