Previous Section  < Day Day Up >  Next Section

8.5 Controlling Your Border

SnortSAM is a plug-in for Snort that can be found at http://www.snortsam.net. It was developed by a team of people who saw the value in coupling a strong attach detection mechanism with the ability to change access controls on border devices—stopping an attack in progress. SnortSAM can order changes in the access control lists of the following network border devices:

Checkpoint Firewall-1
Cisco PIX Firewall
Cisco Routers
Netscreen firewall
IP Filter (ipf)—Unix-based OS firewall
Linux ipchains
Linux iptables
Watchguard firewall

SnortSAM consists of two components: a patch for the Snort sensor itself and the SnortSAM application, which can be run on the Snort sensor or another, dedicated SnortSAM system. SnortSAM allows the Snort sensor to act as a gateway IDS by running multiple interfaces, enabling routing, and running Iipchains or iptables. When an alert is detected, the ipchains or iptables access lists are modified to block traffic from the offending network. More commonly, a Snort sensor is configured to modify the access control lists for existing border devices using SnortSAM. The requested blocks can be given a specific lifetime, so that they do not last forever.

8.5.1 Installing SnortSAM

The first step in installing SnortSAM is to download and unpack the source code. There are some precompiled SnortSAM binaries for a wide range of operating systems that you can use, but I prefer to compile my own. After downloading the source, create a directory (I usually put the source in /usr/local/src/snortsam/ ), and copy the gzipped tarball to the directory. To install SnortSAM on your designated SnortSAM system (could be the system running Snort or a separate system altogether—please note that version numbers will change over time), use this:

# cd /usr/local/src/snortsam

# tar -zxvf snortsam-src-2.23.tar.gz

# cd snortsam

# chmod +x makesnortsam.sh

# ./makesnortsam.sh

This creates the binary called snortsam that you can copy to a directory such as /usr/local/bin. The above process creates a binary on FreeBSD, Linux, and Solaris. To compile for Windows, open the file called SnortSam.dsp with Visual C++ and select the project that you want to compile (Normal, in all likelihood).

8.5.2 Patching Snort to Enable Support for SnortSAM

Download snortsam-patch.tar.gz from http://www.snortsam.net/files/snort-plugin/snortsam-patch.tar.gz and make a directory to store the patch source (I use /usr/local/src/snortsam-patch/ ). Copy the patch source to this directory. To apply the patch to Snort (substitute the path to the Snort source directory), use this:

# cd /usr/local/src/snortsam-patch/

# tar -zxvf snortsam-patch.tar.gz

# chmod +x patchsnort.sh

# ./patchsnort.sh /usr/local/src/snort/snort2.1.x/

Then recompile Snort.

8.5.3 Starting SnortSAM

Running SnortSAM is simple since it only needs to be supplied with one argument: the location of the snortsam.conf file. The file needs to be built from scratch (I suggest locating it in /usr/local/etc/ ). You only need to include the applicable options for your environment. Append the desired configuration options in the snortsam.conf file. When supplying a pres-hared key, this is simply a string of characters that both the server and sensor knows, used to encrypt the traffic. The snortsam.conf file can include the following options:


accept < addresses from which to accept alerts>/< net mask>,< pre-shared key>

Designates the address of Snort sensors that are allowed to send the SnortSAM server blocking requests. The pre-shared key is used to encrypt the communication between the sensor and the SnortSAM server (the two-fish algorithm is used). Here's an example:

accept 192.168.1.0/24, supersecretkey


defaultkey < pre-shared key>

This is a pre-shared key that needs to be configured in the snort.conf file on the sensors, as well. SnortSAM uses the default key if one is not specified for a particular sensor. Here's an example:

defaultkey supersecretdefaultkey


port < port number>

The port number that SnortSAM uses to communicate with Snort sensors (898 is the default). Here's an example:

port 6666


dontblock < address or DNS hostname>

Specifies hosts that should never be blocked. This list is referred to as the White List in the documentation. It can be a single IP address, a range of address (address/mask bits—for example, 10.10.10.0/24), or a hostname. There can only be one entry per line, but there can be an unlimited number of lines. Here's an example:

dontblock a.root-servers.net

dontblock 192.168.0.0/16


logfile < filename>

A file that SnortSAM can use to log its activity. Here's an example:

logfile snortsam.log


loglevel < level>

This defaults to level 2. The default is suggested, but the options are as follows.

0:

Quiet

No logging occurs.

1:

Sparse

Only errors are logged.

2:

Normal

Errors and blocks are logged.

3:

Verbose

Additional information (such as connections/disconnections) are logged as well.


