README

Sniff2ban scans traffic through a given interface for nasties by performing
real-time scanning of your network.

Sites can be whitelisted.

Usage:
	sniff2ban [-d] [-k] [-s] [-t seconds] [-v] [-S program1] [-S program2...] [-w IPv4address1[/mask]] [-w IPv4address2[/mask]...] [-p pidfile] [-V] [-W] [ socket ] [ interface ]

-d:	Block (iptables DROP) sites sending us malware
-k:	Kill the program sending/receiving the malware (needs netstat which support -W)
-m:	When --enable-dovecot-scanning or --enable-ssh-scanning is given, this
		is the maximum number of incorrect password attempts. The
		default is 3.
-p:	Write a pidfile for monit(1) or puppet(1)
-S:	Don't kill this program
-s:	Don't drop ourself (i.e. whitelist "interface")
-t:	Consider a connection to be closed after this number of seconds of
		inactivity have elapsed (default 60).  If you see a lot of
		'already exists' errors on the console you may like to consider
		reducing this value, though don't reduce it too much or else
		you could risk false negatives
-T:	Temporary directory
-v:	Verbose -vv for more verbosity
-V:	Print the version of sniff2ban
-w:	Don't block (whitelist) this IP address
-W:	Don't scan whitelisted IP addresses
socket:		Means to talk to clamd: /full/path/name OR hostname:port, if
			not given it is determined from clamd.conf, if that file
			exists
interface:	Interface to listen to (e.g. eth0), if not given we try to
			guess

If "socket" and/or "interface" aren't given it will take a guess, but it may
get them wrong so it's best to be explicit. LIBPCAP is needed to guess the
interface.

You are urged to keep this product up-to-date.  The best way is to checkout the
latest version from the GIT repositary about once a day:
	git clone https://github.com/nigelhorne/sniff2ban.git

On systems other than Linux you must use libpcap.  On Linux it's use is
encouraged but not mandatory. To use LIBPCAP on Debian Linux you must first
install the libpcap-dev package; on Fedora you must first install the
libpcap-devel package.
If you don't install it, you'll need to give the interface argument.

On Debian, netstat is provided by the net-tools package.

Tested on Linux2.6, FreeBSD7.0, Solaris10, OpenBSD4.2 and NetBSD4.0.

On Linux I have used both tinycc and gcc.

To build with tinycc:
	CFLAGS="-Wall -g -bt 20" CPPFLAGS= CXXFLAGS= CC=tcc ./configure
	automake --add-missing
	make
	sudo make install

On Solaris10 I have used cc and gcc. You can get libpcap and lsof from
http://www.sunfreeware.com/.

Whitelisted IPs are tracked and reported.

I put this into /etc/rc.local (212.159.0.0 is my ISP which houses secondary MXs
so I don't want to blacklist it):
	sniff2ban -d -s -vv -w 212.159.0.0/19 -W /var/run/clamav/clamd.sock&

If you're using TCP to connect to clamd you need to give a hostname:port pair,
e.g. localhost:3310.

Works well with the Sanesecurity signatures to stop spammers, see
http://www.sanesecurity.co.uk/. Very often, after a spam is sent a copy of the
same one is sent from the same client, sniff2ban will use your firewall to
prevent that.

Since the software plays around with system files you MUST run as root.

To enable HTTP scanning on Debian:
	./configure --enable-http-scanning=/etc/apache2/sites-enabled

To enable Dovecot scanning on Debian:
	./configure --enable-dovecot-scanning=/var/log/syslog

There is also an --enable-ssh-scanning option, however I suggest you do NOT
enable it for now because the code hasn't been hardened or optimised.
	./configure --enable-ssh-scanning=/var/log/auth.log

To enable SMTP brute force detection (not currently implemented)
	./config --enable-smtp-scannint=/var/log/mail.log

If you see lots of send errors, the chances are that clamd is timingout. In
this case, increase ReadTimeout and CommandReadTimeout in clamd.conf to
86400 (1 day) and restart clamd and sniff2ban.

If you can't get configure && make to work because of an autoconf issue,
try the following commands before rerunning configure:
	autoscan
	aclocal
	autoheader
	autoconf
	automake
	ln -s /usr/share/automake-1.16/compile .