SnortSam Watchguard Configuration
The Watchguard plugin supports all
WatchGuard? Firebox System 5.0 or later
versions. But NOT the SOHO-Box.
The Watchguard Plugin requires the additional software 'fbidsmate', which is
available from the Watchguard website. Download is only permitted if you have
an active service contract. Perhaps you find similar files elsewhere on the
Internet. There are three different versions depending on the target OS.
ec56fa37eaba84d0a52dd111db76dcf9 fbidsmate.exe (for Windows NT/98/2000)
15245ba11f109d35fddf424aea42afe9 fbidsmate (for Solaris)
74d0b4842b7149474f23c7ab83a2962c fbidsmate (for Linux)
To start support for Watchguard you have to add one line to the snortsam.conf
for each Watchguard you want to initiate the block on. Use the following
syntax:
watchguard <path/to/fbidsmate> <ip-of-firebox>
Also you can store the configuration passphrase in encrypted form,
so you don't have to leave it in the clear in your snortsam.conf. Then you
can use the following syntax:
watchguard <path/to/fbidsmate> <ip-of-firebox> file
To create this configpassfile
./fbidsmate import_passphrase
This stores the passphrase in the indicated file with 3DES encryption.
Example:
./fbidsmate import_passphrase mySecretPass /etc/fbidsmate.passphrase
Here an example snortsam.conf with viewable password
# cat /etc/snortsam.conf
accept 10.10.0.26
defaultkey secret
watchguard /bin/fbidsmate 10.1.0.1 mySecretPass
logfile /var/log/snortsam.log
loglevel 3
Here the same example snortsam.conf with password encrypted in file
# cat /etc/snortsam.conf
accept 10.10.0.26
defaultkey secret
watchguard /bin/fbidsmate 10.1.0.1 file /etc/fbidsmate.passphrase
logfile /var/log/snortsam.log
loglevel 3
Thomas Maier
Thomas.Maier@arcos.de
-- MattJonkman - 09 Mar 2007