README
1README - Frank Knobbe <frank@knobbe.us>
2-------------------------------------------------------------------------------
3
4
5Forthcoming. Please see INSTALL (and the old FAQ). Also, README.conf is useful
6for a list of options. Finally, some firewall dependent information is already
7available in README.<firewall> files. Others will be added shortly.
8
9
10
11-------------------------------------------------------------------------------
12$Id: README,v 1.2 2003/01/16 05:54:23 fknobbe Exp $
13
14
README.ciscoacl
1README.ciscoacl - Ali Basel <alib@sabanciuniv.edu>
2-------------------------------------------------------------------------------
3
4THE CISCOACL PLUGIN DOES NOT DOWNLOAD THE CONFIG FILE FROM THE ROUTERS PER
5DEFAULT!
6
7The ciscoacl plugin lets you deny the attackers using ACL on the Cisco routers.
8
9In order to use the ciscoacl plugin, first of all, you have to prepare an ACL file which has a special format.
10If you already use an ACL, you must add your ACL statements into that ACL file.
11Here is the format of that "acl_file":
12
13conf t
14interface interfacename <--- put your interface name here
15no ip access-group test_acl out <--- you can use "out" or "in" here. ("test_acl" is the name of your ACL)
16exit
17no ip access-list extended test_acl <--- the name of the acl (named ACLs)
18ip access-list extended test_acl
19snortsam-ciscoacl-begin <--- my plugin will insert the blocking statements here
20snortsam-ciscoacl-end
21... <--- if you already have an ACL, put it here
22permit ip any any <--- if you don't already have an ACL, use this line instead
23exit
24interface interfacename
25ip access-group test_acl out
26end
27
28
29All the ciscoacl plugin does is to insert (and remove when the blocking time expires) "deny ip host attacker-ip any" statements into the "acl_file" between "snortsam-ciscoacl-begin" and "snortsam-ciscoacl-end" and upload the "acl_file" into the router(s).
30
31In order to use the ciscoacl plugin, you have to supply a simple snortsam.conf config file which must have a "ciscoacl" config-line like the one below:
32
33/etc/snortsam.conf
34# ciscoacl plugin is not compatible with the threaded version due to the nature of ACLs.
35# DISABLE threads
36nothreads
37#
38accept IP_of_the_host_running_snort
39defaultkey secret
40ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword /full_path/acl_file
41logfile /var/log/snortsam.log
42loglevel 3
43
44
45The ciscoacl plugin offers three ways to upload to "acl_file" into the router:
461. The default method: telnet
47 When the default telnet method is used, the pluging makes a telnet connection, does the authentication, and issues thecommands on the "acl_file".
48
492. tftp
50 When the present ACL have a lot of lines, it takes long time to upload the "acl_file" using the first method above. I that case, tftp: should be used.
51 When this method is used, the ciscoacl plugin makes a telnet connection into the router, does the authentication, and issues the commands on an other file "tftp_file" which has the command "copy tftp: running-config", and the plugin provides the IP address of the tftp server and "acl_file" for the file to upload.
52 It takes only a couple of seconds to upload long acl.
53
543. expect
55 All the above methods use telnet when making the connection to routers. Since the telnet protocol isn't encrypted it's not a good idea anymore to use telnet, moreover disableing telnet connection is advised.
56 You may use expect interpreter (http://expect.nist.gov/) to automatize definitive tasks.
57 By using a simple expect script you may make a secure ssh connection into the router, and issue "copy tftp: running-config" command to uplad the "acl_file".
58 A sample expect script is provided at end of that document.
59
60
61
62To use the above methods, you have to supply the required definition in your ciscoacl config file.
63Here are the config format for these methods:
641. telnet
65 This is the default method:
66 ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword /full_path/acl_file
67 When you don't use tftp you must give the "acl_file" name with /full_path !
68
692. tftp
70 ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword acl_file|/full_path/tftp_file
71 You must append the "tftp_file" at the end with a "|" character.
72
73 THE ACL FILE MUST BE IN the "/tftpboot" folder, and READABLE.
74 snortsam must be runned inside the /tftpboot/ folder: "cd /tftpboot; snortsam"
75
76
773. expect
78 You have to prepare an expect file which makes an ssh connection into the router, and uploads the "acl_file" with tftp.
