SnortSAM is a plug-in for Snort that can be found at http://www.snortsam.net. It was developed by a team of people who saw the value in coupling a strong attack detection mechanism with the ability to change access controls on border devices, stopping an attack in progress. SnortSAM can order changes in the access control lists of the following network border devices:
|Cisco PIX Firewall|
|IP Filter (ipf)—Unix-based OS firewall|
SnortSAM consists of two components: a patch for the Snort sensor itself (an output plug-in that sends block requests) and the SnortSAM agent application, which can run on the Snort sensor or on a separate, dedicated SnortSAM system. SnortSAM allows the Snort sensor itself to act as a gateway IDS by running multiple interfaces, enabling routing, and running ipchains or iptables. When an alert is detected, the ipchains or iptables access lists are modified to block traffic from the offending host or network. More commonly, a Snort sensor is configured to modify the access control lists of existing border devices through SnortSAM. The requested blocks can be given a specific lifetime, so that they do not last forever.
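The block-with-lifetime behaviour described above, shown as an added example rather than SnortSAM's own code or protocol: a small Python agent that turns a block request into an iptables rule, extends the block when the same address is reported again, and deletes the rule once the lifetime has elapsed. The class name, the never-block list (so a spoofed alert cannot make the agent cut off its own gateway or DNS) and the dry-run mode that only records commands are assumptions made for illustration; SnortSAM's real agent, wire format and configuration differ.

```python
"""Hypothetical block agent illustrating what SnortSAM does on an iptables host.

Constructed for this page; it is not SnortSAM's own code or protocol.
Run with apply=True (as root) to really touch iptables; the default is a
dry run that only records the commands it would issue.
"""
import ipaddress
import subprocess
import time


class BlockAgent:
    def __init__(self, never_block=(), chain="INPUT", apply=False, clock=time.time):
        # Addresses that must never be blocked (gateways, DNS, the sensor
        # itself). Hypothetical setting, not a SnortSAM option.
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.chain = chain
        self.apply = apply
        self.clock = clock
        self.active = {}   # blocked address -> expiry (seconds since epoch)
        self.issued = []   # every argv list the agent has run or would run

    def _run(self, argv):
        # argv is passed as a list, so an address can never be shell-expanded.
        self.issued.append(argv)
        if self.apply:
            subprocess.run(argv, check=True)

    @staticmethod
    def _tool(addr):
        return "ip6tables" if addr.version == 6 else "iptables"

    def is_protected(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def block(self, ip, lifetime):
        """Block `ip` for `lifetime` seconds. Returns True if a block is in force."""
        addr = ipaddress.ip_address(ip)      # raises ValueError on garbage input
        if lifetime <= 0 or self.is_protected(addr):
            return False
        expiry = self.clock() + lifetime
        key = str(addr)
        if key in self.active:
            # Repeated alerts extend the existing block; never insert a duplicate rule.
            self.active[key] = max(self.active[key], expiry)
            return True
        self._run([self._tool(addr), "-I", self.chain, "-s", key, "-j", "DROP"])
        self.active[key] = expiry
        return True

    def expire(self):
        """Remove rules whose lifetime has elapsed; returns the addresses released."""
        now = self.clock()
        released = []
        for ip, expiry in list(self.active.items()):
            if expiry <= now:
                addr = ipaddress.ip_address(ip)
                self._run([self._tool(addr), "-D", self.chain, "-s", ip, "-j", "DROP"])
                del self.active[ip]
                released.append(ip)
        return released


def demo():
    """Dry run with a fake clock so the lifetime can be driven deterministically."""
    now = [1000.0]  # constructed clock value
    agent = BlockAgent(never_block=["192.168.1.0/24", "10.0.0.53/32"],
                       clock=lambda: now[0])
    results = {
        "gateway_refused": agent.block("192.168.1.1", 900),   # protected, not blocked
        "attacker_blocked": agent.block("203.0.113.9", 900),  # rule inserted, expiry 1900
        "repeat_extended": agent.block("203.0.113.9", 1800),  # no second rule, expiry 2800
    }
    now[0] += 1000
    results["released_early"] = agent.expire()   # t=2000: still active
    now[0] += 1000
    results["released_late"] = agent.expire()    # t=3000: rule removed
    results["issued"] = agent.issued
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Expiry is driven by calling expire() periodically; a real agent would do that from a timer or its main loop. Lifetime 0 is refused here because a rule with no expiry is exactly the state the text warns against; that is this example's policy, not SnortSAM's.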
The first step in installing SnortSAM is to download and unpack the source code. There are some precompiled SnortSAM binaries for a wide range of operating systems that you can use, but I prefer to compile my own. After downloading the source, create a directory (I usually ...