installing snortsam on my Snort IDS machine

Posted on 2011-09-07
Last Modified: 2013-11-29
I currently have snort installed on my network as an IDS.  I need to figure out how to turn this IDS into an IPS.  I am looking into snortsam for this.  I don't want to use snort inline because I can't restructure my network.  I like snortsam because it works as an application from what I reading.  I was on snortsam's website and saw it was compatible with the Cisco Pix, but it didn't say anything about the ASA.  I have a Cisco ASA5520.  Does snortsam work with the Cisco ASA?  Anyone with snortsam experience, do you like the performance of snortsam?  Can you point me in a direction of some clear directions to get snortsam to work.  I would like to install snortsam on the same machine as snort.  I am using ubuntu 10.04.  Thanks.
Question by:denver218
  • 2
  • 2
LVL 38

Accepted Solution

Rich Rumble earned 500 total points
ID: 36502967
SnortSam will work with an ASA, SnortSam does require you to modify your rules more often than not, especially the rules that will take a IPS blocking action. Performance isn't a real issue, SnortSam simply puts an ACL on your router/firewall or even switch if you wish. SnortSam will unblock after a set amount of time if that rule is configured to do so.
You want to be sure that you define the host's and networks that are not to be blocked, and this means you must have a solid definition in your snort.conf of your network's hosts and ip ranges. (home_net, dns_servers etc...)
If you can test in a lab your much better off than in production, rolling back isn't a big deal, however if something goes awry in production it's not the recovery that get's noticed, it's the problem that does :)

Author Comment

ID: 36503171
Thanks.  We host a few applications for some of our customers in a datacenter.  Like I said, I do have a Cisco ASA in place right now for Security, VPNs, etc,  but I've been tasked with implementing an IPS solution as well.  I have $0 for my budget so plan plan is to install snortsam on my existing Snort IDS server.   My biggest concern is traffic being blocked that shouldn't be blocked.  Can you further explain how snortsam works in conjunction with the ASA.  Thanks.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 36503472
When a rule fires, snort will issue a command to the snortsam plugin to block that traffic. SnortSam ssh's into your firewall, and applies an ACL to block that traffic. SnortSam keeps a timer of when that block was put in place, after the time expires (and if it expires), it will again ssh into the firewall and remove that block. It's best to read all the documentation before attempting, and even better to do so in a lab or test environment. You can ignore/whitelist subnets and host's from being subject to a block using snortsam, so even if a rule is triggered, it won't issue a block. Snort rules and their arguments are in full effect even when recompiled to support SnortSam, meaning things like rule threshold apply to those rules before they are "fired". So if you have a rule that looks for RDP connections, and it has a threshold of 3, that rule won't fire until the 3rd RDP connection is made. Or if your using Emerging-Threat rules, and looking for the toolbar for example, if you have a threshold on it, it won't trigger until the threshold is met.

Author Closing Comment

ID: 36510502
Thank You for the explanation.  I will starting playing with snortsam in my Lab

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Big data transfers via information superhighways require special attention and protection. Learn more about the IT-regulations of the country where your server is located. Analyze cloud providers and their encryption systems for safe data transit. S…
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now