79 ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword acl_file|expect:/full_path/expect_file
80
81 THE ACL FILE MUST BE IN the "/tftpboot" folder, and READABLE.
82 snortsam must be runned inside the /tftpboot/ folder: "cd /tftpboot; snortsam"
83
84
85
86Steps For Using tftp
87--------------------
88If you have long ACLs you should use tftp: to upload your acl_file into the router.
89In order to use this method, you have to follow the steps below:
901. Prepare a file (I call it "tftp_file"):
91
92copy tftp: running-config
93IP_of_the_tftp_server
94
95Here tftp: means that you will use tftp: when uploading the ACL file "acl_file".
96
972. Install and run a tftp server on the snortsam box.
98
993. Add the tftp_file name (separate with "|", do NOT use any spaces) to the
100ciscoacl line in the /etc/snortsam.conf file:
101
102ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword acl_file|tftp_file
103
104**********************************************************************************
105* THE ACL FILE MUST BE IN the "/tftpboot" folder, and READABLE. *
106* snortsam must be runned inside the /tftpboot/ folder: "cd /tftpboot; snortsam" *
107**********************************************************************************
108
109That's all, from now on, your router will upload your acl_file with tftp, and this will be a lot faster.
110
111
112Steps For Using Expect:
113-----------------------
114Using expect is the most versatile method, because you may prepare an script according to your choice and needs.
115All the ciscoal plugin does after modifying the "acl_file" is to call your expect script, then the rest is depends to your expect script.
116Before using that method, expect package (http://expect.nist.gov) must be installed; most of the linux distributions have that package.
117Prepare an expect script and test it by hand before using with snortsam.
118
119Prepare the ciscoacl config line in the snortsam.config file like the one below:
120ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword acl_file|expect:/full_path/expect_file
121
122THE ACL FILE MUST BE IN the "/tftpboot" folder, and READABLE.
123snortsam must be runned inside the /tftpboot/ folder: "cd /tftpboot; snortsam"
124
125
126
127Troubleshooting:
128-----------------
129It is very useful to have a look at the snortsam.log file, to see what happens:
130
131# tail -f /var/log/snortsam.log
132
133If you want to use more than one router for blocking the attackers, you have
134to supply another config line and acl-file for each router:
135
136# cat /etc/snortsam.conf
137accept IP_of_the_host_running_snort
138defaultkey secret
139ciscoacl IP_of_the_router_which_will_deny_with_ACL username/password enablepassword /full_path/acl_file
140ciscoacl IP_of_the_another_router_which_will_deny_with_ACL username/password enablepassword /full_path/acl_file2
141logfile /var/log/snortsam.log
142loglevel 3
143
144THE CISCOACL PLUGIN DOES NOT DOWNLOAD THE ACL FROM THE ROUTER!
145
146
147Example Expect Script:
148----------------------
149"_upload" MUST BE ADDED TO THE "acl_file" name like below:
150username, PASSWORD and ENABLE_PASSWORD must be changed according to your settings.
151
152#!/usr/bin/expect -f
153set timeout -1
154eval spawn "ssh username@IP_of_the_router\r"
155expect "*assword: "
156send -- "PASSWORD\r"
157expect "*>"
158send -- "en\r"
159expect "*assword: "
160send -- "ENABLE_PASSWORD\r"
161expect "*#"
162send -- "copy tftp: running-config\r"
163expect "*[]? "
164send -- "IP_of_the_tftp_server\r"
165expect "*[]? "
166send -- "ACL_FILE_upload\r"
167expect "*]? "
168send -- "running-config\r"
169expect "*#"
170send -- "exit\r"
171expect eof
172
173
174
175Ali BASEL
176alib@sabanciuniv.edu
177
178
179
180-------------------------------------------------------------------------------
181$Id: README.ciscoacl,v 2.4 2005/07/10 21:27:05 fknobbe Exp $
182
183
README.conf
1README.conf - Frank Knobbe <frank@knobbe.us>
2-------------------------------------------------------------------------------
3
4This is a summary of configuration options in the SnortSam configuration file.
