Solved

installing snortsam on my Snort IDS machine

Posted on 2011-09-07
4
1,725 Views
Last Modified: 2013-11-29
I currently have snort installed on my network as an IDS.  I need to figure out how to turn this IDS into an IPS.  I am looking into snortsam for this.  I don't want to use snort inline because I can't restructure my network.  I like snortsam because it works as an application from what I reading.  I was on snortsam's website and saw it was compatible with the Cisco Pix, but it didn't say anything about the ASA.  I have a Cisco ASA5520.  Does snortsam work with the Cisco ASA?  Anyone with snortsam experience, do you like the performance of snortsam?  Can you point me in a direction of some clear directions to get snortsam to work.  I would like to install snortsam on the same machine as snort.  I am using ubuntu 10.04.  Thanks.
0
Comment
Question by:denver218
  • 2
  • 2
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36502967
SnortSam will work with an ASA, SnortSam does require you to modify your rules more often than not, especially the rules that will take a IPS blocking action. Performance isn't a real issue, SnortSam simply puts an ACL on your router/firewall or even switch if you wish. SnortSam will unblock after a set amount of time if that rule is configured to do so.
http://doc.emergingthreats.net/bin/view/Main/SnortSamDocumentation
http://doc.emergingthreats.net/bin/view/Main/SnortSamREADMErules
You want to be sure that you define the host's and networks that are not to be blocked, and this means you must have a solid definition in your snort.conf of your network's hosts and ip ranges. (home_net, dns_servers etc...)
If you can test in a lab your much better off than in production, rolling back isn't a big deal, however if something goes awry in production it's not the recovery that get's noticed, it's the problem that does :)
-rich
0
 
LVL 4

Author Comment

by:denver218
ID: 36503171
Thanks.  We host a few applications for some of our customers in a datacenter.  Like I said, I do have a Cisco ASA in place right now for Security, VPNs, etc,  but I've been tasked with implementing an IPS solution as well.  I have $0 for my budget so plan plan is to install snortsam on my existing Snort IDS server.   My biggest concern is traffic being blocked that shouldn't be blocked.  Can you further explain how snortsam works in conjunction with the ASA.  Thanks.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 36503472
When a rule fires, snort will issue a command to the snortsam plugin to block that traffic. SnortSam ssh's into your firewall, and applies an ACL to block that traffic. SnortSam keeps a timer of when that block was put in place, after the time expires (and if it expires), it will again ssh into the firewall and remove that block. It's best to read all the documentation before attempting, and even better to do so in a lab or test environment. You can ignore/whitelist subnets and host's from being subject to a block using snortsam, so even if a rule is triggered, it won't issue a block. Snort rules and their arguments are in full effect even when recompiled to support SnortSam, meaning things like rule threshold apply to those rules before they are "fired". So if you have a rule that looks for RDP connections, and it has a threshold of 3, that rule won't fire until the 3rd RDP connection is made. Or if your using Emerging-Threat rules, and looking for the Ask.com toolbar for example, if you have a threshold on it, it won't trigger until the threshold is met.
-rich
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36510502
Thank You for the explanation.  I will starting playing with snortsam in my Lab
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Worried about if Apple can protect your documents, photos, and everything else that gets stored in iCloud? Read on to find out what Apple really uses to make things secure.
Pop culture is prime bait for hackers seeking to infect user’s computers and mobile devices with malicious malware. Hackers know exactly what the latest trends are online and know how to use them to their advantage.
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

786 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question