Hack 88 Automated Dynamic Firewalling with SnortSam


Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.

An alternative to running Snort on your firewall and having it activate filtering rules on the machine it's running on [Hack #87] is to have Snort communicate which filtering rules should be put in place on an external firewall when an intrusion is detected. To do this, you can use SnortSam (http://www.snortsam.net).

SnortSam uses Snort's plug-in architecture and extends Snort with the ability to notify a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on Linux, SnortSam supports a wide variety of firewalls, such as Checkpoint, Cisco, Netscreen, Firebox, OpenBSD's pf, and even Linux's ipchains and iptables interfaces to Netfilter. SnortSam is made up of two components, a Snort plug-in and a daemon.

To set up SnortSam, first download the source distribution and then unpack it. After you've done that, go into the directory it created and run this command:

$ sh makesnortsam.sh

This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g., /usr/bin or /usr/local/bin).

Now download the patch for Snort, which you can get from the same site as SnortSam. After you've done that, unpack it:

$ tar xvfz snortsam-patch.tar.gz

Next, run patchsnort.sh and specify the directory where you're keeping Snort's source:

$ sh patchsnort.sh snort-2.0.5
Patching Snort version 2.0...
patching file spo_alert_fwsam.c
patching file spo_alert_fwsam.h
patching file twofish.c
patching file twofish.h
patching file plugbase.c
Hunk #1 succeeded at 29 with fuzz 2 (offset -73 lines).
Hunk #2 succeeded at 639 with fuzz 2 (offset 77 lines).
Patching Makefiles...

Now compile Snort as you would normally [Hack #82].

Before running SnortSam, you must create a configuration file for it. SnortSam's configuration syntax is pretty easy to use, but there are quite a few options, so only a subset of the available ones will be discussed here.

One useful option is accept, which lets you tell SnortSam what Snort sensors are allowed to connect to it. This option can take a CIDR-format address range, a hostname, or a single IP address. You can optionally specify a password as well. If you don't specify a password, the one specified by the defaultkey option is used.

For example, if you wanted to allow all hosts from the network with the password qwijybo, you could put a line like this in your configuration file:

accept, qwijybo

To specify multiple hosts or network address ranges, you can use multiple accept entries.

Another useful option is dontblock. This enables you to construct a whitelist of hosts and networks that SnortSam will not block under any circumstances. This option takes hostnames, single IP addresses, and CIDR addresses; you can also use multiple dontblock entries, just as you can with accept.

To improve SnortSam's performance, you may want to use the skipinterval option. This option lets you tell SnortSam how long to skip identical blocking requests before it will resume applying rules for that request. This ensures that SnortSam isn't constantly requesting the firewall to block the same IP address and port over and over again. The skipinterval option takes a single number as its argument, which specifies how many seconds to wait.

You'll probably want to keep tabs on what SnortSam's doing, since you're allowing it to modify your firewall's rules. One way is to use the logfile option, which will cause SnortSam to log events such as program start, blocking and unblocking requests, and any errors that were encountered. This option takes a single argument, which is the filename that the logs will be written to. The log file that you specify will be created in /var/log.

A couple of other useful options are daemon and bindip. The daemon option simply tells SnortSam to fork into the background and run as a daemon; it does not take any arguments. The bindip option, on the other hand, allows you to specify which IP address to listen on, which is useful when the machine that SnortSam is running on has multiple addresses available.

For instance, if you wanted SnortSam to listen only on, you would use a line like this:


In addition, the default port that SnortSam listens on is 898, but you can change this with the port option.

After you're done with SnortSam's options, you'll need to tell it what kind of firewall to communicate with and how to do it. To use SnortSam with a Checkpoint FW-1 firewall, you can specify either the fwexec or fwsam keywords. Use fwexec when you want to run SnortSam on the host that the firewall is installed on, and use fwsam when you want to communicate with a remote firewall.

The fwexec keyword takes the full pathname to the fw executable as its only argument, whereas the fwsam keyword uses the hostname or IP of the firewall. In addition, you'll need to modify the fwopsec.conf file on your firewall to include the following line:

sam_server port 1813

To use SnortSam with a PIX firewall, you'll need to use the pix keyword and specify the IP address of the firewall as well as the Telnet and enable mode passwords.

For example:

pix telnetpw enablepw

Or, if your firewall is set up to do user authentication, you can use user/password in place of the Telnet password.

If you want to use SnortSam with OpenBSD's PF or Linux's iptables, you'll need to use the pf or iptables keywords. For basic usage, all you need to do is specify the interface on which to block packets.

To configure the Snort side of things, you'll need to add the alert_fwsam output plug-in to the output plug-ins that you're already using. This plug-in takes a hostname and an optional port to connect to, along with a password. If SnortSam is using the default port, you don't need to specify the port here.

For example:

output alert_fwsam: firewall/mypassword firewall2:1025/mypassword

Notice that you can list multiple instances of SnortSam to send block requests to by separating them with whitespace.

Any rules that you want to trigger a firewall rule should be modified to use the fwsam rule option. This option takes as its arguments what to block and for how long the block should be in effect. To block the source of the packet that caused the alert, use src; to block the destination, use dst. If you want to block both, use either. For the duration you can use a number along with a modifier specifying what unit it's in (i.e., seconds, minutes, hours, days, weeks, months, or years), or you can use 0 to specify an indefinite period of time.

For instance, to block the source address of the packet that triggered a rule for five minutes, you could add this to your rule options:

fwsam: src, 5 minutes;
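The following Python helper is added here and is not part of the book or the SnortSam distribution. It parses the snortsam.conf options discussed above (accept, dontblock, bindip) and the fwsam rule option, reports which addresses a given alert would block, and flags any sensor or the SnortSam host itself that is not protected by dontblock, since blocking those silently cuts off your own alerts; the sample configuration, the month/year lengths, and the src/dst/either handling are this example's assumptions.

```python
import ipaddress
import re
# Constructed sample snortsam.conf for this example, not a file from the SnortSam distribution.
SAMPLE_CONF = """\
accept 192.168.1.0/24, qwijybo   # Snort sensors allowed to send block requests
accept 10.0.0.5                  # no password here, so defaultkey applies
defaultkey changeme
dontblock 192.168.1.0/24         # never block the sensor network
dontblock 10.0.0.1               # never block the upstream gateway
bindip 192.168.1.1
iptables eth0
"""
# Seconds per fwsam duration unit; the month and year values are this example's assumption.
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400,
         "week": 604800, "month": 30 * 86400, "year": 365 * 86400}
def parse_conf(text):
    """Map each option keyword to the argument lists seen for it."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = [p for p in re.split(r"[,\s]+", line) if p]
            conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf

def whitelisted(conf, net):
    """True if host or CIDR 'net' is fully covered by some dontblock entry (IPs only, no hostnames)."""
    target = ipaddress.ip_network(net, strict=False)
    return any(target.subnet_of(ipaddress.ip_network(a[0], strict=False))
               for a in conf.get("dontblock", []))

def lint(conf):
    """Pre-deployment checks: a sensor or the SnortSam host itself must never be blockable."""
    issues = [f"{a[0]}: not covered by any dontblock entry"
              for a in conf.get("accept", []) + conf.get("bindip", []) if not whitelisted(conf, a[0])]
    if "defaultkey" not in conf:
        issues += [f"accept {a[0]}: no password and no defaultkey" for a in conf.get("accept", []) if len(a) < 2]
    return issues

def parse_fwsam(option):
    """Parse 'fwsam: src, 5 minutes;' into (who, seconds); a duration of 0 means indefinite (None)."""
    m = re.fullmatch(r"fwsam:\s*(src|dst|either)\s*,\s*(\d+)\s*([a-z]*)\s*;?", option.strip())
    who, num, unit = m.group(1), int(m.group(2)), (m.group(3).rstrip("s") or "second")
    return who, (None if num == 0 else num * UNITS[unit])

def block_decision(conf, option, src, dst):
    """Addresses and durations SnortSam would apply for one alert, honouring dontblock."""
    who, secs = parse_fwsam(option)
    targets = {"src": [src], "dst": [dst], "either": [src, dst]}[who]
    return [(ip, secs) for ip in targets if not whitelisted(conf, ip)]
```

Run lint() against your real snortsam.conf before starting the daemon; an empty list means every sensor and the SnortSam host are covered by a dontblock entry.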

Now that everything is configured, start SnortSam by running a command similar to this:

# snortsam /usr/local/etc/snortsam.conf

Of course, you'll need to substitute the full path to your configuration file if it's not /usr/local/etc/snortsam.conf. As for Snort, just start it as you normally would.

For more information on using SnortSam with other types of firewalls, be sure to check out the README files included with the source distribution.