5On Windows systems it is called snortsam.cfg by default and is located in the
6same directory where SnortSam.exe resides. On Unix systems, the default is
7/usr/local/etc/snortsam/snortsam.conf.
8
9The config file is a text file containing one or more of the following lines.
10
11
12SnortSam specific options:
13--------------------------
14
15# a remark
16
17 Lines starting with # or ; are remarks. All text after # (or ;) is
18 truncated which means that you can list an # after a valid option as well.
19 If you intend to use a # (or ;) as part of an option, you have to escape it
20 with a back-slash, for example:
21
22 <option> This is a \# valid char # But this is a comment
23
24 This would translate after parsing to:
25
26 <option> This is a # valid char
27
28
29
30defaultkey <key>
31
32 Set's the default key for ALL allowed hosts to <key>.
33 The default key is used when no other key is specified in an ACCEPT option.
34 You have to use the same key in the snort.conf file in the
35 "output alert_fwsam line". If the keys, or passwords if you will, don't
36 match, SnortSam can not decrypt the request from Snort and ignore it.
37
38 Example: defaultkey mydefaultpassword
39
40 If omitted, SnortSam will use a default key (in which case it would have to
41 omitted in snort.conf as well).
42
43
44
45port <port>
46
47 This sets the listening port to <port>.
48
49 Example: port 666
50
51 It defaults to 898 if this line is omitted.
52
53
54
55accept <host>/<mask>,<key>
56
57 This option lists Snort sensors that SnortSam is accepting packets from.
58 You can specify hostname, IP address, IP address and network mask, and
59 optionally an encryption key used configured for that host or network.
60
61 Examples: accept 10.10.0.0/16, officepassword
62 accept snort1, hostpassword
63 accept 192.168.1.1
64
65 If the password is omitted, the default key specified with DEFAULTKEY will
66 be used. You can only specify one host per line, but you can supply
67 unlimited lines.
68
69
70
71keyinterval <time>
72
73 This causes the agent to request/create a new encryption key every <time>.
74 If this line is omitted, the key lifetime defaults to 4 hours. You can use
75 'hours', 'days', 'months', 'weeks', 'years' in the duration.
76
77 Example: keyinterval 30 minutes
78
79
80
81dontblock <host>/<mask>
82dontunblock <host>/<mask>
83
84 This adds the host or network to the white-list of hosts/networks that will
85 never be blocked or unblocked. Blocking or unblocking request for hosts
86 on this list are ignored.
87
88 Examples: dontblock a.root-servers.net
89 dontblock 192.168.10.0/24
90
91 Only one host/network per line can be specified, but you can list unlimited
92 lines
93
94
95
96onlyblock <host>/<mask>
97onlyunblock <host>/<mask>
98
99 If this is specified, Snortsam will only block IP address that match this
100 list of IP's or networks. All other block requests are ignored. The same
101 applies to unblocks if the "onlyunblock" keyword is specified. Uses for
102 the latter might be limited, but it's available. DONTBLOCK still applies
103 within this list.
104
105 Examples: onlyblock 10.0.0.0/8
106
107 Only one host/network per line can be specified, but you can list unlimited
108 lines
109
110
111
112override <host>/<mask>,<time>
113
114 Each Snort rule requests its own time interval for the blocking request.
115 Here on the agent, you can override the duration with a specified value.
116 This is good for proxy servers, or other situations, where an attacker
117 'shares' an IP address with other hosts/users that you don't want to
118 block for long. (You don't want to block ALL of AOL for a week... :)
119
120 Examples: override proxy.aol.com, 5 min
121 override 192.168.1.0/24, 10 sec
122
123
124
125upperlimit <host>/<mask>,<time>
126limit <host>/<mask>,<time>
127
128 This statement allows you to set a maximum time duration for all SID/blocks
129 dependent on the reporting sensor. It acts like 'override', but instead of
130 setting a new duration, this statement limits the duration to the defined
131 maximum blocktime. Note that the host/network refers to a Snort sensor
132 (or a forwarding Snortsam station) and does not refer to the IP address to
133 be blocked like 'override' does.
