
Latest available versions
SnortSam 2 v. 2.55 03-29-06
samtool v. 1.7 03-29-06


The following are configuration examples for SnortSam and for Snort:

SnortSam   (FW-1 config, Example 1, Example 2, Example 3, Example 4)

FW-1 config: To allow SnortSam to talk to FW-1 over OPSEC, edit the file fwopsec.conf and change line 1 from sam_server auth_port 18183 to sam_server port 18183. (This file is located in /fw1/4.1/conf/ on FW-1 version 4.1, and in /fw/conf on FW-1 version 4.0.) Note that sam_server port is the SAM listener without OPSEC authentication, so make sure only the host running SnortSam can reach port 18183 on the firewall module.

For Firewall-1 NG you need to modify the file /fw1/ng/conf/fwopsec.conf as follows:
sam_server auth_port 0
sam_server port 18183


Example 1: The agent can be set up quickly. Copy snortsam.exe into a directory on the firewall, then create a file called snortsam.cfg in the same directory. In our example the Snort box has the IP address 192.168.0.25, so the configuration file must include:

accept 192.168.0.25, mypassword   # Replace with the IP of your Snort box

SnortSam will now listen for requests from 192.168.0.25 and block the IP addresses it is asked to block; requests from any other address, or with a password that does not match the accept line, are dropped. (Note: add one accept line per sensor if you have more than one Snort™ sensor.)


Example 2: To add hosts or networks that you never want to block, just add them with the dontblock statement to the configuration file. The following example will prevent the firewall from blocking the DNS root servers:

dontblock a.root-servers.net
dontblock b.root-servers.net
dontblock c.root-servers.net
(etc...)

You can also keep these lines in a separate file and pull it into your SnortSam configuration with the include statement (include rootservers.cfg).


Example 3: If you also want to prevent your internal machines from accidentally being blocked, add the following lines (the RFC 1918 private ranges) to the configuration file:

dontblock 10.0.0.0/8
dontblock 172.16.0.0/12
dontblock 192.168.0.0/16


Example 4: If your Snort™ box monitors the Internet, you might want to enable rollback support. Say you don't expect more than 10 blocking requests within 30 seconds; if that threshold is exceeded, something odd is going on (for instance an attacker spoofing source addresses so that you block legitimate hosts). You want to unblock the last 20 blocked IP addresses and wait until the rate falls back below the threshold. To do this, add the following lines to the configuration file:

rollbackthreshold 10/30
rollbackhosts 20
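To see how the accept, dontblock, rollbackthreshold and rollbackhosts settings from Examples 1 to 4 interact, here is an added example that models them in Python. It is not SnortSam's own code: the configuration fragment is constructed for the example (203.0.113.53 stands in for a DNS server you never want to block), the class and method names are my own, and how the real agent counts requests toward the threshold is an assumption noted in the comments.

```python
# Added example (not SnortSam's own code): a small model of how the accept,
# dontblock, rollbackthreshold and rollbackhosts settings behave when block
# requests arrive. Assumptions about SnortSam's exact behaviour are marked.
import ipaddress
from collections import deque

# Constructed sample configuration, combining Examples 1-4 above.
# 203.0.113.53 is a placeholder for a DNS server that must never be blocked.
SAMPLE_CFG = """
accept 192.168.0.25, mypassword   # the Snort sensor
dontblock 10.0.0.0/8
dontblock 172.16.0.0/12
dontblock 192.168.0.0/16
dontblock 203.0.113.53
rollbackthreshold 10/30
rollbackhosts 20
"""


class BlockPolicy:
    """Replays blocking requests against a snortsam.cfg-style fragment."""

    def __init__(self, cfg_text):
        self.sensors = {}               # sensor IP -> shared password
        self.never_block = []           # ip_network objects from dontblock lines
        self.rollback_threshold = None  # (requests, seconds) or None
        self.rollback_hosts = 0
        for raw in cfg_text.splitlines():
            line = raw.split("#", 1)[0].strip()   # drop comments and blanks
            if not line:
                continue
            keyword, _, rest = line.partition(" ")
            keyword, rest = keyword.lower(), rest.strip()
            if keyword == "accept":
                ip, _, password = rest.partition(",")
                self.sensors[ip.strip()] = password.strip()
            elif keyword == "dontblock":
                # a bare host address is treated as a /32
                self.never_block.append(ipaddress.ip_network(rest, strict=False))
            elif keyword == "rollbackthreshold":
                count, seconds = rest.split("/")
                self.rollback_threshold = (int(count), int(seconds))
            elif keyword == "rollbackhosts":
                self.rollback_hosts = int(rest)
        self.blocked = {}       # blocked IP -> time the block expires
        self.order = []         # IPs in the order they were blocked
        self.window = deque()   # timestamps of recent honoured requests

    def request(self, sensor, password, ip, seconds, now):
        """Returns 'rejected', 'ignored', 'blocked' or 'rollback'."""
        if self.sensors.get(sensor) != password:
            return "rejected"            # not an accepted sensor / wrong password
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.never_block):
            return "ignored"             # protected by a dontblock line
        if self.rollback_threshold:
            limit, span = self.rollback_threshold
            # Assumption: only requests that passed dontblock count toward
            # the threshold, over a sliding window of `span` seconds.
            self.window.append(now)
            while self.window and now - self.window[0] > span:
                self.window.popleft()
            if len(self.window) > limit:
                # Threshold exceeded: unblock the most recent rollbackhosts
                # entries and honour nothing until the rate drops again.
                n = self.rollback_hosts
                if n:
                    for victim in self.order[-n:]:
                        self.blocked.pop(victim, None)
                    del self.order[-n:]
                return "rollback"
        self.blocked[ip] = now + seconds
        self.order.append(ip)
        return "blocked"

    def active_blocks(self, now):
        """IPs whose block has not yet expired at time `now`."""
        return sorted(ip for ip, expiry in self.blocked.items() if expiry > now)


def demo():
    """Burst of 11 requests in 11 seconds: the 11th trips the 10/30 threshold."""
    policy = BlockPolicy(SAMPLE_CFG)
    results = [policy.request("192.168.0.25", "mypassword", f"198.51.100.{i}", 3600, i)
               for i in range(1, 12)]
    return results, policy


if __name__ == "__main__":
    results, policy = demo()
    print(results)                      # ten 'blocked', then 'rollback'
    print(policy.active_blocks(11))     # [] - the ten blocks were rolled back
```

The point of the replay is the trade-off Example 4 describes: a flood of requests in a short window is treated as evidence of a spoofing attempt against the blocking mechanism itself, so the agent gives up the most recent blocks rather than keep acting on them.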



Snort™ Configuration   (snort.conf, Example Rule 1, Example Rule 2)

Snort.conf: In order to have Snort™ send requests to the SnortSam agent, the agent needs to be listed in the Snort™ config file. In our example the IP address of the firewall is 192.168.0.1, and the password must match the one on the accept line in snortsam.cfg. Open snort.conf and add the following line:

output alert_fwsam: 192.168.0.1/mypassword

Note: To enter additional firewalls, just separate them with a space:
output alert_fwsam: 192.168.0.1/mypassword 192.168.0.5/wanfwkey


Example 1: Let's say you want to block intruders that scan for the .printer vulnerability in IIS 5 for 1 hour. Modify the existing Snort™ rule (found in web-iis.rules). The rule reads:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1;)

Now append the option fwsam: src, 1 hour; to the end of the rule body. The rule should now read:

alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"WEB-IIS ISAPI .printer access"; uricontent:".printer"; nocase; flags:A+; reference:cve,CAN-2001-0241; reference:arachnids,533; classtype:attempted-recon; sid:971; rev:1; fwsam: src, 1 hour;)

Note that the keyword src is used. Read the Snort™ rule header as alert tcp SRC -> DST: the address to block is the one on the left, $EXTERNAL_NET. There are rules in Snort™ where $EXTERNAL_NET is on the right-hand side of the ->; in those cases use the keyword dst. The next example shows this.


Example 2: Let's say you have a telnet server (or perhaps a router) within your home net. Someone from the outside has tried to log in repeatedly, and the internal device now closes the telnet session, sending the phrase 'Login failed'. You want to block the intruder for a day to keep him from hacking his way in. Modify the existing Snort™ rule as shown below:

alert tcp $HOME_NET 23 -> $EXTERNAL_NET any (msg:"TELNET Bad Login"; flags: A+; content: "Login failed"; nocase; classtype:bad-unknown; sid:492; rev:2; fwsam: dst, 1 day;)

In this case we have to use dst because the rule reads $HOME_NET 23 -> $EXTERNAL_NET any. Remember to think SRC -> DST: SRC here is $HOME_NET (the IP address of the telnet device) and DST is the foreign IP address, which is the one to block.






© Copyright 2001-2007 Frank Knobbe. All rights reserved.
Snort and Sourcefire are registered trademarks of Sourcefire, Inc.