8.5 Controlling Your Border
SnortSAM is a plug-in for Snort that can be found at http://www.snortsam.net. It was developed by
a team of people who saw the value in coupling a strong attack
detection mechanism with the ability to change access controls on
border devices, stopping an attack in progress. SnortSAM can
order changes in the access control lists of the following
network border devices:
- Checkpoint Firewall-1
- Cisco PIX Firewall
- Cisco Routers
- Netscreen firewall
- IP Filter (ipf)—Unix-based OS firewall
- Linux ipchains
- Linux iptables
- Watchguard firewall
SnortSAM consists of two components: a patch for the Snort sensor
itself and the SnortSAM application, which can run on the Snort
sensor or on a separate, dedicated SnortSAM system. SnortSAM lets the
Snort sensor act as a gateway IDS by running multiple interfaces,
enabling routing, and running ipchains or iptables locally. When an
alert fires, the ipchains or iptables rules are modified to block
traffic from the offending address. More commonly, a Snort sensor
uses SnortSAM to modify the access control lists of existing border
devices. Each requested block can be given a specific lifetime, so
that blocks do not last forever.
8.5.1 Installing SnortSAM
The first step in installing SnortSAM is to download and unpack the source code. There are some precompiled
SnortSAM binaries for a wide range of operating systems that you can
use, but I prefer to compile my own. After downloading the source,
create a directory (I usually put the source in
/usr/local/src/snortsam/ ), and copy the gzipped
tarball to the directory. To install SnortSAM on your designated
SnortSAM system (could be the system running Snort or a separate
system altogether—please note that version numbers will change
over time), use this:
# cd /usr/local/src/snortsam
# tar -zxvf snortsam-src-2.23.tar.gz
# cd snortsam
# chmod +x makesnortsam.sh
# ./makesnortsam.sh
This creates the binary called snortsam that you
can copy to a directory such as /usr/local/bin.
The above process creates a binary on FreeBSD, Linux, and Solaris. To
compile for Windows, open the file called
SnortSam.dsp with Visual C++ and select the
project that you want to compile (Normal, in all likelihood).
8.5.2 Patching Snort to Enable Support for SnortSAM
Download snortsam-patch.tar.gz from http://www.snortsam.net/files/snort-plugin/snortsam-patch.tar.gz
and make a directory to store the
patch source (I use
/usr/local/src/snortsam-patch/ ). Copy the patch
source to this directory. To apply the patch to Snort (substitute the
path to the Snort source directory), use this:
# cd /usr/local/src/snortsam-patch/
# tar -zxvf snortsam-patch.tar.gz
# chmod +x patchsnort.sh
# ./patchsnort.sh /usr/local/src/snort/snort2.1.x/
Then recompile Snort.
8.5.3 Starting SnortSAM
Running SnortSAM is simple, since it needs only one argument: the
location of the snortsam.conf file. The file
must be built from scratch (I suggest locating it in
/usr/local/etc/ ), and it need only contain the options
applicable to your environment. A pre-shared key is simply a string
of characters that both the SnortSAM server and the sensor know; it is
used to encrypt the traffic between them. The snortsam.conf file can
include the following options:
- accept <addresses from which to accept alerts>/<netmask>, <pre-shared key>
Designates the addresses of Snort sensors that are allowed to send the
SnortSAM server blocking requests. The pre-shared key is used to
encrypt the communication between the sensor and the SnortSAM server
(the Twofish algorithm is used). Here's an example:
accept 192.168.1.0/24, supersecretkey
- defaultkey <pre-shared key>
A pre-shared key that must also be configured in the
snort.conf file on the sensors.
SnortSAM uses the default key when none is specified for a
particular sensor. Here's an example:
defaultkey supersecretdefaultkey
- port <port number>
The port number on which SnortSAM listens for Snort sensors
(898 is the default). Here's an example:
port 6666
- dontblock <address or DNS hostname>
Specifies hosts that should never be blocked. The documentation refers
to this list as the White List. An entry can be a single IP
address, a range of addresses (address/mask bits, for example
10.10.10.0/24), or a hostname. There can be only one entry per line,
but there can be an unlimited number of lines. Make sure your sensors,
the SnortSAM host, and the firewalls it manages appear here; otherwise
a single alert can cut off the very devices doing the blocking.
Here's an example:
dontblock a.root-servers.net
dontblock 192.168.0.0/16
- logfile <filename>
A file that SnortSAM can use to log its activity.
Here's an example:
logfile snortsam.log
- loglevel <level>
This defaults to level 2, which is the suggested setting. The options
are as follows:
0: Quiet. No logging occurs.
1: Sparse. Only errors are logged.
2: Normal. Errors and blocks are logged.
3: Verbose. Additional information (such as connections and
disconnections) is logged as well.
Here's an example:
loglevel 1
- include <filename>
You can specify additional files to include in the configuration.
SnortSAM comes with a list of the root name servers,
rootservers.cfg, to include in your white list. You
could also keep another file, say donotblock.conf,
that contains the entire white list and include it as well.
Here's an example:
include rootservers.cfg
- daemon
This option takes no arguments. If it is present, SnortSAM runs in
daemon mode, similar to the -D option in
Snort. Here's an example:
daemon
- skipinterval <time period>
This defaults to 10 seconds. It causes SnortSAM to ignore a repeated
block request for the same address if it arrives within the specified
time period of the previous one. Here's an example:
skipinterval 60 secs
- skiphosts <integer>
Works with skipinterval and designates how many
recent blocks are kept in memory for that comparison. Here's an example:
skiphosts 30
- rollbackhosts <integer>
Tells SnortSAM to keep a record of the designated number of most
recent blocking requests for each Snort sensor. These blocks are
undone if the rollback threshold is exceeded. Here's an
example:
rollbackhosts 20
- rollbackthreshold <integer> / <time period>
If more than <integer> blocking
requests arrive in the given <time
period>, SnortSAM
"unblocks" the number of blocks
designated in the rollbackhosts
directive. This keeps a flood of alerts (accidental or deliberately
provoked) from turning into a flood of blocks. Here's an example:
rollbackthreshold 30 / 60 secs
- rollbacksleeptime <time period>
After a rollback, tells SnortSAM to ignore new blocking requests for
the specified period of time, giving SnortSAM time to catch up and
reducing the load. Defaults to 15 minutes. Here's an example:
rollbacksleeptime 2 minutes
You also need to include configuration information for the firewalls
SnortSAM will use to block offending addresses. Below are examples
for the Cisco PIX, ipchains, and iptables. For details on supporting
other firewalls (such as Checkpoint, Watchguard, or Cisco routers),
refer to the documentation:
- pix <ip_address_of_PIX_firewall> <telnet_password> <enable_password>
- pix <ip_address_of_PIX_firewall> <username/password> <enable_password>
Instructs SnortSAM to telnet to the PIX firewall at the
designated address, log in with the supplied password (or, in the
second form, the TACACS or RADIUS username and password), enter
enable mode with the supplied password, and issue the PIX shun command
for the offending address supplied by the patched Snort sensor. If the
enable password is omitted from the configuration line, the telnet
password is used for both. Keep in mind that this is a cleartext
telnet session carrying both passwords, so confine it to a protected
management network. Here's an example:
pix 10.10.10.1 p1xp455w0rd 3n4bl3p455w0rd
- ipchains <interface> <log_option>
Use this option when SnortSAM is running on a Linux router running
ipchains. SnortSAM creates a blocking rule for the reported address
on the specified interface. Optionally, a log option can be
designated (log or logall). Here's an example:
ipchains eth0
- iptables <interface> <log_option>
Use this option when SnortSAM is running on a Linux router running
iptables. SnortSAM creates a blocking rule for the offending address
on the specified interface. Optionally, a log option can be
designated. Here's an example:
iptables eth1
Once the snortsam.conf is built, you can run
SnortSAM, designating the location of the file:
# /usr/local/bin/snortsam /usr/local/etc/snortsam.conf
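As a worked illustration of how these directives fit together, here is a small checker, added here and not part of SnortSAM, that parses a constructed snortsam.conf (the directives and example values are the ones described above; the addresses and passwords are placeholders) and flags the configurations that turn automated blocking into a self-inflicted outage: sensor networks or managed firewalls missing from dontblock, an accept line open to the world, malformed time periods, and rollbackhosts without a rollbackthreshold. The whitelist rule it enforces is my own practitioner caveat, not something SnortSAM checks for you; hostname entries such as a.root-servers.net are left to SnortSAM to resolve and are skipped here.

```python
"""Lint a snortsam.conf for the mistakes that turn auto-blocking into self-DoS.
Added example (not SnortSAM's code); it understands the directives described
in this section: accept, defaultkey, dontblock, skipinterval, rollback*, pix.
"""
import ipaddress
import re

# Constructed sample config for this example; passwords are placeholders.
SAMPLE_CONF = """\
accept 192.168.1.0/24, supersecretkey
accept 10.0.0.5/32
defaultkey supersecretdefaultkey
port 898
dontblock 192.168.1.0/24
dontblock a.root-servers.net
logfile snortsam.log
loglevel 2
daemon
skipinterval 60 secs
skiphosts 30
rollbackhosts 20
rollbackthreshold 30 / 60 secs
rollbacksleeptime 2 minutes
pix 10.10.10.1 p1xp455w0rd 3n4bl3p455w0rd
iptables eth1
"""

UNITS = r"(sec|second|min|minute|hour|day|week|year)s?"
TIME_PERIOD = re.compile(rf"^\d+\s*{UNITS}$", re.I)
THRESHOLD = re.compile(rf"^\d+\s*/\s*\d+\s*{UNITS}$", re.I)


def parse_conf(text):
    """Return {directive: [argument strings]}; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        conf.setdefault(directive.lower(), []).append(args.strip())
    return conf


def to_network(token):
    """'10.0.0.0/24' or a bare address -> ip_network; None for hostnames."""
    try:
        return ipaddress.ip_network(token, strict=False)
    except ValueError:
        return None


def whitelisted(net, whitelist):
    """True if every address in net is covered by some dontblock entry."""
    return any(net.subnet_of(w) for w in whitelist if w.version == net.version)


def lint(conf):
    """Return a list of findings (an empty list means the config looks sane)."""
    findings = []
    # Hostname entries are resolved by SnortSAM itself; only literal
    # addresses and networks take part in the coverage check below.
    whitelist = [n for n in map(to_network, conf.get("dontblock", [])) if n]
    has_default = bool(conf.get("defaultkey"))
    for entry in conf.get("accept", []):
        parts = [p for p in re.split(r"[,\s]+", entry) if p]
        if not parts:
            continue
        net = to_network(parts[0])
        if net is None:
            findings.append(f"accept: cannot parse {parts[0]!r}")
            continue
        if net.prefixlen == 0:
            findings.append(f"accept {net}: any host may send block requests")
        if len(parts) < 2 and not has_default:
            findings.append(f"accept {net}: no key given and no defaultkey set")
        if not whitelisted(net, whitelist):
            findings.append(f"accept {net}: sensor network is not in dontblock")
    for entry in conf.get("pix", []):
        tokens = entry.split()
        net = to_network(tokens[0]) if tokens else None
        if net and not whitelisted(net, whitelist):
            findings.append(f"pix {net.network_address}: firewall is not in dontblock")
    for directive in ("skipinterval", "rollbacksleeptime"):
        for value in conf.get(directive, []):
            if not TIME_PERIOD.match(value):
                findings.append(f"{directive}: bad time period {value!r}")
    for value in conf.get("rollbackthreshold", []):
        if not THRESHOLD.match(value):
            findings.append(f"rollbackthreshold: want '<count> / <time period>', got {value!r}")
    if "rollbackhosts" in conf and "rollbackthreshold" not in conf:
        findings.append("rollbackhosts is set but rollbackthreshold is not; nothing triggers a rollback")
    return findings


if __name__ == "__main__":
    for finding in lint(parse_conf(SAMPLE_CONF)):
        print("WARNING:", finding)
```

Run against the sample, the checker reports exactly two problems: the second sensor (10.0.0.5) and the PIX itself are outside the white list, so a block request naming either would be honoured. Adding `dontblock 10.0.0.5` and `dontblock 10.10.10.1` clears both findings.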
8.5.4 Supporting the SnortSAM Output Plug-in
Add a line to the snort.conf on the Snort sensor
so that it can send notifications to the SnortSAM server (which may be
the sensor system itself):
output alert_fwsam: <SnortSam Server IP address>:<port>/<pre-shared key>
This tells Snort to send blocking instructions to the SnortSAM server
at the designated IP address. If the server is listening on a
nonstandard port, it is designated here. Finally, include the
pre-shared key that you entered on the accept line in
snortsam.conf (or its defaultkey); the two keys must
match exactly. Here's an example:
output alert_fwsam: 192.168.1.1:6666/pr3sh4r3dk3y
8.5.5 Modifying Rules That Trigger Block Requests
Once you have the output plug-in configured, modify the rules that
should generate blocking requests. To do this, you'll use a new rule
option, fwsam. It is made up of these elements:
- <which host to block>
Can be src, source, dst, dest, or destination. Designates which
address should be blocked. In Snort rules, the source address always
comes before the direction indicator (->). For some rules the
"bad guys" are the source, and for others the destination, so examine
what the rule is doing before making this choice. See the examples
below for an illustration.
- <duration>
Duration of the block in seconds, minutes, hours, days, weeks, or years.
A value of 0, or the keyword PERM, INF, or ALWAYS, blocks the host
permanently.
Here are some examples. The following blocks the destination address
for the packet that triggered the alert for 1 hour:
alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES Microsoft
cmd.exe banner"; flow:from_server,established; content:"Microsoft Windows";
content:"(C) Copyright 1985-"; distance:0; content:"Microsoft Corp."; distance:0;
reference:nessus,11633; classtype:successful-admin; sid:2123; rev:1;
fwsam: dst, 1 hour;)
The following blocks the source address for the packet that triggered
the alert for 15 minutes:
alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation
attempt"; content:"|04|"; depth:1; content:"|81 F1 03 01 04 9B 81 F1 01|";
content:"sock"; content:"send"; reference:bugtraq,5310; classtype:misc-attack;
reference:bugtraq,5311; reference:url,vil.nai.com/vil/content/v_99992.htm; sid:
2003; rev:2; fwsam: src, 15 minutes;)
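Because the src/dst choice is where an auto-blocking rule goes wrong, here is an added review script (my own, not part of Snort or SnortSAM) that reads the two rules above, shortened to the options needed here, pulls out the fwsam option, resolves which header address it would block, and converts the duration to seconds using the units the option accepts. The two warnings it raises are practitioner caveats of my own, not something this section states: a rule that blocks a $HOME_NET address lets an attack on an internal host take that host offline, and a rule that blocks the source of a connectionless protocol (UDP or ICMP) can be fed a forged packet to get an arbitrary host blocked. The option split is deliberately naive and assumes no semicolons inside quoted strings.

```python
"""Check the fwsam option on Snort rules before letting them fire block requests.
Added example, not part of Snort or SnortSAM; the warnings encode my own
caveats about which address a rule blocks, not behaviour of either tool.
"""
import re

# The two rules from this section, shortened to the options needed here.
SAMPLE_RULES = [
    'alert tcp $HOME_NET !21:23 -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES '
    'Microsoft cmd.exe banner"; flow:from_server,established; '
    'content:"Microsoft Windows"; sid:2123; rev:1; fwsam: dst, 1 hour;)',
    'alert udp $EXTERNAL_NET any -> $HOME_NET 1434 (msg:"MS-SQL Worm propagation '
    'attempt"; content:"|04|"; depth:1; sid:2003; rev:2; fwsam: src, 15 minutes;)',
]

UNIT_SECONDS = {"sec": 1, "second": 1, "min": 60, "minute": 60,
                "hour": 3600, "day": 86400, "week": 604800, "year": 31536000}
PERMANENT = {"0", "perm", "inf", "always"}
SRC_WORDS = {"src", "source"}
DST_WORDS = {"dst", "dest", "destination"}
HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_duration(text):
    """'1 hour' -> 3600; 0 / PERM / INF / ALWAYS -> None, meaning permanent."""
    text = text.strip().lower()
    if text in PERMANENT:
        return None
    m = re.fullmatch(r"(\d+)\s*([a-z]+)", text)
    if not m:
        raise ValueError(f"bad fwsam duration {text!r}")
    count, unit = int(m.group(1)), m.group(2).rstrip("s")  # secs -> sec
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown fwsam time unit {unit!r}")
    return count * UNIT_SECONDS[unit]


def analyze_rule(rule):
    """Return what a rule's fwsam option would block, or None if it has none."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    _action, proto, src_ip, _sport, direction, dst_ip, _dport, body = m.groups()
    # Naive option split: fine for these rules, but a real parser must
    # honour semicolons inside quoted msg/content strings.
    opts = [o.strip() for o in body.split(";") if o.strip()]
    sid = next((o.split(":", 1)[1].strip() for o in opts if o.startswith("sid:")), None)
    fwsam = [o for o in opts if o.lower().startswith("fwsam:")]
    if not fwsam:
        return None
    fields = [f.strip() for f in fwsam[-1].split(":", 1)[1].split(",")]
    if len(fields) != 2 or fields[0].lower() not in SRC_WORDS | DST_WORDS:
        raise ValueError(f"malformed fwsam option {fwsam[-1]!r} in sid {sid}")
    which = "src" if fields[0].lower() in SRC_WORDS else "dst"
    blocked = src_ip if which == "src" else dst_ip  # header field before/after ->
    warnings = []
    if blocked == "$HOME_NET":
        warnings.append("blocks a $HOME_NET address: an attack on an internal "
                        "host would cut that host off")
    if which == "src" and proto.lower() in ("udp", "icmp") and direction == "->":
        warnings.append("blocks the source of a connectionless protocol: a forged "
                        "packet can get an arbitrary host blocked")
    if direction == "<>":
        warnings.append("bidirectional rule: 'src' may be either end of the conversation")
    return {"sid": sid, "proto": proto, "which": which, "blocked": blocked,
            "seconds": parse_duration(fields[1]), "warnings": warnings}


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        info = analyze_rule(rule)
        span = "permanent" if info["seconds"] is None else f"{info['seconds']} s"
        print(f"sid {info['sid']}: block {info['which']} ({info['blocked']}) "
              f"{span}; warnings: {info['warnings']}")
```

For sid 2123 the script confirms that `dst` is the external client that received the cmd.exe banner, blocked for 3600 seconds with no warnings. For sid 2003 it confirms that `src` is the external host, blocked for 900 seconds, but warns that a single UDP packet with a forged source is enough to trigger that block, so a rule like this deserves a short duration and a generous dontblock list on the SnortSAM side.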