134
135 Example: limit 192.168.1.0/24, 2 weeks
136
137
138
139lowerlimit <host>/<mask>,<time>
140atleast <host>/<mask>,<time>
141
142 This statement allows you to set a minimum time duration for all SID/blocks
143 dependent on the reporting sensor. It is the complement to 'limit', but
144 instead of reducing the duration to a maximum limit, it bumps up any
145 duration that is lower to this minimum duration.
146
147 Example: limit 192.168.1.0/24, 1 day
148
149
150
151denysidfrom <host>/<mask>: <sid>,<sid>,...
152
153 This statement causes Snortsam to ignore blocking requests for particular
154 SID based on a given sensor. Either a single SID or multiple SIDs can be
155 listed. When listing multiple SIDs, make sure you separate them with commas
156 and not just spaces.
157
158 Examples: denysidfrom 192.168.1.0/24: 1345
159 denysidfrom othersnortsam.someone.net: 1411, 1422, 0, 2002123
160
161 (Note the use of SID 0 which is typically used for manual blocks/unblocks
162 when no SID is specified, for example, on the command line when using the
163 samtool.)
164
165
166
167allowsidfrom <host>/<mask>: <sid>,<sid>,...
168
169 This statement is the invert of 'denysidfrom'. It will cause Snortsam to
170 only accept the SIDs listed and by default ignore all other SIDs.
171 If a conflict exist by the same SID appearing in an 'allowsidfrom' line and
172 a 'denysidfrom' line, the deny takes priority.
173
174 Example: allowsidfrom 10.0.0.0/8: 3200, 3201, 3203, 4332, 4333, 4334
175
176
177
178rollbackhosts <amount>
179
180 This tells SnortSam to keep a record of <amount> last blocks for each
181 Snort sensor. These blocks will be rolled back, meaning the hosts
182 unblocked, in the event that the blocking threshold is exceeded.
183
184 Example: rollbackhosts 50
185
186 If omitted, SnortSam will not keep a record of the IP addresses that have
187 been blocked for rollback purposes.
188
189
190
191rollbackthreshold <amount> / <time>
192
193 This specifies the blocking threshold. If the threshold is exceeded (more
194 than <amount> blocking requests in <time>), SnortSam will unblock the last
195 <x> hosts specified by the ROLLBACKHOSTS statement.
196
197 Example: rollbackthreshold 20 / 30 secs
198
199
200
201rollbacksleeptime <time>
202
203 When the rollback threshold has been exceeded, SnortSam will ignore
204 blocking requests until the level drops back below the threshold. Using
205 this option you can specify an additional time period that SnortSam will
206 wait until it starts acting on blocking requests again.
207
208 Example: rollbacksleeptime 1 minute
209
210 If omitted, and the rollback mechanism is used, it defaults to 15 minutes.
211
212
213
214skipinterval <time>
215
216 SnortSam skips repetitive, identical blocking requests (for performance
217 reasons). Here you specify the time interval for which blocks are
218 considered repetitive.
219
220 Example: skipinterval 30 secs
221
222 If omitted, SnortSam will use a default time period of 10 seconds in which
223 it considers requests to be repetitive.
224
225
226
227skiphosts <amount>
228
229 Tells SnortSam how many hosts it should remember for repetitive block
230 checks.
231
232 Example: skiphosts 10
233
234 If omitted, SnortSam will remember a default of 10 hosts.
235
236
237
238logfile <filename>
239
240 SnortSam will use this file to log certain events such as program start,
241 block/unblock actions performed and error events. If only a file name is
242 specified (without a path), the file will be created a) on Windows systems
243 in the same directory where SnortSam.exe resides, and b) on Unix systems
244 in /var/log.
245
246 Example: logfile snortsam.log
247
248 No logging occurs if this line is omitted.
249
250
251
252loglevel <level>
253
254 The file logging level can be set to 0, 1, 2, or 3:
255 0: Quiet - No logging occurs.
