Solved

installing snortsam on my Snort IDS machine

Posted on 2011-09-07
4
1,748 Views
Last Modified: 2013-11-29
I currently have snort installed on my network as an IDS.  I need to figure out how to turn this IDS into an IPS.  I am looking into snortsam for this.  I don't want to use snort inline because I can't restructure my network.  I like snortsam because it works as an application from what I reading.  I was on snortsam's website and saw it was compatible with the Cisco Pix, but it didn't say anything about the ASA.  I have a Cisco ASA5520.  Does snortsam work with the Cisco ASA?  Anyone with snortsam experience, do you like the performance of snortsam?  Can you point me in a direction of some clear directions to get snortsam to work.  I would like to install snortsam on the same machine as snort.  I am using ubuntu 10.04.  Thanks.
0
Comment
Question by:denver218
  • 2
  • 2
4 Comments
 
LVL 38

Accepted Solution

by:
Rich Rumble earned 500 total points
ID: 36502967
SnortSam will work with an ASA, SnortSam does require you to modify your rules more often than not, especially the rules that will take a IPS blocking action. Performance isn't a real issue, SnortSam simply puts an ACL on your router/firewall or even switch if you wish. SnortSam will unblock after a set amount of time if that rule is configured to do so.
http://doc.emergingthreats.net/bin/view/Main/SnortSamDocumentation
http://doc.emergingthreats.net/bin/view/Main/SnortSamREADMErules
You want to be sure that you define the host's and networks that are not to be blocked, and this means you must have a solid definition in your snort.conf of your network's hosts and ip ranges. (home_net, dns_servers etc...)
If you can test in a lab your much better off than in production, rolling back isn't a big deal, however if something goes awry in production it's not the recovery that get's noticed, it's the problem that does :)
-rich
0
 
LVL 4

Author Comment

by:denver218
ID: 36503171
Thanks.  We host a few applications for some of our customers in a datacenter.  Like I said, I do have a Cisco ASA in place right now for Security, VPNs, etc,  but I've been tasked with implementing an IPS solution as well.  I have $0 for my budget so plan plan is to install snortsam on my existing Snort IDS server.   My biggest concern is traffic being blocked that shouldn't be blocked.  Can you further explain how snortsam works in conjunction with the ASA.  Thanks.
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 500 total points
ID: 36503472
When a rule fires, snort will issue a command to the snortsam plugin to block that traffic. SnortSam ssh's into your firewall, and applies an ACL to block that traffic. SnortSam keeps a timer of when that block was put in place, after the time expires (and if it expires), it will again ssh into the firewall and remove that block. It's best to read all the documentation before attempting, and even better to do so in a lab or test environment. You can ignore/whitelist subnets and host's from being subject to a block using snortsam, so even if a rule is triggered, it won't issue a block. Snort rules and their arguments are in full effect even when recompiled to support SnortSam, meaning things like rule threshold apply to those rules before they are "fired". So if you have a rule that looks for RDP connections, and it has a threshold of 3, that rule won't fire until the 3rd RDP connection is made. Or if your using Emerging-Threat rules, and looking for the Ask.com toolbar for example, if you have a threshold on it, it won't trigger until the threshold is met.
-rich
0
 
LVL 4

Author Closing Comment

by:denver218
ID: 36510502
Thank You for the explanation.  I will starting playing with snortsam in my Lab
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When speed and performance are vital to revenue, companies must have complete confidence in their cloud environment.
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question