Feb. 12, 2011, 9:40 p.m.
posted by unixgeek
Automatically Firewall Attackers with SnortSam
Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.
An alternative to running Snort on your firewall and having it activate filtering rules on the machine it's running on [Hack #111] is to have Snort communicate which filtering rules should be put in place when an intrusion is detected on an external firewall. To do this, you can use SnortSam (http://www.snortsam.net).
SnortSam is made up of two components: a Snort plug-in and a daemon. It uses Snort's plug-in architecture and extends Snort with the ability to communicate with a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on Linux, SnortSam supports a wide variety of firewalls, such as Check Point's FireWall-1, various Cisco firewalls, NetScreen, Firebox, OpenBSD's PF, and Linux's ipchains and iptables interfaces to Netfilter.
$ sh makesnortsam.sh
This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g., /usr/bin or /usr/local/bin).
Now, download the patch for Snort, which you can get from the same site as SnortSam. After you've done that, unpack it:
$ tar xvfz snortsam-patch.tar.gz patchsnort.sh patchsnort.sh.asc snortpatch8 snortpatch8.asc snortpatch9 snortpatch9.asc snortpatchb snortpatchb.asc
Next, run patchsnort.sh and specify the directory where you're keeping Snort's source:
$ patchsnort.sh snort-2.4.4 Patching Snort version 2.x... patching file spo_alert_fwsam.c patching file spo_alert_fwsam.h patching file twofish.c patching file twofish.h rm: cannot remove \Qspo_alert_fwsam.?.orig': No such file or directory rm: cannot remove \Qtwofish.?.orig': No such file or directory patching file plugbase.c Hunk #1 succeeded at 114 with fuzz 2 (offset 4 lines). Hunk #2 succeeded at 588 with fuzz 2 (offset 13 lines). patching file plugin_enum.h Hunk #1 succeeded at 37 with fuzz 1. Patching Makefiles... Done
Finally, compile Snort [Hack #106] as you would normally, except run the following commands before running ./configure:
$ aclocal $ autoheader $ automake --add-missing $ autoconf
Before running SnortSam, you must create a configuration file for it. SnortSam's configuration syntax is pretty easy to use, but there are quite a few options, so only a subset of the available ones will be discussed here.
One useful option is accept, which lets you tell SnortSam what Snort sensors are allowed to connect to it. This option can take a CIDR-format address range, a hostname, or a single IP address. You can optionally specify a password as well. If you don't specify a password, the one specified by the defaultkey option is used.
For example, if you want to allow all hosts from the network 192.168.1.0/24 with the password qwijybo, you can put a line like this in your configuration file:
accept 192.168.1.0/24, qwijybo
To specify multiple hosts or network address ranges, you can use multiple accept entries.
Another useful option is dontblock , which enables you to construct a whitelist of hosts and networks that SnortSam will not block under any circumstances. This option takes hostnames, single IP addresses, and CIDR address ranges; you can also use multiple dontblock entries, just as you can with accept.
To improve SnortSam's performance, you might want to use the skipinterval option, which lets you tell SnortSam how long to skip identical blocking requests before it resumes applying rules for that request. This ensures that SnortSam isn't constantly requesting the firewall to block the same IP address and port over and over again. The skipinterval option takes a single number as its argument, specifying how many seconds to wait.
You'll probably want to keep tabs on what SnortSam's doing, since you're allowing it to modify your firewall's rules. One way is to use the logfile option, which will cause SnortSam to log events such as program starts, blocking and unblocking requests, and any errors that were encountered. This option takes a single argument: the filename to which the logs will be written. The log file that you specify will be created in /var/log.
A couple of other useful options are daemon and bindip. The daemon option simply tells SnortSam to fork into the background and run as a daemon; it does not take any arguments. The bindip option allows you to specify which IP address to listen on, which is useful when the machine that SnortSam is running on has multiple addresses available.
For instance, if you want SnortSam to listen on only 192.168.1.15, use a line like this:
After you're done with SnortSam's options, you'll need to tell it what kind of firewall to communicate with and how to do it. For example, to use SnortSam with a Check Point firewall, you can specify either the fwexec or fwsam keywords. Use fwexec when you want to run SnortSam on the host that the firewall is installed on, and use fwsam when you want to communicate with a remote firewall. The fwexec keyword takes the full pathname to the fw executable as its only argument, whereas the fwsam keyword uses the hostname or IP address of the firewall.
In addition, you'll need to modify the fwopsec.conf file on your firewall to include the following line:
sam_server port 1813
pix 220.127.116.11 telnetpw enablepw
Or, if your firewall is set up to do user authentication, you can use user / password in place of the telnet password.
If you want to use SnortSam with OpenBSD's PF or Linux's iptables, you'll need to use the pf or iptables keywords. For basic usage, all you need to do is specify the interface on which to block packets.
To configure the Snort side of things, you'll need to add the alert_fwsam output plug-in to the output plug-ins that you're already using. This plug-in takes a hostname and an optional port to connect to, along with a password. If SnortSam is using the default port, you don't need to specify the port here:
output alert_fwsam: firewall/mypassword firewall2:1025/mypassword
Notice that you can list multiple instances of SnortSam to send block requests to by separating them with whitespace.
You should modify any rules that you want to trigger a firewall rule to use the fwsam rule option. This option takes as its arguments what to block, and how long the block should be in effect. To block the source of the packet that caused the alert, use src; to block the destination, use dst. If you want to block both, use either. For the duration, you can use a number along with a modifier specifying what unit it's in (i.e., seconds, minutes, hours, days, weeks, months, or years), or you can use 0 to specify an indefinite period of time.
For instance, to block the source address of the packet that triggered a rule for five minutes, you could add this to your rule options:
fwsam: src, 5 minutes;
Now that everything is configured, start SnortSam by running a command similar to this:
# snortsam /usr/local/etc/snortsam.conf