NetSQUID is a Perl script (daemon) that sits in between Snort and IPTables. It gathers alerts generated by Snort, then automatically creates an IPTables firewall entry to block the alerting host (such as those infected by viruses). Web traffic is redirected to a Web server that can alert the user to the infection. The host is automatically unblocked after a specified time. It can also send DHCP address requests, so rogue DHCP servers can be detected by Snort.
| Field | Value |
|---|---|
| Tags | Networking, Firewalls, Security, Monitoring |
| Operating Systems | POSIX, Linux |
Release Notes: Some code cleanup and minor bugfixes. Re-adding previously blocked IPs was fixed. The way HTTP traffic is allowed to specific hosts (the NAT rules) has been fixed, which also means you can no longer redirect to more than one host.
Release Notes: The ability to allow for a 'pass through' HTTP server was added, so that all port 80 traffic will be redirected except to a specified server (perhaps a patch server or similar). Also, any IPs specified in either the DNS section or the HTTP section of the config file are automatically added to the exclude list, so they will not be blocked for any alert generated by them.
Release Notes: A few minor changes and some code cleanup. DNS rules that also allow TCP have been added, for things like zone transfers and hosts with large DNS records.
Release Notes: The ability to keep state on a restart has been added, so currently blocked hosts will get re-blocked after the daemon is restarted. There is some more code cleanup and an updated documentation/install script, and a startup script has been added.
Release Notes: This version adds blocking on a specific alert classification type, and network (CIDR) support in the exclude file. A config file option for specifying the location of sendmail was added, along with code cleanups, bugfixes, more documentation, and fixes for the install script.