Welcome to SnortSam

SnortSam is a plugin for Snort, an open-source light-weight Intrusion Detection System (IDS). The plugin allows for automated blocking of IP addresses on the following firewalls:

  • Checkpoint Firewall-1
  • Cisco PIX firewalls
  • Cisco Routers (using ACLs or Null-Routes)
  • Former Netscreen, now Juniper firewalls
  • IP Filter (ipf), available for various Unix-like OSes such as FreeBSD
  • FreeBSD's ipfw2 (in 5.x)
  • OpenBSD's Packet Filter (pf)
  • Linux IPchains
  • Linux IPtables
  • Linux EBtables
  • WatchGuard Firebox firewalls
  • 8signs firewalls for Windows
  • MS ISA Server firewall/proxy for Windows
  • CHX packet filter
  • Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin
  • ...and more to come...

SnortSam itself consists of two pieces -- the output plugin within Snort™ and an intelligent agent that runs on the firewall, or a host near the firewall. The agent provides a variety of capabilities that go beyond other automated blocking mechanisms, such as:

  • White-list support of IP addresses that will never be blocked.
  • Time-override list.
  • Maximum block time ceiling as well as minimum block time definition for reporting entities.
  • Flexible, per rule blocking specification, including rule dependent blocking time interval.
  • A SID filter list of allowed or denied SIDs based on reporting entity.
  • Misuse/Attack detection engine (including roll-back support) that attempts to mitigate the risk of a self-inflicted Denial-Of-Service in the IDS-Firewall integration.
  • Repetitive (same IP) block prevention with customizable window to improve performance.
  • TwoFish encrypted communication between Snort™ and the SnortSam agent.
  • True OPSEC support using the Checkpoint SDK (opsec plugin).
  • Block tracking and block expiration for firewalls that don't support timeouts.
  • Multi-threading for faster processing and simultaneous block on multiple devices.
  • File logging and email notification of events.
  • ... and finally, using the client/server (snort/snortsam) architecture to build large, distributed response networks in a very scalable fashion.
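The agent-side features above (white-list, per-sensor minimum and maximum block time, SID filter, repetitive-block suppression window, and block tracking with expiration for firewalls that lack native timeouts) interact in a fixed order when a block request arrives. The following is an added example that models that decision path in plain Python; it is not SnortSam's own code, and the class names, field names, message strings and sample sensor/attacker addresses are all constructed for illustration.

```python
"""Illustrative model of a SnortSam-style blocking agent's policy checks.

Added example, not SnortSam's own code. It models the agent-side features
described on this page: white-list, per-reporting-entity minimum/maximum
block time, SID allow/deny filter, repetitive-block suppression window, and
block expiration tracking for firewalls without their own timeouts.
All names, data structures and sample values are constructed.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SensorPolicy:
    """Per-reporting-entity limits (constructed structure)."""
    min_block: int                      # seconds; requests below this are raised
    max_block: int                      # seconds; requests above this are capped
    allowed_sids: Optional[Set[int]] = None  # None means every SID is allowed
    denied_sids: Set[int] = field(default_factory=set)


@dataclass
class Agent:
    whitelist: List[ipaddress.IPv4Network]
    sensors: Dict[str, SensorPolicy]        # sensor IP -> policy
    repeat_window: int = 30                 # seconds to ignore repeat blocks of one IP
    active: Dict[str, int] = field(default_factory=dict)     # blocked IP -> expiry time
    last_seen: Dict[str, int] = field(default_factory=dict)  # blocked IP -> last request time
    firewall_log: List[Tuple[str, str]] = field(default_factory=list)  # stands in for device calls

    def handle_request(self, sensor: str, sid: int, ip: str, duration: int, now: int) -> str:
        """Apply the checks in order and return what was decided."""
        policy = self.sensors.get(sensor)
        if policy is None:
            return "rejected: unknown sensor"            # unregistered reporting entity

        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return "ignored: white-listed"               # never block these addresses

        if sid in policy.denied_sids or (
            policy.allowed_sids is not None and sid not in policy.allowed_sids
        ):
            return "ignored: sid filtered"               # SID not permitted from this sensor

        # Clamp the requested duration into the sensor's [min, max] range.
        duration = max(policy.min_block, min(duration, policy.max_block))

        last = self.last_seen.get(ip)
        if last is not None and now - last < self.repeat_window:
            return "suppressed: repeat within window"   # avoid re-sending the same block
        self.last_seen[ip] = now

        expiry = now + duration
        if ip in self.active:
            self.active[ip] = max(self.active[ip], expiry)
            return "extended"                            # already on the device; keep the later expiry
        self.active[ip] = expiry
        self.firewall_log.append(("block", ip))
        return f"blocked for {duration}s"

    def expire(self, now: int) -> List[str]:
        """Remove blocks whose time is up; the agent does this for devices without timeouts."""
        expired = [ip for ip, exp in self.active.items() if exp <= now]
        for ip in expired:
            del self.active[ip]
            self.firewall_log.append(("unblock", ip))
        return expired


def demo():
    """Run a constructed sequence of requests through the agent."""
    agent = Agent(
        whitelist=[ipaddress.ip_network("10.0.0.0/8"),
                   ipaddress.ip_network("192.168.1.10/32")],
        sensors={"192.168.1.5": SensorPolicy(min_block=60, max_block=3600,
                                             denied_sids={1000001})},
        repeat_window=30,
    )
    results = [
        agent.handle_request("192.168.1.5", 2000001, "203.0.113.7", 7200, now=0),   # capped to max
        agent.handle_request("192.168.1.5", 2000001, "203.0.113.7", 600, now=10),   # repeat, suppressed
        agent.handle_request("192.168.1.5", 2000001, "10.1.2.3", 600, now=20),      # white-listed
        agent.handle_request("192.168.1.5", 1000001, "198.51.100.9", 600, now=30),  # denied SID
        agent.handle_request("192.168.1.5", 2000002, "198.51.100.9", 5, now=40),    # raised to min
        agent.handle_request("10.9.9.9", 2000002, "198.51.100.9", 5, now=50),       # unknown sensor
    ]
    expired = agent.expire(now=100)   # the 60 s block placed at t=40 lapses here
    return results, expired, agent.firewall_log


if __name__ == "__main__":
    for line in demo()[0]:
        print(line)
```

The ordering matters for the self-inflicted denial-of-service risk the page mentions: the white-list and SID filter run before any state is touched, so a flood of alerts for a protected address never reaches the device, and the repeat window keeps one noisy source from generating a block call per packet.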

SnortSam is open-source software, free of charge. It can be compiled under any platform and should function across different platforms (please let me know if you encounter any problems), and can be obtained through web download, FTP download, or CVS access. Links are provided in the download section.

Documentation included in the tarball is available under SnortSamDocumentation.

Examples of SnortSamUseCases, SnortSamHowTos, and a SnortSamFAQ are excellent places to begin learning what SnortSam can do for you!

-- MattJonkman - 09 Mar 2007

Topic revision: r2 - 2007-03-12 - MattJonkman
This site is powered by the TWiki collaboration platform. Copyright © Emerging Threats