Hack 88 Automated Dynamic Firewalling with SnortSam
Use SnortSam to prevent intrusions by putting
dynamic firewall rules in place to stop in-progress
attacks.
An alternative to running Snort on
your firewall and having it activate filtering rules on the machine
it's running on [Hack #87]
is to have Snort communicate which filtering rules should be put in
place on an external firewall when an intrusion is detected. To
do this, you can use SnortSam (http://www.snortsam.net).
SnortSam uses Snort's plug-in
architecture and extends Snort with the ability to notify a remote
firewall, which then dynamically applies filtering rules to stop
attacks that are in progress. Unlike
Snort_inline, which is highly dependent on
Linux, SnortSam supports a wide variety of
firewalls, such as Checkpoint, Cisco, Netscreen, Firebox,
OpenBSD's pf, and even Linux's
ipchains and iptables interfaces to Netfilter.
SnortSam is made up of two components, a Snort
plug-in and a daemon.
To set up SnortSam, first download the source
distribution and then unpack it. After you've done
that, go into the directory it created and run this command:
$ sh makesnortsam.sh
This will build the snortsam binary, which you can
then copy to a suitable place in your path (e.g.,
/usr/bin or
/usr/local/bin).
Now download the patch for Snort, which you can get from the same
site as SnortSam. After you've
done that, unpack it:
$ tar xvfz snortsam-patch.tar.gz
patchsnort.sh
patchsnort.sh.asc
snortpatch8
snortpatch8.asc
snortpatch9
snortpatch9.asc
snortpatchb
snortpatchb.asc
Next, run patchsnort.sh and specify the directory
where you're keeping Snort's
source:
$ sh patchsnort.sh snort-2.0.5
Patching Snort version 2.0...
patching file spo_alert_fwsam.c
patching file spo_alert_fwsam.h
patching file twofish.c
patching file twofish.h
patching file plugbase.c
Hunk #1 succeeded at 29 with fuzz 2 (offset -73 lines).
Hunk #2 succeeded at 639 with fuzz 2 (offset 77 lines).
Patching Makefiles...
Done
Now compile Snort as you would normally [Hack #82].
Before running SnortSam, you must create a
configuration file for it.
SnortSam's configuration syntax
is pretty easy to use, but there are quite a few options, so only a
subset of the available ones will be discussed here.
One useful option is accept, which lets
you tell SnortSam what Snort sensors are allowed
to connect to it. This option can take a CIDR-format address range, a
hostname, or a single IP address. You can optionally specify a
password as well. If you don't specify a password,
the one specified by the defaultkey option
is used.
For example, if you wanted to allow all hosts from the network
192.168.1.0/24 with the password qwijybo, you could put a line like
this in your configuration file:
accept 192.168.1.0/24, qwijybo
To specify multiple hosts on network address ranges, you can use
multiple accept entries.
Another useful option is
dontblock. This enables you to construct a
whitelist of hosts and networks that SnortSam
will not block under any circumstances. This option takes hostnames,
single IP addresses, and CIDR addresses; you can also use multiple
dontblock entries, just as you can with
accept.
To improve SnortSam's
performance, you may want to use the
skipinterval option. This option lets you
tell SnortSam how long to skip identical
blocking requests before it will resume applying rules for that
request. This ensures that SnortSam
isn't constantly requesting the firewall
to block the same IP address and port over and over again. The
skipinterval option takes a single number as its
argument, which specifies how many seconds to wait.
You'll probably want to keep tabs on what
SnortSam's doing, since
you're allowing it to modify your
firewall's rules. One way is to use the
logfile option, which will cause
SnortSam to log events such as program start,
blocking and unblocking requests, and any errors that were
encountered. This option takes a single argument, which is the
filename that the logs will be written to. The log file that you
specify will be created in /var/log.
A couple of other useful options are
daemon and bindip. The
daemon option simply tells SnortSam
to fork into the background and run as a daemon; it does
not take any arguments. The bindip option, on the
other hand, allows you to specify which IP address to listen on,
which is useful when the machine that SnortSam
is running on has multiple addresses available.
For instance, if you wanted SnortSam to listen
only on 192.168.1.15, you would use a line like this:
bindip 192.168.1.15
In addition, the default port that
SnortSam listens on is 898, but you can change
this with the port option.
After you're done with
SnortSam's options,
you'll need to tell it what kind of firewall to
communicate with and how to do it. To use SnortSam
with a Checkpoint FireWall-1 firewall, you can specify either the
fwexec or fwsam keyword. Use
fwexec when you want to run
SnortSam on the host that the firewall is
installed on, and use fwsam when
you want to communicate with a remote firewall.
The fwexec keyword takes the full pathname to the
fw executable as its only argument, whereas the
fwsam keyword uses the hostname or IP of the
firewall. In addition, you'll need to modify the
fwopsec.conf file on your firewall to include
the following line:
sam_server port 1813
To use SnortSam with a PIX firewall,
you'll need to use the pix
keyword and specify the IP address of the firewall as well as the
Telnet and enable mode passwords.
For example:
pix 192.16.1.2 telnetpw enablepw
Or, if your firewall is set up to do user authentication, you can use
user/password in place of the Telnet password.
If you want to use SnortSam with
OpenBSD's PF or Linux's
iptables, you'll
need to use the pf or iptables
keywords. For basic usage, all you need to do is specify the
interface on which to block packets.
To configure the Snort side of things, you'll need to
add the alert_fwsam output plug-in to the output
plug-ins that you're already using. This plug-in
takes a hostname and an optional port to connect to, along with a
password. If SnortSam is using the default port,
you don't need to specify the port here.
For example:
output alert_fwsam: firewall/mypassword firewall2:1025/mypassword
Notice that you can list multiple instances of SnortSam
to send block requests to by separating them with
whitespace.
Any rules that you want to trigger a
firewall rule should be modified to use the fwsam
rule option. This option takes as its arguments what to block and for
how long the block should be in effect. To block the source of the
packet that caused the alert, use src; to block
the destination, use dst. If you want to block
both, use either. For the duration you can use a
number along with a modifier specifying what unit
it's in (i.e., seconds,
minutes, hours,
days, weeks,
months, or years), or you can
use 0 to specify an indefinite period of time.
For instance, to block the source address of the packet that
triggered a rule for five minutes, you could add this to your rule
options:
fwsam: src, 5 minutes;
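Pulling the options above together, here is a constructed example of both halves of a SnortSam deployment, added here for illustration rather than taken from the SnortSam distribution: a snortsam.conf for a daemon running on a Linux iptables firewall, and the matching lines for the Snort sensor. The addresses, the interface name, the passwords and the rule are made-up values.

```conf
# --- /usr/local/etc/snortsam.conf (constructed example) ---
# Sensors permitted to send block requests, each with its own key.
accept 192.168.1.0/24, qwijybo
accept 10.10.0.5, s3nsorkey
# Hosts SnortSam must never block, whatever a sensor asks for: the
# internal network (gateway, DNS servers and the sensors themselves)
# and the remote sensor, so an alert with a forged source address
# cannot make the firewall cut off our own infrastructure.
dontblock 192.168.1.0/24
dontblock 10.10.0.5
# Ignore repeated requests for the same address/port for 30 seconds.
skipinterval 30
# Written as /var/log/snortsam.log: start-up, blocks, unblocks, errors.
logfile snortsam.log
# Listen only on the management address, on the default port 898.
bindip 192.168.1.15
port 898
# Fork into the background.
daemon
# Apply the blocks with iptables on the outside interface (assumed eth0).
iptables eth0

# --- snort.conf on the 192.168.1.0/24 sensor (constructed example) ---
# Send block requests to the SnortSam instance above; the port is
# omitted because 898 is the default.
output alert_fwsam: 192.168.1.15/qwijybo
# A rule (constructed) that blocks the offending source for five minutes.
# $EXTERNAL_NET and $HOME_NET are Snort's usual network variables.
alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Telnet connection attempt to host with no telnet service"; flags:S; fwsam: src, 5 minutes; sid:1000001; rev:1;)
```

Because the block is applied on the firewall rather than the sensor, check /var/log/snortsam.log after the first alert to confirm that the block and its later removal were both recorded.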
Now that everything is configured, start
SnortSam by running a command similar to this:
# snortsam /usr/local/etc/snortsam.conf
Of course, you'll need to substitute the full path
to your configuration file if it's not
/usr/local/etc/snortsam.conf. As for Snort, just
start it as you normally would.
For more information on using SnortSam with
other types of firewalls, be sure to check out the
README files included with the source
distribution.