Snortsam - A Firewall Blocking Agent for Snort
Welcome to SnortSam
SnortSam is a plugin for Snort™, an open-source light-weight Intrusion Detection System (IDS).
The plugin allows for automated blocking of IP addresses on following firewalls:
SnortSam has also been integrated with Sagan, which is a log analysis engine developed by Champ Clark. The Snortsam Output Plugin and related files (header, Twofish) are available at the Sagan GitHub repository.
SnortSam itself consists of two pieces -- the output plugin within Snort™ and an intelligent agent that runs on the firewall, or a host near the firewall.
The agent provides a variety of capabilities that go beyond other automated blocking mechanisms, such as:
SnortSam is open-source software, free of charge. It can be compiled under any platform and should function across
different platforms (please let me know if you encounter any problems). SnortSam can be
obtained through web download, FTP download, or CVS access. Links are provided in the download section.
- White-list support of IP addresses that will never be blocked.
- Time-override list.
- Maximum block time ceiling as well as minimum block time definition for reporting entities.
- Flexible, per rule blocking specification, including rule dependent blocking time interval.
- A SID filter list of allowed or denied SIDs based on reporting entity.
- Misuse/Attack detection engine (including roll-back support) that attempts to mitigate the risk of a self-inflicted Denial-Of-Service
in the IDS-Firewall integration.
- Repetitive (same IP) block prevention with customizable window to improve performance.
- TwoFish encrypted communication between Snort™ and the SnortSam agent.
- True OPSEC support using the Checkpoint SDK (opsec plugin).
- Block tracking and block expiration for firewalls that don't support timeouts.
- Multi-threading for faster processing and simultaneous block on multiple devices.
- File logging and email notification of events.
- ... and finally, using the client/server (snort/snortsam) architecture to build large, distributed response networks in a very scalable fashion.
© Copyright 2001-2013 Frank Knobbe. All rights reserved.
Snort and Sourcefire are registered trademarks of Sourcefire, Inc.