256 1: Sparse - Only errors are logged.
257 2: Normal - Errors and blocks are logged.
258 3: Verbose - Additional information (such as connections/disconnections)
259 are logged as well.
260
261 Example: loglevel 2
262
263 If omitted, a level of 2 (normal logging) is assumed.
264
265
266
267screenlevel <level>
268
269 The logging level, just like loglevel, but for screen output.
270 (See above for values)
271
272 Example: screenlevel 3
273
274 If omitted, a level of 2 (normal logging) is assumed.
275
276
277
278include <file>
279
280 This statement includes another configuration file. Only one level of
281 inclusion is supported.
282
283 Example: include dontblocklist.cfg
284
285
286
287statefile <filename>
288
289 SnortSam will use this file name for the state file instead of the default.
290 This avoids conflicts on hosts with mutliple Snortsam instances.
291
292 The default of /var/db/snortsam.state (or snortsam.sta on Windows) is used
293 if this line is omitted.
294
295 Example: statefile /var/db/2nd-snortsam.state
296
297
298
299avoidstatefile
300
301 Starting with version 2.8, SnortSam will always keep a state file so the
302 additions to dontblock-list can be checked against current blocks (and
303 unblocked automatically if a host is on the DONTBLOCK list, but had been
304 blocked before). If you are using SnortSam only to block on Checkpoint
305 firewalls, you could avoid the state file since FW-1 will time-out blocks
306 by itself. To do that, just use this statement in the config file.
307
308 Example: avoidstatefile
309
310 Note that if you load a plugin that requires SnortSam to unblock the
311 blocks, and thus requires the state file, it will be created regardless if
312 this option is present.
313
314
315
316disablereverselookups
317
318 This option turns off reverse name resolution in logging plugins, currently
319 only used by the email plugin.
320
321 Example: disablereverselookups
322
323
324
325disablepersistentconnections
326disablepersistenttcp
327
328 This option turns off persistent TCP connections for the FORWARD plugin as
329 introduced with version 2.51. It also does not use persistent connections
330 for connecting hosts like the Snort plugin, a remote forwarder, or the
331 samtool. In essence, Snortsam will behave like pre-2.51 versions.
332 The default is now to leave persistent-TCP disabled. See also below.
333
334 Example: disablepersistentconnections
335
336
337
338enablepersistentconnections
339enablepersistenttcp
340
341 This option turns on persistent TCP connections for the FORWARD plugin as
342 introduced with version 2.51. It also accepts persistent connections from
343 connecting hosts like the Snort plugin, a remote forwarder, or the samtool.
344 In essence, Snortsam will behave like pre-2.51 versions.
345
346 By default, persistens TCP connections are disabled now, and you need this
347 option to forcefully enable it. Beware, persistent TCP connections are
348 still experimental and may cause problems.
349
350 Example: enablepersistentconnections
351
352
353
354disableseqnocheck
355
356 This option turns off sequence number checking in SnortSam. SeqNo
357 violations are currently not punished (by banning the offending Snort
358 sensor), but it was planned to do so in the future to increase security.
359 Use this option to turn packet sequence number checking off.
360
361 Example: disableseqnocheck
362
363
364
365holdsnort
366
367 This option requires version 1.13 or higher of the Snort plugin. It places
368 Snort 'on hold' during processing of the blocking request, and resumes
369 Snort once the block is completed.
370
371 Example: holdsnort
372
373 THIS WILL SLOW SNORT DOWN! USE ONLY FOR TESTING OR IN CONJUNCTION WITH
374 BARNYARD!
375
376
377
378nothreads
379
380 This option disables the multi-threading capability and causes SnortSam
381 not to use thread functions at all. Instead, all plugins are executed
382 sequentially within the main process. This makes SnortSam behave like the
383 old, single-threaded version 1. It is useful for testing, or if you
384 encounter problems with plugins that have problems with POSIX threads.
385
386 Example: nothreads
387
388
389
390forcethreads
391
392 This option forces use of multi-threading capability on systems that have
393 it disabled by default, which currently is all Linux versions.
