SnortSAM is a plug-in for Snort that can be found at http://www.snortsam.net. It was developed by a team of people who saw the value in coupling a strong attack detection mechanism with the ability to change access controls on border devices—stopping an attack in progress. SnortSAM can order changes in the access control lists of the following network border devices:
Checkpoint Firewall-1
Cisco PIX Firewall
Cisco Routers
Netscreen firewall
IP Filter (ipf)—Unix-based OS firewall
Linux ipchains
Linux iptables
Watchguard firewall
SnortSAM consists of two components: a patch for the Snort sensor itself and the SnortSAM application, which can be run on the Snort sensor or on another, dedicated SnortSAM system. SnortSAM allows the Snort sensor to act as a gateway IDS by running multiple interfaces, enabling routing, and running ipchains or iptables. When an alert is detected, the ipchains or iptables access lists are modified to block traffic from the offending network. More commonly, a Snort sensor is configured to modify the access control lists of existing border devices through SnortSAM. The requested blocks can be given a specific lifetime, so that they do not last forever.
The first step in installing SnortSAM is to download and unpack the source code. There are some precompiled SnortSAM binaries for a wide range of operating systems that you can use, but I prefer to compile my own. After downloading the source, create a directory (I usually put the source in /usr/local/src/snortsam/), and copy the gzipped tarball to the directory. To install SnortSAM on your designated SnortSAM system (could be the system running Snort or a separate system altogether—please note that version numbers will change over time), use this:
# cd /usr/local/src/snortsam
# tar -zxvf snortsam-src-2.23.tar.gz
# cd snortsam
# chmod +x makesnortsam.sh
# ./makesnortsam.sh
This creates the binary called snortsam that you can copy to a directory such as /usr/local/bin. The above process creates a binary on FreeBSD, Linux, and Solaris. To compile for Windows, open the file called SnortSam.dsp with Visual C++ and select the project that you want to compile (Normal, in all likelihood).
Download snortsam-patch.tar.gz from http://www.snortsam.net/download.html and make a directory to store the patch source (I use /usr/local/src/snortsam-patch/). Copy the patch source to this directory. To apply the patch to Snort (substitute the path to the Snort source directory), use this:
# cd /usr/local/src/snortsam-patch/
# tar -zxvf snortsam-patch.tar.gz
# chmod +x patchsnort.sh
# ./patchsnort.sh /usr/local/src/snort/snort2.1.x/
Then recompile Snort.
Running SnortSAM is simple since it only needs to be supplied with one argument: the location of the snortsam.conf file. The file needs to be built from scratch (I suggest locating it in /usr/local/etc/). You only need to include the options applicable to your environment. Append the desired configuration options to the snortsam.conf file. Where an option takes a pre-shared key, this is simply a string of characters that both the server and the sensor know; it is used to encrypt the traffic between them. The snortsam.conf file can include the following options:
accept <addresses from which to accept alerts>/<net mask>,<pre-shared key>
Designates the addresses of Snort sensors that are allowed to send the SnortSAM server blocking requests. The pre-shared key is used to encrypt the communication between the sensor and the SnortSAM server (the Twofish algorithm is used). Here's an example:
accept 192.168.1.0/24, supersecretkey
defaultkey <pre-shared key>
This is a pre-shared key that needs to be configured in the snort.conf file on the sensors, as well. SnortSAM uses the default key if one is not specified for a particular sensor. Here's an example:
defaultkey supersecretdefaultkey
port <port number>
The port number that SnortSAM uses to communicate with Snort sensors (898 is the default). Here's an example:
port 6666
dontblock <address or DNS hostname>
Specifies hosts that should never be blocked. This list is referred to as the White List in the documentation. An entry can be a single IP address, a range of addresses (address/mask bits—for example, 10.10.10.0/24), or a hostname. There can be only one entry per line, but there can be an unlimited number of lines. Here's an example:
dontblock a.root-servers.net
dontblock 192.168.0.0/16
logfile <filename>
A file that SnortSAM can use to log its activity. Here's an example:
logfile snortsam.log
loglevel <level>
This defaults to level 2. The default is suggested, but the options are as follows:
0 - Quiet: No logging occurs.
1 - Sparse: Only errors are logged.
2 - Normal: Errors and blocks are logged.
3 - Verbose: Additional information (such as connections/disconnections) is logged as well.
Here's an example:
loglevel 1
include <filename>
You can specify additional files to include in the configuration. SnortSAM comes with a list of the root name servers to include in your white list called rootservers.cfg. You could keep another file called donotblock.conf that contains the entire white list and include it, as well. Here's an example:
include rootservers.cfg
daemon
This option takes no arguments. If it is present, SnortSAM runs in daemon mode—similar to the -D option in Snort. Here's an example:
daemon
skipinterval <time period>
This defaults to a value of 10 seconds. It causes SnortSAM to ignore the same block request if it falls within the specified time period. Here's an example:
skipinterval 60 secs
skiphosts <integer>
Works with skipinterval and designates how many blocks are kept in memory. Here's an example:
skiphosts 30
rollbackhosts <integer>
Tells SnortSAM to keep a record of the designated number of blocking requests for each Snort sensor. These traffic blocks are disabled if the rollback threshold is exceeded. Here's an example:
rollbackhosts 20
rollbackthreshold <integer> / <time period>
If more than <integer> blocking requests occur in a given <time period>, SnortSAM "unblocks" the number of blocks designated in the rollbackhosts directive. Here's an example:
rollbackthreshold 30 / 60 secs
rollbacksleeptime <time period>
Tells SnortSAM to ignore new blocking requests for the specified period of time, giving SnortSAM time to catch up and reduce the load. Defaults to 15 minutes. Here's an example:
rollbacksleeptime 2 minutes
You also need to include configuration information for the firewalls SnortSAM will use to block offending addresses. Below are examples for the Cisco PIX, ipchains, and iptables. For details on supporting other firewalls (such as Checkpoint, Watchguard, or Cisco routers), refer to the documentation:
pix <ip_address_of_PIX_firewall> <telnet_password> <enable_password>
pix <ip_address_of_PIX_firewall> <username/password> <enable_password>
Instructs SnortSAM to telnet to the PIX firewall located at the designated address, log in with the supplied password (or, in the second case, the TACACS or RADIUS username and password), enter enable mode with the supplied password, and generate a SHUN command. The SHUN command blocks the offending address, supplied by the patched Snort sensor. If the enable password is not included on the configuration line, the telnet password will be used for both. Here's an example:
pix 10.10.10.1 p1xp455w0rd 3n4bl3p455w0rd
ipchains <interface> <log_option>
SnortSAM uses this option when it's running on the Linux router running ipchains. ipchains creates a blocking rule for the reported naughty address on the specified interface. Optionally, a log option can be designated (log or logall). Here's an example:
ipchains eth0
iptables <interface> <log_option>
SnortSAM uses this option when it's on a Linux router running iptables. It creates a blocking rule for the offending address on the specified interface. Optionally, a log option can be designated. Here's an example:
iptables eth1
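To show how the directives above fit together, here is a complete snortsam.conf assembled from them. This is an added example, not a file shipped with SnortSAM; the sensor network, keys, PIX address and passwords, and log path are constructed placeholders for this illustration.

```conf
# Sensors allowed to send blocking requests, each subnet with its pre-shared key
# (constructed values - replace with your sensor network and your own keys)
accept 192.168.1.0/24, supersecretkey
defaultkey supersecretdefaultkey
port 6666

# White list: these are never blocked, whatever a sensor reports.
# The root name servers come from the file SnortSAM ships; the internal
# range and the PIX management address are added so a block can never
# cut off the infrastructure SnortSAM itself depends on.
include rootservers.cfg
dontblock 192.168.0.0/16
dontblock 10.10.10.1

# Logging and run mode
logfile /var/log/snortsam.log
loglevel 2
daemon

# Duplicate suppression and the rollback safety valve
skipinterval 60 secs
skiphosts 30
rollbackhosts 20
rollbackthreshold 30 / 60 secs
rollbacksleeptime 2 minutes

# Devices that receive the blocks: a PIX reached over telnet, and the
# local iptables ruleset on interface eth1
pix 10.10.10.1 p1xp455w0rd 3n4bl3p455w0rd
iptables eth1
```

The dontblock entries are the part worth thinking about before going live: anything a sensor could be induced to report, such as your own servers, the SnortSAM host, the sensors, and the managed firewalls, belongs on the white list, and the rollback directives cap the damage if a burst of alerts ever does produce a flood of blocks.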
Once the snortsam.conf is built, you can run SnortSAM, designating the location of the file:
# /usr/local/bin/snortsam /usr/local/etc/snortsam.conf
Add a line in the snort.conf on the Snort sensor so it can send notifications to the SnortSAM server (this might be the sensor system itself). Add the following line to the snort.conf file:
output alert_fwsam: <SnortSam Server IP address>:<port>/<pre-shared key>
This tells Snort to send SnortSAM blocking instructions to the SnortSAM server located at the designated IP address. If the server is using a nonstandard port, it can be designated here. Finally, include the pre-shared key that you entered into the accept line in the snortsam.conf file. These two keys must match exactly. Here's an example:
output alert_fwsam: 192.168.1.1:6666/pr3sh4r3dk3y
Once you have the output plug-in configured, modify the rules that generate blocking requests. To do this, you'll use a new rule option, fwsam. It's made up of these elements:
<which host to block>
Can be src, source, dst, dest, or destination. Designates which address should be blocked. In Snort rules, the source address is always before the direction indicator (->). For some rules, the "bad guys" would be the source and for others, the destination. Examine what the rule is doing before making this choice. See the examples below for an illustration.
<duration>
Duration of block in seconds, minutes, hours, days, weeks, or years. A value of 0, or the keyword PERM, INF, or ALWAYS blocks the host permanently.
Here are some examples. The following blocks the destination address for the packet that triggered the alert for 1 hour:
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; content:"(C) Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; sid:2123; rev:1; fwsam: dst, 1 hour;)
The following blocks the source address for the packet that triggered the alert for 15 minutes:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:2003; rev:2; fwsam: src, 15 minutes;)
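A small checker for the fwsam option is a useful way to review a rule set before enabling blocking: it reads each rule, finds the fwsam option, resolves src/dst against the rule header the way the text describes, and converts the duration to seconds with the permanent cases (0, PERM, INF, ALWAYS) handled. This is an added example written for this page, not code from SnortSAM or Snort; the two sample rules are the ones above joined onto single lines, the parser only handles rules with the -> direction, and treating a bare number as seconds is an assumption, since the page lists only named units.

```python
import re

# Constructed sample input: the two rules shown on the page, each joined onto a single line.
RULE_BLOCK_DST = (
    'alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft cmd.exe banner"; '
    'flow:from_server,established; content:"Microsoft Windows"; content:"(C) Copyright 1985-"; distance:0; '
    'content:"Microsoft Corp."; distance:0; reference:nessus,11633; classtype:successful-admin; '
    'sid:2123; rev:1; fwsam: dst, 1 hour;)'
)
RULE_BLOCK_SRC = (
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation attempt"; content:"|04|"; '
    'depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; content:"sock"; content:"send"; reference:bugtraq,5310; '
    'classtype:misc-attack; reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; '
    'sid:2003; rev:2; fwsam: src, 15 minutes;)'
)

# Duration units named on the page; a unit is matched by prefix, so "sec", "secs" and "seconds" all work.
UNIT_SECONDS = {"sec": 1, "min": 60, "hour": 3600, "day": 86400, "week": 604800, "year": 31536000}
PERMANENT_KEYWORDS = {"perm", "inf", "always"}
SOURCE_WORDS = {"src", "source"}
DEST_WORDS = {"dst", "dest", "destination"}

# Snort rule header: action proto src_addr src_port -> dst_addr dst_port (
RULE_HEADER = re.compile(r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\(")
FWSAM_OPTION = re.compile(r"\bfwsam\s*:\s*([^;]+);")


def duration_seconds(text):
    """Turn an fwsam duration into seconds. Returns None for a permanent block
    (0, PERM, INF or ALWAYS, as the page describes)."""
    value = text.strip().lower()
    if value in PERMANENT_KEYWORDS:
        return None
    match = re.fullmatch(r"(\d+)\s*([a-z]*)", value)
    if not match:
        raise ValueError(f"unparseable fwsam duration: {text!r}")
    count, unit = int(match.group(1)), match.group(2)
    if count == 0:
        return None
    if unit == "":
        # Assumption: a bare number is taken as seconds; the page only lists named units.
        return count
    for prefix, multiplier in UNIT_SECONDS.items():
        if unit.startswith(prefix):
            return count * multiplier
    raise ValueError(f"unknown fwsam duration unit: {unit!r}")


def parse_fwsam_rule(rule):
    """Return what a rule asks SnortSAM to do: which side is blocked, the header
    address field that side refers to, and the duration in seconds (None = permanent).
    Returns None when the rule carries no fwsam option."""
    option = FWSAM_OPTION.search(rule)
    if option is None:
        return None
    header = RULE_HEADER.match(rule)
    if header is None:
        raise ValueError("rule header not understood (only '->' rules are handled here)")
    _action, _proto, src_addr, _src_port, dst_addr, _dst_port = header.groups()
    fields = [f.strip() for f in option.group(1).split(",")]
    if len(fields) != 2:
        raise ValueError("fwsam option needs <which host to block>, <duration>")
    who = fields[0].lower()
    if who in SOURCE_WORDS:
        side, address = "src", src_addr
    elif who in DEST_WORDS:
        side, address = "dst", dst_addr
    else:
        raise ValueError(f"unknown fwsam target: {fields[0]!r}")
    return {"side": side, "address": address, "seconds": duration_seconds(fields[1])}


if __name__ == "__main__":
    for rule in (RULE_BLOCK_DST, RULE_BLOCK_SRC):
        print(parse_fwsam_rule(rule))
```

Running it over the two rules shows why the src/dst choice matters: in the cmd.exe banner rule the source is $HOME_NET, so a src block would cut off your own compromised server rather than the remote party, and the rule correctly names dst. The worm rule blocks src on a single UDP packet, and since UDP sources are easily forged, a block like that can be made to land on whatever address appears in the source field; the dontblock list and rollback settings in snortsam.conf are what keep that from taking out hosts you care about.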