Here's an example:

loglevel 1


include < filename>

You can specify additional files to include in the configuration. SnortSAM comes with a list of the root name servers to include in your white list called rootservers.cfg. You could keep another file called donotblock.conf that contains the entire white list and include it, as well. Here's an example:

include rootservers.cfg


daemon

This option takes no arguments. If it is present, SnortSAM runs in Daemon mode—similar to the -D option in Snort. Here's an example:

daemon


skipinterval <time period>

This defaults to a value of 10 seconds. It causes SnortSAM to ignore the same block request if it falls within the specified time period. Here's an example:

skipinterval 60 secs


skiphosts < integer>

Works with skipinterval and designates how many blocks are kept in memory. Here's an example:

skiphosts 30


rollbackhosts < integer>

Tells SnortSAM to keep a record of the designated number of blocking requests for each Snort sensor. These traffic blocks are disabled if the rollback threshold is exceeded. Here's an example:

rollbackhosts 20


rollbackthreshold < integer> / < time period>

If more than <integer> blocking requests occur in a given <time period>, SnortSAM "unblocks" the number of blocks designated in the rollbackhosts directive.Here's an example:

rollbackthreshold 30 / 60 secs


rollbacksleeptime < time period>

Tells SnortSAM to ignore new blocking requests for the specified period of time, giving SnortSAM time to catch up and reduce the load. Defaults to 15 minutes.Here's an example:

rollbacksleeptime 2 minutes

You need to include configuration information for the firewalls SnortSAM will use to block offending addresses. Below are examples for the Cisco PIX, ipchains, and iptables. For details on supporting other firewalls (like Checkpoint or Watchguard, or Cisco Routers), refer to the documentation:


pix < ip_address_of_PIX_firewall> < telnet_password> < enable_password>


pix < ip_address_of_PIX_firewall> < username/password> < enable_password>

Instructs SnortSAM to telnet to the PIX firewall located at the designated address, log in with the supplied password (or, in the second case, the TACACS or RADIUS username and password), enter enable mode with the supplied password, and generate a SHUN command. The SHUN command blocks the offending address, supplied by the patched Snort sensor. If the enable password is not included on the configuration line, the telnet password will be used for both.Here's an example:

pix 10.10.10.1 p1xp455w0rd 3n4bl3p455w0rd


ipchains < interface> < log_option>

SnortSAM uses this option when it's running on the Linux router running ipchains. ipchains creates a blocking rule for the reported naughty address on the specified interface. Optionally, a log option can be designated (log or logall).Here's an example:

ipchains eth0


iptables < interface> < log_option>

SnortSAM uses this option when it's on a Linux router running iptables. It creates a blocking rule for the offending address on the specified interface. Optionally, a log option can be designated. Here's an example:

iptables eth1

Once the snortsam.conf is built, you can run SnortSAM, designating the location of the file:

# /usr/local/bin/snortsam /usr/local/etc/snortsam.conf

8.5.4 Supporting the SnortSAM Output Plug-in

Add a line in the snort.conf on the Snort sensor so it can send notifications to the SnortSAM server (this might be the sensor system itself). Add the following line to the snort.conf file:

output alert_fwsam: <SnortSam Server IP address>:<port>/<pre-shared key>

This tells Snort to send SnortSAM blocking instructions to the SnortSAM server located at the designated IP address. If the server is using a nonstandard port, it can be designated here. Finally, include the pre-shared key that you entered into the accept line in the snortsam.conf file. These two keys must match exactly. Here's an example:

output alert_fwsam: 192.168.1.1:6666/pr3sh4r3dk3y

8.5.5 Modifying Rules That Trigger Block Requests

Once you have the output plug-in configured, modify the rules that generate blocking requests. To do this, you'll use a new rule option, fwsam. It's made up of these elements:


<which host to block>

Can be src, source, dst, dest, or destination. Designates which address should be blocked. In Snort rules, the source address is always before the direction indicator (->). For some rules, the "bad guys" would be the source and for others, the destination. Examine what the rule is doing before making this choice. See the examples below for an illustration.


<duration>

Duration of block in seconds, minutes, hours, days, weeks, or years. A value of 0, or the keyword PERM, INF, or ALWAYS blocks the host permanently.

Here are some examples. The following blocks the destination address for the packet that triggered the alert for 1 hour:

alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft 

cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows"; 

content:"(C) Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0; 

reference:nessus,11633; classtype:successful-admin; sid:2123; rev:1; 

fwsam: dst, 1 hour;)

The following blocks the source address for the packet that triggered the alert for 15 minutes:

alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation 

attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|"; 

content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack; 

reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:

2003; rev:2; fwsam: src, 15 minutes;)

    Previous Section  < Day Day Up >  Next Section