Downloads

The Autoshun Shun List
- CSV
- HTML
Autoshun Plugin
Snort p0f Plugin
- Snort p0f plugin
- MD5 Sums
Pepper Jack's Recommendations. This is a Snort source tree with p0f, timeofday, dayofweek, bastardlist, snortsam, and autoshun plug-ins already built-in.
- Prepatched snort-2.6 source tree
- Prepatched snort-2.8 source tree
Pepper Jack's Snort plug-ins
- Documentation for the p0f, tod, dow, and Bastard plugins
- Sample Rules for all plug-ins
Interesting snort rulesets
Old arachnids stuff, just to see how it used to be done
- vision.conf 422 rules from October 2000
- vision18.conf the last (I think) ruleset from arachnids, 545 rules from July 2001
Pepper Jack's LibChart-1.2 patches. The charts on this page were made (mostly) with libchart. I had to make some changes to libchart in order to get the vertical aspect ratio and the stacked line charts. Here is the patch. Or if you prefer, the already patched PHP source code.
- Patch File
- Prepatched Version (tgz)

Please visit our Sponsors

Afferent Security Labs

Integrated Corporate Solutions, Inc.

Risk Analytics

Useful Links

Legal

Autoshun is a registered trademark of Afferent Security Labs, LLC

Snort is a registered trademark of Sourcefire.

Install Doc

Compile snort 2.4, snort 2.6, or snort 2.8 on your IDS. Make sure it works the way you think it should. For help getting snort working visit http://www.snort.org

Write down the following items:

Parameters on your configure command

Location of your snort.conf file (Usually /etc/snort.conf)

Location of your Rule Path (Frequently /etc/snort/rules, but it could be anything)

Location of your snort executable (Frequently it's /usr/local/bin/snort, but yours could be anything.)Try which snort or check the snort initialization script.

Download the Snort source code patch into your Snort directory; example /install/snort-2.4.5.,

Snort Version 2.4 - Download

Snort Version 2.6 - Download

Snort Version 2.8 - Download

Patch and recompile Snort to use the Autoshun plugin.

cd [location of Snort source code]; example, cd /install/snort-2.4.5/src

make clean; example,make distclean

change directory up one level; example, cd ..

extract Autoshun plugin; example, tar -zxvf Snort-2.4-AutoshunPatch.tgz

Patch -p1 < [location of the patchfile you downloaded]; example assuming patch is located at /install/snort-2.4.5 directory, patch -p1 < autoshunpatch-Snort-2.4-Autoshun-1.0d

Run configure with your installation specific options; example, ./configure

Run make; make

Test your Snort installation; example assuming your snort.conf is in /etc, snort -T -c /etc/snort.conf

If test is successful stop your Snort service; example, service snort stop

Install Snort; example, make install

Start Snort service; example, service snort start

Configure your snort configuration file to use the autoshun rules.

While logged into your IDS, browse to http://www.myipaddress.com or any other service that displays the outside address of your IDS.

Log onto the Autoshun server to register your IDS.

Click on the Register My IDS link

Enter the outside IP address of the IDS and the hostname for the IDS.

It will return a huge long key value. Copy and save this long series of digits. This is the unique login key for your IDS. This key value is unique to the outside address of your IDS. If the outside address of the IDS changes, this key will need to be regenerated.

Edit your snort.conf file; example, assuming that your snort.conf is located in /etc, vi /etc/snort.conf

Go to output plugin section.

Add the autoshun output plugin to your snort.conf; example,

output output_autoshun:

afferentsecurity.com:80 abcdefgh1234567ijklm890

Use wget to download the autoshun rules and autoshuncalibration (you should not use the calibration rules in production, the rules will be ignored) rules to your rules directory; example, assuming that your rules directory is /etc/snort, cd /etc/snort

wget http://www.autoshun.org/downloads/autoshun2.rules

wget http://www.autoshun.org/downloads/autoshuncalibration.rules

Edit your snort.conf file; example, assuming that your snort.conf is located in /etc, vi /etc/snort.conf

Go to the rules section and add the autoshun2.rules and autoshuncalibration.rules

include $RULE_PATH/autoshun2.rules

include $RULE_PATH/autoshuncalibrations.rules

Test your Snort installation; example assuming your snort.conf is in /etc, snort -T -c /etc/snort.conf

After successful testing of the new snort install, restart Snort; example, service snort restart

From another machine on the network ping 10.2.2.43 (Success or Failure of the ping is irrelevant). Review that the alert was registered in your alert system (i.e. database, alert file, etc.).

To see that the IDS has contacted the autoshun database go to Manage Your IDS to see the last contact time.

Edit your snort.conf file; example, assuming that your snort.conf is located in /etc, vi /etc/snort.conf Go to the rules section and comment out the autoshuncalibration.rules
#include $RULE_PATH/autoshuncalibrations.rules

Restart Snort service; example, service snort start
Create a script to update the autoshun rules everyday.

For installation problems contact us

image here

The history of Autoshun In 2001 a group of Snort users decided to merge their real time snort databases to create a mutual network protection society. Their shunlist has been freely available at https://monitor.teamics.com since 2001.

As the ongoing management and administration of the "shunlist" became more complex, the project was handed over to @fferent Security Labs (ASL) in 2002.

With the rise of botnets as a major threat in 2004, ASL undertook a total overhaul of the Autoshun project, focusing on detecting and blocking bot-based attacks with extraordinary accuracy.

In 2006, ASL decided to make Autoshun available to the world. The new autoshun code (Jan 2007) allows anyone with a snort box to contribute their logs, and anyone with a firewall to download the shunlist for free.

ASL can also use their proprietary firewall administration software to 'push' shun events directly to your firewall in real time.

PCI Certified by Scanless PCI

Autoshun Statistics (numbers update every two hours )
	Number of attacks interrupted by member IDSs (TATI)	Total number of attacks prevented by sharing of shun data (TCE)	Total number of attacks prevented by all types of shunning (TOT)
2010-08-26	48	Error	92655
2010-08-27	43	57910	60753
2010-08-28	34	30435	462048
2010-08-29	34	29959728	50172491
2010-08-30	43	13525	4458145
2010-08-31	57	60343	27380
2010-09-01	42	87875	62117
2010-09-02	46	72510	49563
2010-09-04	29	25390	25296
2010-09-05	25	22531	25943
2010-09-06	23	19934	24319

Autoshun

Downloads

Please visit our Sponsors

Useful Links

Legal

Install Doc

Autoshun Statistics

Number of attacks interrupted by member IDSs(TATI)

Total number of attacks prevented by sharing of shun data(TCE)

Total number of attacks prevented by all types of shunning(TOT)

Number of attacks interrupted by member IDSs
(TATI)

Total number of attacks prevented by sharing of shun data
(TCE)

Total number of attacks prevented by all types of shunning
(TOT)