installing snortsam on my Snort IDS machine

Posted on 2011-09-07
Medium Priority
Last Modified: 2013-11-29
I currently have Snort installed on my network as an IDS.  I need to figure out how to turn this IDS into an IPS.  I am looking into SnortSam for this.  I don't want to use Snort inline because I can't restructure my network.  I like SnortSam because it works as an application from what I am reading.  I was on SnortSam's website and saw it was compatible with the Cisco PIX, but it didn't say anything about the ASA.  I have a Cisco ASA 5520.  Does SnortSam work with the Cisco ASA?  Anyone with SnortSam experience, do you like the performance of SnortSam?  Can you point me in the direction of some clear directions to get SnortSam to work?  I would like to install SnortSam on the same machine as Snort.  I am using Ubuntu 10.04.  Thanks.
Question by: denver218
Accepted Solution

Rich Rumble earned 2000 total points
ID: 36502967
SnortSam will work with an ASA. SnortSam does require you to modify your rules more often than not, especially the rules that will take an IPS blocking action. Performance isn't a real issue; SnortSam simply puts an ACL on your router/firewall, or even a switch if you wish. SnortSam will unblock after a set amount of time if that rule is configured to do so.
You want to be sure that you define the hosts and networks that are not to be blocked, and this means you must have a solid definition in your snort.conf of your network's hosts and IP ranges (home_net, dns_servers, etc.).
If you can test in a lab you're much better off than in production. Rolling back isn't a big deal, however if something goes awry in production it's not the recovery that gets noticed, it's the problem that does :)

Author Comment

ID: 36503171
Thanks.  We host a few applications for some of our customers in a datacenter.  Like I said, I do have a Cisco ASA in place right now for security, VPNs, etc., but I've been tasked with implementing an IPS solution as well.  I have $0 for my budget, so my plan is to install SnortSam on my existing Snort IDS server.   My biggest concern is traffic being blocked that shouldn't be blocked.  Can you further explain how SnortSam works in conjunction with the ASA?  Thanks.
Assisted Solution

by: Rich Rumble
Rich Rumble earned 2000 total points
ID: 36503472
When a rule fires, Snort will issue a command to the SnortSam plugin to block that traffic. SnortSam SSHs into your firewall and applies an ACL to block that traffic. SnortSam keeps a timer of when that block was put in place; after the time expires (and if it expires), it will again SSH into the firewall and remove that block. It's best to read all the documentation before attempting, and even better to do so in a lab or test environment. You can ignore/whitelist subnets and hosts from being subject to a block using SnortSam, so even if a rule is triggered, it won't issue a block. Snort rules and their arguments are in full effect even when recompiled to support SnortSam, meaning things like rule threshold apply to those rules before they are "fired". So if you have a rule that looks for RDP connections, and it has a threshold of 3, that rule won't fire until the 3rd RDP connection is made. Or if you're using Emerging Threats rules, and looking for the Ask.com toolbar for example, if you have a threshold on it, it won't trigger until the threshold is met.
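The block lifecycle described in the answer above, as an added model written for this page (not SnortSam's own code): a rule alert is counted against its threshold, a source in the "don't block" list never produces an ACL entry, and a timed block is removed when its timer runs out. The class name, the simulated "ssh firewall" log lines and the sample addresses are constructed for illustration; real thresholds are tracked per source or destination, which is simplified here to a per-rule counter.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockingAgent:
    """Simplified model of a SnortSam-style blocking agent (constructed example)."""
    dont_block: list                                   # networks never to be blocked (home_net, dns_servers ...)
    acl: dict = field(default_factory=dict)            # blocked ip -> expiry time (None = permanent)
    thresholds: dict = field(default_factory=dict)     # rule sid -> hits needed before the rule fires
    hits: dict = field(default_factory=dict)           # rule sid -> hits seen so far
    log: list = field(default_factory=list)            # what would be pushed to the firewall

    def _whitelisted(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(n) for n in self.dont_block)

    def alert(self, sid, src_ip, now, duration=None):
        """Snort matched rule `sid` on traffic from src_ip. Returns True if a block was pushed."""
        needed = self.thresholds.get(sid, 1)
        self.hits[sid] = self.hits.get(sid, 0) + 1
        if self.hits[sid] < needed:
            return False                               # threshold not reached: rule does not fire yet
        if self._whitelisted(src_ip):
            self.log.append(f"{now}: sid {sid} fired but {src_ip} is in dont_block, no ACL")
            return False
        expiry = None if duration is None else now + duration
        self.acl[src_ip] = expiry
        self.log.append(f"{now}: ssh firewall -> deny {src_ip} (expires {expiry})")
        return True

    def tick(self, now):
        """Timer pass: remove blocks whose duration has elapsed. Returns the unblocked IPs."""
        expired = [ip for ip, exp in self.acl.items() if exp is not None and exp <= now]
        for ip in expired:
            del self.acl[ip]
            self.log.append(f"{now}: ssh firewall -> remove deny {ip}")
        return expired


if __name__ == "__main__":
    agent = BlockingAgent(dont_block=["10.0.0.0/8"], thresholds={2001: 3})
    for t in range(3):                                 # third hit reaches the threshold
        agent.alert(2001, "203.0.113.5", now=t, duration=300)
    agent.alert(1000, "10.1.2.3", now=3, duration=60)  # internal host: whitelisted
    agent.tick(302)                                    # timer expires, block is removed
    print("\n".join(agent.log))
```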

Author Closing Comment

ID: 36510502
Thank you for the explanation.  I will start playing with SnortSam in my lab.
