Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.
An alternative to running Snort on your firewall and having it activate filtering rules on the machine it’s running on [Hack #111] is to have Snort communicate which filtering rules should be put in place when an intrusion is detected on an external firewall. To do this, you can use SnortSam (http://www.snortsam.net).
SnortSam is made up of two components: a Snort plug-in and a daemon. It uses Snort’s plug-in architecture and extends Snort with the ability to communicate with a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on Linux, SnortSam supports a wide variety of firewalls, such as Check Point’s FireWall-1, various Cisco firewalls, NetScreen, Firebox, OpenBSD’s PF, and Linux’s ipchains and iptables interfaces to Netfilter.
To set up SnortSam, first download the source distribution and then unpack it. After you’ve done that, go into the directory it created and run this command:
$ sh makesnortsam.sh
This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g., /usr/bin or /usr/local/bin).
Now, download the patch for Snort, which you can get from the same site as SnortSam. After you’ve done that, unpack it:
$ tar xvfz snortsam-patch.tar.gz
patchsnort.sh
patchsnort.sh.asc
snortpatch8
snortpatch8.asc
snortpatch9
snortpatch9.asc
snortpatchb
snortpatchb.asc
Next, run patchsnort.sh and specify the directory where you’re keeping Snort’s source:
$ patchsnort.sh snort-2.4.4
Patching Snort version 2.x...
patching file spo_alert_fwsam.c
patching file spo_alert_fwsam.h
patching file twofish.c
patching file twofish.h
rm: cannot remove `spo_alert_fwsam.?.orig': No such file or directory
rm: cannot remove `twofish.?.orig': No such file or directory
patching file plugbase.c
Hunk #1 succeeded at 114 with fuzz 2 (offset 4 lines).
Hunk #2 succeeded at 588 with fuzz 2 (offset 13 lines).
patching file plugin_enum.h
Hunk #1 succeeded at 37 with fuzz 1.
Patching Makefiles...
Done
Finally, compile Snort [Hack #106] as you would normally, except run the following commands before running ./configure:
$ aclocal
$ autoheader
$ automake --add-missing
$ autoconf
Before running SnortSam, you must create a configuration file for it. SnortSam’s configuration syntax is pretty easy to use, but there are quite a few options, so only a subset of the available ones will be discussed here.
One useful option is accept, which lets you tell SnortSam what Snort sensors are allowed to connect to it. This option can take a CIDR-format address range, a hostname, or a single IP address. You can optionally specify a password as well. If you don’t specify a password, the one specified by the defaultkey option is used.
For example, if you want to allow all hosts from the network 192.168.1.0/24 with the password qwijybo, you can put a line like this in your configuration file:
accept 192.168.1.0/24, qwijybo
To specify multiple hosts or network address ranges, you can use multiple accept entries.
Another useful option is dontblock, which enables you to construct a whitelist of hosts and networks that SnortSam will not block under any circumstances. This option takes hostnames, single IP addresses, and CIDR address ranges; you can also use multiple dontblock entries, just as you can with accept.
To improve SnortSam’s performance, you might want to use the skipinterval option, which lets you tell SnortSam how long to skip identical blocking requests before it resumes applying rules for that request. This ensures that SnortSam isn’t constantly requesting the firewall to block the same IP address and port over and over again. The skipinterval option takes a single number as its argument, specifying how many seconds to wait.
You’ll probably want to keep tabs on what SnortSam’s doing, since you’re allowing it to modify your firewall’s rules. One way is to use the logfile option, which will cause SnortSam to log events such as program starts, blocking and unblocking requests, and any errors that were encountered. This option takes a single argument: the filename to which the logs will be written. The log file that you specify will be created in /var/log.
A couple of other useful options are daemon and bindip. The daemon option simply tells SnortSam to fork into the background and run as a daemon; it does not take any arguments. The bindip option allows you to specify which IP address to listen on, which is useful when the machine that SnortSam is running on has multiple addresses available.
For instance, if you want SnortSam to listen on only 192.168.1.15, use a line like this:
bindip 192.168.1.15
You can also change the port that SnortSam listens on (898, by default) with the port option.
After you’re done with SnortSam’s options, you’ll need to tell it what kind of firewall to communicate with and how to do it. For example, to use SnortSam with a Check Point firewall, you can specify either the fwexec or fwsam keywords. Use fwexec when you want to run SnortSam on the host that the firewall is installed on, and use fwsam when you want to communicate with a remote firewall. The fwexec keyword takes the full pathname to the fw executable as its only argument, whereas the fwsam keyword uses the hostname or IP address of the firewall.
In addition, you’ll need to modify the fwopsec.conf file on your firewall to include the following line:
sam_server port 1813
To use SnortSam with a PIX firewall, you’ll need to use the pix keyword and specify the IP address of the firewall as well as the telnet and enable mode passwords:
pix 192.16.1.2 telnetpw enablepw
Or, if your firewall is set up to do user authentication, you can use user/password in place of the telnet password.
If you want to use SnortSam with OpenBSD’s PF or Linux’s iptables, you’ll need to use the pf or iptables keywords. For basic usage, all you need to do is specify the interface on which to block packets.
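The options above fit together in a single configuration file. The following snortsam.conf is an added example, not one shipped with SnortSam or taken from the book; every address, interface name, filename and password in it is an assumption chosen for illustration. It uses the iptables keyword, so it would run on a Linux firewall, and it deliberately whitelists the sensors, the gateway and the resolver so that a spoofed or false-positive alert cannot cut the firewall off from its own management network.

```conf
# snortsam.conf (constructed example; all values are assumptions)

# Only sensors on the management network may send block requests.
# The password after the comma must match the one Snort uses in its
# alert_fwsam output line.
accept 192.168.1.0/24, qwijybo
# A lone sensor elsewhere, authenticated with the default key.
accept 10.0.0.5
defaultkey s3cretkey

# Never block the gateway, the sensor network or the DNS resolver,
# whatever a rule asks for.
dontblock 192.168.1.1
dontblock 192.168.1.0/24
dontblock 10.0.0.53

# Ignore repeated requests for the same address/port for 60 seconds.
skipinterval 60

# Audit trail; created under /var/log.
logfile snortsam.log

# Listen only on the management address, on the default port,
# and detach into the background.
bindip 192.168.1.15
port 898
daemon

# Apply blocks with iptables on the firewall's outside interface.
iptables eth0
```

If SnortSam runs on a host with a PIX or Check Point firewall instead, replace the last line with the corresponding pix, fwexec or fwsam line described above; the rest of the file is firewall-independent.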
To configure the Snort side of things, you’ll need to add the alert_fwsam output plug-in to the output plug-ins that you’re already using. This plug-in takes a hostname and an optional port to connect to, along with a password. If SnortSam is using the default port, you don’t need to specify the port here:
output alert_fwsam: firewall/mypassword firewall2:1025/mypassword
Notice that you can list multiple instances of SnortSam to send block requests to by separating them with whitespace.
You should modify any rules that you want to trigger a firewall rule to use the fwsam rule option. This option takes as its arguments what to block, and how long the block should be in effect. To block the source of the packet that caused the alert, use src; to block the destination, use dst. If you want to block both, use either. For the duration, you can use a number along with a modifier specifying what unit it’s in (i.e., seconds, minutes, hours, days, weeks, months, or years), or you can use 0 to specify an indefinite period of time.
For instance, to block the source address of the packet that triggered a rule for five minutes, you could add this to your rule options:
fwsam: src, 5 minutes;
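Putting the output line and the rule option together, here is an added snort.conf fragment that is not from the book or the SnortSam distribution. The SnortSam address and password are assumed to match the snortsam.conf on the firewall, and the two rules (with SIDs in the local range above 1,000,000) are constructed for illustration: the first blocks only the offending source for five minutes, the second blocks both ends of the connection for a longer period.

```conf
# snort.conf fragment (constructed example; host, password and rules assumed)

# Keep the output plug-ins already in use and add alert_fwsam next to them.
# SnortSam listens on its default port, so only host/password is needed.
output alert_syslog: LOG_AUTH LOG_ALERT
output alert_fwsam: 192.168.1.15/qwijybo

# Block the source of an unexpected inbound telnet attempt for 5 minutes.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet connection attempt from outside"; flags:S; classtype:attempted-recon; sid:1000001; rev:1; fwsam: src, 5 minutes;)

# Block both endpoints of traffic to a known-bad port for 2 hours.
alert tcp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"Connection attempt to backdoor port"; flags:S; classtype:attempted-admin; sid:1000002; rev:1; fwsam: either, 2 hours;)
```

Because the dontblock entries in snortsam.conf take precedence, a rule using either cannot block the sensor or gateway even when the destination address is one of them; keep that list current when you add hosts that must stay reachable.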
Now that everything is configured, start SnortSam by running a command similar to this:
# snortsam /usr/local/etc/snortsam.conf
Of course, you’ll need to substitute the full path to your configuration file if it’s not /usr/local/etc/snortsam.conf. As for Snort, just start it as you normally would.
For more information on using SnortSam with other types of firewalls, be sure to check out the README files included with the source distribution.
“Prevent and Contain Intrusions with Snort_inline” [Hack #111] discusses installing Snort_inline on your firewall.