Automated Dynamic Firewalling with SnortSam
Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.
An alternative to running Snort on your firewall and having it activate filtering rules on the machine it’s running on is to have Snort tell an external firewall which filtering rules should be put in place when an intrusion is detected. To do this, you can use SnortSam.
SnortSam uses Snort’s plug-in architecture and extends Snort with the ability to notify a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on
SnortSam supports a wide variety of firewalls, such as Checkpoint, Cisco, Netscreen, Firebox, OpenBSD’s pf, and even Linux’s ipchains and iptables interfaces to Netfilter.
SnortSam is made up of two components, a Snort plug-in and a daemon.
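To show how those two components are wired together, here is an added configuration sketch that is not taken from the page or from the SnortSam distribution. The directive names are SnortSam’s snortsam.conf directives and Snort’s alert_fwsam output plug-in and fwsam rule option as documented by the project; the addresses, shared key, interface name and rule SID are placeholders.

```conf
# --- snortsam.conf on the firewall host (constructed example) ---
# TCP port the daemon listens on for notifications from Snort sensors
port 898
# Accept blocking requests only from this sensor, authenticated with a shared key
# (placeholder address and key)
accept 192.0.2.10/32, ExampleSharedKey
# Apply blocks with iptables on the external interface (interface name is a placeholder)
iptables eth0
# Never block these hosts even if a rule asks for it: a spoofed source address in an
# attack could otherwise make the IDS lock out your own gateway, DNS or management hosts
dontblock 192.0.2.1
dontblock 192.0.2.0/24
# Record every block and unblock so the automatic actions can be audited later
logfile /var/log/snortsam.log
loglevel 3

# --- snort.conf on the sensor (constructed example) ---
# Send fwsam requests to the SnortSam daemon above, using the same shared key
output alert_fwsam: 192.0.2.1:898/ExampleSharedKey

# --- local.rules on the sensor (constructed example) ---
# Besides alerting, this rule asks SnortSam to block the offending source for
# 10 minutes. Keep blocks short: the aim is to cut off an attack in progress,
# not to build a permanent blacklist from every alert.
alert tcp any any -> $HOME_NET 22 (msg:"SSH connection flood, blocking source"; \
    flow:to_server; threshold:type threshold, track by_src, count 5, seconds 60; \
    fwsam: src, 10 minutes; sid:1000001; rev:1;)
```

The sensor’s address in the accept line and the daemon’s address in the output line must match the hosts you actually deploy, and the dontblock list should cover every host whose loss of connectivity would hurt more than the attack being stopped.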
To set up SnortSam, first download the source distribution and then unpack it. After you’ve done that, go into the directory it created and run this command:
This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g.,
Now download the patch for Snort, which you can get from the same
SnortSam. After you’ve done that, unpack it:

tar xvfz snortsam-patch.tar.gz
NOTE
patchsnort.sh
patchsnort.sh.asc
snortpatch8
snortpatch8.asc
snortpatch9
snortpatch9.asc
...