Block Network Attacks with SnortSAM

By | September 21, 2006

SnortSAM is an open source agent that allows the Snort intrusion detection system to block attacking connections by reconfiguring access control lists on firewalls, stopping an attack in progress. SnortSAM can order changes on firewalls such as Check Point, Cisco PIX firewalls, Cisco routers, UNIX-based firewalls and more.

SnortSAM consists of two components: a patch for the Snort IDS itself and the SnortSAM application, which can run on a dedicated SnortSAM server or on the Snort sensor. The patch adds a Snort output plug-in that notifies the SnortSAM agent of blocking requests on a per-rule basis. When such an alert fires, the access control lists of the firewall(s) are modified to block traffic from the offending network.

The first step in installing SnortSAM is to download and unpack the source code. To install SnortSAM, run these commands:

# mkdir /usr/local/src/snortsam
# cd /usr/local/src/snortsam
# tar -xzf snortsam-src-2.50.tar.gz
# cd snortsam
# chmod +x
# ./

This creates a binary called snortsam in /usr/local/src/snortsam that you can copy to a directory such as /usr/local/bin. The next step is to patch the Snort source code. Download snortsam-patch.tar.gz and make a directory to store the patch source:

# mkdir /usr/local/src/snortsam-patch
# cd /usr/local/src/snortsam-patch
# tar -xzf snortsam-patch.tar.gz
# chmod +x
# ./ /usr/local/src/snort_source_code/

Then rebuild Snort, starting with these commands:

# cd /usr/local/src/snort_source_code/
# aclocal
# autoheader
# automake --add-missing
# autoconf

Then run ./configure and make as in a normal installation. Now that you have SnortSAM installed, running it is simple: it requires only one program argument, the location of snortsam.conf. The configuration file contains a variety of options. A sample configuration file, snortsam.conf.sample, is provided and contains a full description of the options. Include only the options that apply to your environment.

At a very minimum, you need to specify which hosts running Snort are allowed to send blocking requests to the SnortSAM server. This is done with the ACCEPT option, for example: accept <Snort sensor address>, MY_PASSWORD. Next you need to configure the firewall you want to block on. SnortSAM has documentation for all supported firewalls and their options.

Once the snortsam.conf is built, you can run SnortSAM, designating the location of the configuration file:

# /usr/local/bin/snortsam /etc/snortsam.conf

Now that you have SnortSAM agent running and listening, you need to tell Snort to send SnortSAM blocking instructions to the SnortSAM server. Add the following line to snort.conf on the Snort sensor:

output alert_fwsam: <SnortSAM IP address>:<port>/<password>

The password value must be exactly the same value that you entered into the accept line in the snortsam.conf file. If you have more than one SnortSAM host, just add them on the same line, separated by a space.
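As an added illustration (this is not code from the article or from the SnortSAM project), the following Python checks that the two sides agree: it parses the output alert_fwsam line the way the text describes and the accept lines of each SnortSAM host's snortsam.conf, then reports whether a given sensor would be accepted with the password it sends. The sample configurations are constructed. The port and defaultkey directives, 898 as the default port, the comma between host and password on an accept line, and first-match semantics for accept lines are assumptions of this example; verify them against snortsam.conf.sample before relying on the result.

```python
"""Cross-check the password and host settings on the two sides of a SnortSAM setup.

Added example; it is not code from the article or from the SnortSAM project.
It reads the two directives the article describes and assumes this syntax:
  snort.conf    output alert_fwsam: <host>[:<port>]/<password> [more agents ...]
  snortsam.conf accept <host>[/<mask>][, <password>]
plus 'port' and 'defaultkey' in snortsam.conf (an accept line without a
password falls back to defaultkey) and 898 as the default port. Treat those
details as assumptions of this example and check them against snortsam.conf.sample.
"""
import ipaddress
import re

DEFAULT_PORT = 898  # assumed SnortSAM default listening port

# Constructed sample snort.conf fragment, not from a real deployment.
SNORT_CONF = """
var HOME_NET 10.1.1.0/24
output alert_fwsam: 10.1.1.250/MY_PASSWORD 10.1.1.251:900/OTHER_PASSWORD
"""

# One constructed snortsam.conf per agent host named in SNORT_CONF.
SNORTSAM_CONFS = {
    "10.1.1.250": """
# sensors on the local subnet use an explicit password
accept 10.1.1.0/24, MY_PASSWORD
# no password on this line: defaultkey applies
accept 10.2.0.0/16
defaultkey GLOBAL_KEY
""",
    "10.1.1.251": """
port 900
accept 10.1.1.5, WRONG_PASSWORD
""",
}


def parse_fwsam_agents(snort_conf):
    """Return [(host, port, password)] for every agent on output alert_fwsam lines."""
    agents = []
    for line in snort_conf.splitlines():
        m = re.match(r"\s*output\s+alert_fwsam:\s*(.*)", line)
        if not m:
            continue
        for token in m.group(1).split():
            hostport, _, password = token.partition("/")
            host, _, port = hostport.partition(":")
            agents.append((host, int(port) if port else DEFAULT_PORT, password))
    return agents


def parse_snortsam_conf(text):
    """Return ([(network, password or None)], defaultkey, port) from a snortsam.conf."""
    accepts, defaultkey, port = [], None, DEFAULT_PORT
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, rest = line.partition(" ")
        key = key.lower()
        if key == "defaultkey":
            defaultkey = rest.strip()
        elif key == "port":
            port = int(rest.strip())
        elif key == "accept":
            net, _, pw = rest.partition(",")
            accepts.append((ipaddress.ip_network(net.strip(), strict=False), pw.strip() or None))
    return accepts, defaultkey, port


def check_sensor(sensor_ip, snort_conf=SNORT_CONF, snortsam_confs=SNORTSAM_CONFS):
    """For each agent the sensor would contact, say whether its requests would be accepted.

    Statuses: ok, port-mismatch, sensor-not-accepted, password-mismatch, no-snortsam-conf.
    """
    sensor = ipaddress.ip_address(sensor_ip)
    report = []
    for host, port, password in parse_fwsam_agents(snort_conf):
        if host not in snortsam_confs:
            report.append((host, "no-snortsam-conf"))
            continue
        accepts, defaultkey, agent_port = parse_snortsam_conf(snortsam_confs[host])
        if agent_port != port:
            report.append((host, "port-mismatch"))
            continue
        expected = None
        for net, pw in accepts:  # first matching accept line wins (assumption)
            if sensor in net:
                expected = pw if pw is not None else defaultkey
                break
        if expected is None:
            report.append((host, "sensor-not-accepted"))
        elif expected != password:
            report.append((host, "password-mismatch"))
        else:
            report.append((host, "ok"))
    return report


if __name__ == "__main__":
    for ip in ("10.1.1.5", "10.2.3.4", "10.9.9.9"):
        print(ip, check_sensor(ip))
```

Run it with the sensor's own address. A password-mismatch or sensor-not-accepted result is the misconfiguration the paragraph above warns about: the sensor would send blocking requests that the SnortSAM agent does not accept, so no firewall change ever happens.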

Once you have the output plug-in configured, you need to configure the Snort rules that should invoke a block on the firewall. To do this, add a new rule option, fwsam. It is made up of two elements: which address to block and for how long. For example:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt";
uricontent:"/bin/ps"; nocase;
classtype:web-application-attack; sid:1328; rev:6;)

Add 'fwsam: src, 5 minutes;' so that the rule reads (blocking the attacker for 5 minutes):

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS
$HTTP_PORTS (msg:"WEB-ATTACKS /bin/ps command attempt";
flow:to_server,established;
uricontent:"/bin/ps"; nocase;
classtype:web-application-attack; sid:1328;
rev:6; fwsam: src, 5 minutes;)
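The edit shown above can be scripted and checked. The Python below is an added example, not code from the article or from Snort or SnortSAM: it splits a rule into its options (respecting quoted strings), appends an fwsam option the way the text does, converts the duration to seconds, and flags rules whose block target is one of your own address variables. Beyond the article it assumes that the target may be spelled src/source or dst/dest/destination with an optional [how] suffix, that the duration is a count plus a time unit (a bare count meaning seconds, 0 meaning a permanent block), and that OWN_NET_VARS names your own hosts; those are this example's assumptions, not documented SnortSAM behaviour.

```python
"""Parse Snort rules and work with the SnortSAM 'fwsam' rule option.

Added example; this is not code from the article or from Snort or SnortSAM.
It follows the option shape the article shows, fwsam: <who>, <duration>;
and assumes, beyond the article, that <who> may be spelled src/source or
dst/dest/destination with an optional [how] suffix such as src[in], and
that <duration> is a count plus unit (seconds, minutes, hours, days, weeks),
a bare count in seconds, or 0 for a permanent block. The OWN_NET_VARS set
used by self_block_risk is this example's own heuristic.
"""
import re

WHO = {"src", "source", "dst", "dest", "destination"}
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}
OWN_NET_VARS = {"$HOME_NET", "$HTTP_SERVERS", "$SMTP_SERVERS", "$DNS_SERVERS"}

# Constructed from the article's sid:1328 rule, before the fwsam option is added.
BASE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS '
    '(msg:"WEB-ATTACKS /bin/ps command attempt"; flow:to_server,established; '
    'uricontent:"/bin/ps"; nocase; classtype:web-application-attack; sid:1328; rev:6;)'
)


def split_rule(rule):
    """Return (header, [option strings]); a ';' inside double quotes does not split."""
    header, _, body = rule.strip().partition("(")
    if not body.endswith(")"):
        raise ValueError("rule is missing its closing parenthesis")
    options, current, quoted = [], [], False
    for ch in body[:-1]:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    options.append("".join(current).strip())
    return header.strip(), [o for o in options if o]


def parse_fwsam(rule):
    """Return (who, seconds) for the rule's fwsam option, or None if there is none.

    seconds == 0 means a permanent block. Raises ValueError on a malformed option.
    """
    for option in split_rule(rule)[1]:
        name, _, value = option.partition(":")
        if name.strip().lower() != "fwsam":
            continue
        who, _, duration = value.partition(",")
        who, duration = who.strip().lower(), duration.strip().lower()
        if who.split("[", 1)[0] not in WHO:
            raise ValueError(f"fwsam: unknown block target {who!r}")
        m = re.fullmatch(r"(\d+)\s*([a-z]+)?", duration)
        if not m:
            raise ValueError(f"fwsam: bad duration {duration!r}")
        count, unit = int(m.group(1)), (m.group(2) or "seconds").rstrip("s")
        if unit not in UNITS:
            raise ValueError(f"fwsam: unknown time unit {unit!r}")
        return who, count * UNITS[unit]
    return None


def add_fwsam(rule, who, duration):
    """Append 'fwsam: <who>, <duration>;' to a rule that does not carry one yet."""
    if parse_fwsam(rule) is not None:
        raise ValueError("rule already has an fwsam option")
    stripped = rule.rstrip()
    if not stripped.endswith(")"):
        raise ValueError("rule is missing its closing parenthesis")
    return f"{stripped[:-1].rstrip()} fwsam: {who}, {duration};)"


def self_block_risk(rule):
    """True when the fwsam target is an address variable naming your own hosts.

    Blocking 'src' on a rule whose source is $HOME_NET, for example, would cut
    off an internal machine; this is a heuristic of this example, not a SnortSAM check.
    """
    found = parse_fwsam(rule)
    if found is None:
        return False
    parts = split_rule(rule)[0].split()  # action proto src sport dir dst dport
    src_var, direction, dst_var = parts[2], parts[4], parts[5]
    if direction == "<>":
        return src_var in OWN_NET_VARS or dst_var in OWN_NET_VARS
    blocks_source = found[0].split("[", 1)[0] in ("src", "source")
    return (src_var if blocks_source else dst_var) in OWN_NET_VARS


BLOCKING_RULE = add_fwsam(BASE_RULE, "src", "5 minutes")

if __name__ == "__main__":
    print(BLOCKING_RULE)
    print(parse_fwsam(BLOCKING_RULE), self_block_risk(BLOCKING_RULE))
```

Running self_block_risk over a whole rule set before enabling blocking is a cheap guard against a rule that fires on your own hosts and then has the firewall shut them out.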

Final Thoughts

The concept of integrating intrusion detection systems with firewalls is still in its infancy. SnortSAM is not perfect, but it is most likely the best available open source security solution to accomplish the task. To learn more about SnortSAM configuration, be sure to read SnortSAM's manual.
