[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now


installing snortsam on my Snort IDS machine

Posted on 2011-09-07
Medium Priority
Last Modified: 2013-11-29
I currently have snort installed on my network as an IDS.  I need to figure out how to turn this IDS into an IPS.  I am looking into snortsam for this.  I don't want to use snort inline because I can't restructure my network.  I like snortsam because it works as an application from what I reading.  I was on snortsam's website and saw it was compatible with the Cisco Pix, but it didn't say anything about the ASA.  I have a Cisco ASA5520.  Does snortsam work with the Cisco ASA?  Anyone with snortsam experience, do you like the performance of snortsam?  Can you point me in a direction of some clear directions to get snortsam to work.  I would like to install snortsam on the same machine as snort.  I am using ubuntu 10.04.  Thanks.
Question by:denver218
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
LVL 38

Accepted Solution

Rich Rumble earned 2000 total points
ID: 36502967
SnortSam will work with an ASA, SnortSam does require you to modify your rules more often than not, especially the rules that will take a IPS blocking action. Performance isn't a real issue, SnortSam simply puts an ACL on your router/firewall or even switch if you wish. SnortSam will unblock after a set amount of time if that rule is configured to do so.
You want to be sure that you define the host's and networks that are not to be blocked, and this means you must have a solid definition in your snort.conf of your network's hosts and ip ranges. (home_net, dns_servers etc...)
If you can test in a lab your much better off than in production, rolling back isn't a big deal, however if something goes awry in production it's not the recovery that get's noticed, it's the problem that does :)

Author Comment

ID: 36503171
Thanks.  We host a few applications for some of our customers in a datacenter.  Like I said, I do have a Cisco ASA in place right now for Security, VPNs, etc,  but I've been tasked with implementing an IPS solution as well.  I have $0 for my budget so plan plan is to install snortsam on my existing Snort IDS server.   My biggest concern is traffic being blocked that shouldn't be blocked.  Can you further explain how snortsam works in conjunction with the ASA.  Thanks.
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 2000 total points
ID: 36503472
When a rule fires, snort will issue a command to the snortsam plugin to block that traffic. SnortSam ssh's into your firewall, and applies an ACL to block that traffic. SnortSam keeps a timer of when that block was put in place, after the time expires (and if it expires), it will again ssh into the firewall and remove that block. It's best to read all the documentation before attempting, and even better to do so in a lab or test environment. You can ignore/whitelist subnets and host's from being subject to a block using snortsam, so even if a rule is triggered, it won't issue a block. Snort rules and their arguments are in full effect even when recompiled to support SnortSam, meaning things like rule threshold apply to those rules before they are "fired". So if you have a rule that looks for RDP connections, and it has a threshold of 3, that rule won't fire until the 3rd RDP connection is made. Or if your using Emerging-Threat rules, and looking for the Ask.com toolbar for example, if you have a threshold on it, it won't trigger until the threshold is met.

Author Closing Comment

ID: 36510502
Thank You for the explanation.  I will starting playing with snortsam in my Lab

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Ransomware, the malware that locks down its victim’s files until they pay up, has always been a frustrating issue to deal with. However, a recent mobile ransomware will make the issue a little more personal… by sharing the victim’s mobile browsing h…
An overview of cyber security, cyber crime, and personal protection against hackers. Includes a brief summary of the Equifax breach and why everyone should be aware of it. Other subjects include: how cyber security has failed to advance with technol…
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question