Snort Sam

Docs that have proven to be a staple in understanding computer/network security. This is not an inclusive forum and nothing ipublished will tell you how to 0wn someone, these docs will help you understand how you got 0wnd.
Post Reply
User avatar
weazy
Ex-Admin
Posts: 1688
Joined: Sun Jul 07, 2002 10:02 am
Location: any given
Contact:

Snort Sam

Post by weazy » Fri May 30, 2003 7:17 pm

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on a Checkpoint Firewall-1 firewall.

SnortSam itself consists of two pieces -- the output plugin within Snort and an intelligent agent that runs on the firewall. The agent provides a variety of capabilities that go beyond other automated blocking mechanisms. Here are a few highlights:

White-list support of IP addresses that will never be blocked.

Time-override list.

Flexible blocking specification including rule dependent blocking time interval.

Misuse/Attack detection engine that works in conjunction with...

...rollback support. SnortSam keeps track of blocks and can unblock the last x blocks.

Repetitive (same IP) block prevention within 10 sec window to improve performance.

TwoFish encrypted communication between Snort and the SnortSam agent.



SnortSam is open-source software, free of charge. It can be compiled under any platform and should function across different platforms.

Download it from Snortsam.net directly

Download Snortsam from netflood: Here

Download Snort: Here



FW-1 config: To allow SnortSam to talk to FW-1 with an OPSEC packet, modify the file fwopsec.conf and change line 1 from sam_server auth_port 18183 to sam_server port 18183. (This file is located in /fw1/4.1/conf/ on FW-1 version 4.1, and in /fw/conf on FW-1 version 4.0).


Example 1: The agent can be setup quickly. Just copy snortsam.exe into a directory on the firewall. Then create a file called snortsam.cfg in the same directory. In our example, the Snort box has the IP address 192.168.0.25, so the configuration file would have to include:

accept 192.168.0.25/mypassword   # Replace with the IP of your Snort box


SnortSam will now be listening to requests from and block requested IP addresses. (Note: You can add more than one accept line if you have more than one Snort sensor)


Example 2: To add hosts or networks that you never want to block, just add them with the dontblock statement to the configuration file. Following example will prevent the firewall from blocking the DNS root servers:

dontblock a.root-servers.net
dontblock b.root-servers.net
dontblock c.root-servers.net
dontblock d.root-servers.net
dontblock e.root-servers.net
dontblock f.root-servers.net
dontblock g.root-servers.net
dontblock h.root-servers.net
dontblock i.root-servers.net
dontblock j.root-servers.net
dontblock k.root-servers.net
dontblock l.root-servers.net
dontblock m.root-servers.net



Example 3: If you also want to prevent your internal machines from accidentally being blocked, add following line to the configuration file:

dontblock 192.168.0.0/24



Example 4: If your Snort box monitors the Internet, you might want to include the Rollback support. Let's say you don't expect more than 10 blocking requests within 30 seconds. If the threshold is exceeded, something odd is going on. You want unblock the last 20 blocked IP addresses and wait until the level falls back below the set threshold. To do this, just add following lines to the configuration file:

rollbackthreshold 10/30
rollbackhosts 20



Snort Configuration   (snort.conf, Example Rule 1, Example Rule 2)

Snort.conf: In order to have Snort send requests to the SnortSam agent, it needs to be listed in the Snort config file. In our example, the IP address of the firewall is 192.168.0.1. Open snort.conf and add following line:

output alert_fwsam: 192.168.0.1/mypassword


Note: To enter additional firewalls just separate them with a space.
output alert_fwsam: 192.168.0.1/mypassword 192.168.0.5/wanfwkey

Example 1: Let's say you want to block intruders that scan for the .printer vulnerability in IIS5 for 1 hour. Modify the existing Snort rule (to be found web-iis.rules. The rules should read:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1;)


Now, append the statement fwsam: 1 hour;. The rule should read now:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1; fwsam: src, 1 hour;)


Note that the keyword SRC is used. If you look at the Snort rule, read it as alert tcp SRC -> DST. There are rules in Snort where $EXTERNAL_NET is on the other side of the ->. In these cases we want to use the keyword DST. The next example will show this.


Example 2: Let's say you have telnet server (or perhaps a router) within your home net. Someone from the outside has tried to login repeatedly, and the internal device now closes the telnet session, sending the phrase 'Login failed'. You want to block the intruder for a day from preventing him to hack his way in. You would have to modify the existing Snort rule below as specified:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; flags: A+; content: "Login failed"; nocase; flags:A+; classtype:bad-unknown; sid:492; rev:2; fwsam: dst, 1 day)


In this case we have to use DST because the rule reads $HOME_NET 23 -> $EXTERNAL_NET. Remember, you have to think SRC -> DST. SRC in this case you be $HOME_NET (the IP address of the telnet device), and DST denotes the foreign IP address.
--The Devil is in the Details--

Post Reply