Use SnortSam to prevent intrusions by putting dynamic firewall rules in place to stop in-progress attacks.
An alternative to running Snort on your firewall and having it activate filtering rules on the machine it's running on [Hack #87] is to have Snort communicate which filtering rules should be put in place on an external firewall when an intrusion is detected. To do this, you can use SnortSam (http://www.snortsam.net).

SnortSam uses Snort's plug-in architecture and extends Snort with the ability to notify a remote firewall, which then dynamically applies filtering rules to stop attacks that are in progress. Unlike Snort_inline, which is highly dependent on Linux, SnortSam supports a wide variety of firewalls, such as Checkpoint, Cisco, Netscreen, Firebox, OpenBSD's pf, and even Linux's ipchains and iptables interfaces to Netfilter. SnortSam is made up of two components: a Snort plug-in and a daemon.
To set up SnortSam, first download the source distribution and then unpack it. After you've done that, go into the directory it created and run this command:

$ sh makesnortsam.sh

This will build the snortsam binary, which you can then copy to a suitable place in your path (e.g., /usr/bin or /usr/local/bin).
Now download the patch for Snort, which you can get from the same site as SnortSam. After you've done that, unpack it:

$ tar xvfz snortsam-patch.tar.gz
patchsnort.sh
patchsnort.sh.asc
snortpatch8
snortpatch8.asc
snortpatch9
snortpatch9.asc
...
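The unpacked patch ships a detached .asc signature next to each file, so the build-and-patch steps above are a natural place to check integrity before modifying the Snort source tree. The following helper functions are an added example written for this page, not code from the book or from the SnortSam project. They assume gpg is installed and that the SnortSam signing key (not given on the page) has already been imported into your keyring; the paths in the usage comment are examples.

```shell
#!/bin/sh
# Added example (not from the book or the SnortSam project): wrap the
# SnortSam build/patch steps with two checks, so that a patch file
# without a companion .asc signature, or one whose signature does not
# verify, stops the procedure before the Snort source is touched.
# Assumes gpg is installed and the SnortSam signing key is already in
# the keyring (hypothetical; the page does not list the key).

# Print the names of files in $1 that have no companion .asc signature.
# Returns 0 when every file is signed, 1 otherwise.
list_unsigned() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.asc) continue ;; esac
        if [ ! -f "$f.asc" ]; then
            echo "${f##*/}"
            rc=1
        fi
    done
    return $rc
}

# Verify every detached signature in $1 with gpg; stop at the first
# failure so a bad or missing key cannot be silently skipped.
verify_signatures() {
    dir=$1
    for sig in "$dir"/*.asc; do
        [ -f "$sig" ] || continue
        gpg --batch --verify "$sig" "${sig%.asc}" || return 1
    done
    return 0
}

# Copy the freshly built snortsam binary into the chosen bin directory
# ($2), refusing anything that is not an executable regular file.
install_binary() {
    src=$1
    dest=$2
    [ -f "$src" ] && [ -x "$src" ] || return 1
    mkdir -p "$dest" || return 1
    install -m 0755 "$src" "$dest/snortsam"
}

# Usage, following the steps on the page (paths are examples):
#   sh makesnortsam.sh
#   install_binary ./snortsam /usr/local/bin
#   mkdir patch && tar xvfz snortsam-patch.tar.gz -C patch
#   list_unsigned patch && verify_signatures patch
```

list_unsigned prints the names of any unsigned files and returns non-zero, so it can gate verify_signatures in a one-liner; verify_signatures then relies on gpg's own exit status, which is non-zero both for a bad signature and for a signer whose key is not in the keyring.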