394
395 Example: forcethreads
396
397
398
399daemon
400
401 This option causes Snortsam to turn into a daemon upon startup. It is
402 similar to the -D option of many other tools and services.
403
404 Example: daemon
405
406
407
408bindip
409
410 This option causes Snortsam to bind only to one IP address (or interface)
411 instead of listening on all interfaces/addresses.
412
413 Example: bindip 192.168.0.1
414
415
416
417
418Firewall specific options:
419--------------------------
420
421fwexec <path/fw.exe>
422
423 If specified, SnortSam will call the fw.exe executable to create the blocks
424 on Firewall-1. Normally you would use either 'fwsam' or 'opsec' (see
425 below). This line is useful if there are problems with OPSEC or you don't
426 want to send packets to the firewall. SnortSam will have to run on the
427 FW-1 host of course.
428
429 Example: fwexec c:\winnt\fw\bin\fw.exe
430
431
432
433fwsam <host>
434
435 This statement tells SnortSam to use the self-assembled OPSEC packet to
436 initiate blocks. You have to specify the name or IP address of the
437 firewall to which to send the block. You can only list one IP address per
438 line, but supply unlimited lines (one for each firewall you have).
439
440 Examples: fwsam 127.0.0.1
441 fwsam wanfw.corp.com
442
443
444
445fwsamipflip
446
447 The fwsam method should block the correct IP address if SnortSam is run on
448 the firewall host itself. However, if SnortSam runs on a small-endian box,
449 and FW-1 runs on a big-endian box, it may block the reversed IP address.
450 Use this option to flip it back to normal.
451
452 Example: fwsamipflip
453
454
455
456opsec <file>
457
458 This statement tells SnortSam to use the OPSEC API functions of the OPSEC
459 plug-in, configured through the <file> config file (opsec.conf is available
460 as an example. Also see README.opsec). Use this instead of fwsam for use of
461 the official OPSEC API. You can add more than one config to allow more than
462 one firewall to execute the block (each firewall would need its own conf
463 file). Currently, only clear-text is supported, but you may have luck with
464 auth_port or SSL. If so, please let me know.
465
466 Examples: opsec opsec.conf
467 opsec wan_firewall.conf
468
469 In opsec.conf, or whatever your file is named, change the IP of the server
470 to reflect your firewalls IP (or leave at 127.0.0.1 if you run SnortSam on
471 the firewall itself).
472
473
474 NOTE TO ABOVE METHODS:
475
476 If you are blocking on Checkpoint Firewall-1, use ONE OF THE THREE METHODS
477 listed above. You don't have to specify them all. It is your choice which
478 method to use (although I personally recommend fwsam).
479
480
481
482pix <ip> <telnetpw> <enablepw>
483pix <ip> <username>/<password> <enablepw>
484
485 This statement tells SnortSam to use the PIX plugin. SnortSam will telnet
486 into the PIX at address <ip>, log in with the given telnet and enable
487 password, and use the SHUN command to block IP addresses. If the second
488 parameter contains a /, SnortSam will use the word before the / as the
489 username and the remainder as the user password. This is useful when a PIX
490 has been configured to use RADIUS or TACACS for login authentication.
491
492 Examples: pix 1.2.3.4 letmein enableme
493
494 If the enable password is omitted, the telnet password will be used at the
495 telnet and enable prompt.
496
497
498
499ciscoacl <ip> <telnetpw> <enablepw> <acl_filename>
500ciscoacl <ip> <username>/<password> <enablepw> <acl_filename>
501
502 This statement tells SnortSam to use the Cisco ACL plugin to block IP's on
503 a Cisco router. SnortSam will telnet into router at address <ip>, log in
504 with the <telnetpw> as the password at the telnet prompt, or use
505 <username> and <password> if TACACS is used for authentication, and modify
506 the Access Control List. You need to supply your baseline configuration
507 file <acl_filename> in the configuration line. SnortSam will insert ACL
508 statements so that access from and to the intruding IP address is denied,
509 and upload the config to the router.
510
511 Example: ciscoacl 1.2.3.4 telnetpw enablepw myconfig
512
513 If the router is configured to authenticate access with TACACS, you would
514 use:
515 ciscoacl 1.2.3.4 user/password enablepw myconfig
516
517
518
519cisconullroute <ip> <telnetpw> <enablepw>
520cisconullroute <ip> <username>/<password> <enablepw>
521
522 This statement tells SnortSam to use the Cisco Null-Route plugin to block
523 IP's on a Cisco router. SnortSam will telnet into router at address <ip>,
524 log in with the <telnetpw> as the password at the telnet prompt, or use
525 <username> and <password> if TACACS is used for authentication, and issue
526 a route command that will "null-route" the IP to be blocked. It will then
527 save the configuration to memory. Once the block has expired, Snortsam
528 again log in and remove the added route, saving the config to memory.
529
530 Example: cisconullroute 1.2.3.4 telnetpw enablepw
531
532 If the router is configured to authenticate access with TACACS, you would
533 use:
534 cisconullroute 1.2.3.4 user/password enablepw
535
536
537
538cisconullroute2 r=<ip> p=telnetpw e=enablepw
539cisconullroute2 r=<ip> p=telnetpw e=enablepw t=<tag>
540cisconullroute2 r=<ip> u=username p=password e=enablepw t=<tag> a=y
541
542 This statement tells SnortSam to use the Cisco Null-Route2 plugin to block
543 IP's on a Cisco router. This is a more flexible version of the
544 Cisco Null-Route plugin (see above) with a few more options.
545 You can specify a 'route tag' to mark the route on the router.
546 Eg. t=667, would result in 'ip route x.x.x.x 255.255.255.255 Null0 tag 667'.
547 You can also set the auto-enable option to y (a=y), if SnortSam should NOT
548 run the enable command because it enters directly in eg. priv-level 15
549
550 Parameters:
551 r=<router ip> (required)
552 u=<username> (optional)
553 p=<password> (required)
554 e=<enable password> (optional)
555 t=<route tag> (optional [1-4294967295])
556 a=<auto-enable> (optional, [yn])
557
558 Example:
559 cisconullroute2 r=1.2.3.4 u=username p=password e=enablepw t=666 a=y
560 cisconullroute2 r=1.2.3.4 p=telnetpw e=enablepw t=666
561 cisconullroute2 r=1.2.3.4 p=telnetpw e=enablepw
562
563
564
565email <smtpserver>:<port> <recipient> <sender>
566
567 This statement sends an email for every block and unblock event. You
568 specify your SMTP server by name or IP address, and the email address you
569 want to send the notification to. Only one recipient per line is supported,
570 more than one line be be specified. By default, SnortSam will send the
571 email from SnortSam@<hostname>, but you can override the sender by adding
572 a specific sender after the recipient. Also, you can optionally specify
573 a custom port in case you run SMTP on a different port. (Default is 25)
574
575 Example: email mailserver.mydom.com root@mydom.com
576 email 127.0.0.1 admin@mydom.com SnortSam@mydom.com
577 email localhost:10025 ops@mydom.com
578
579
580
581email-blocks-only <smtpserver>:<port> <recipient> <sender>
582
583 This statement is the same as "email" except that it only sends emails for
584 block events, not unblock events. This was easier to implement as a plugin
585 since "email" requires the creation of a state file while
586 "email-blocks-only" does not (see also "avoidstatefile").
587
588 Example: email mailserver.mydom.com root@mydom.com
589
590
591
592netscreen <ip> <login id> <login password> <optional groupname> <opt zone name>
593
594 This statement will activate the Netscreen plugin. It is similar to the PIX
595 plugin in that is telnets into the firewall, but instead of issuing a shun
596 command (which the Netscreen doesn't have), it adds the IP to be blocked to
597 a group which you can use for a global 'deny' rule. For more info, please
598 see README.netscreen.
599
600 Example: netscreen 10.0.0.1 admin mypassword MyBlockGroup MyZone
601
602 If the group name is omitted, SnortSam will add/remove IP's to/from the
603 default group called 'SnortSam'.
604 Also, one can override the default zone name with a custom zone name. The
605 MyZone parameter is optional. If used, a block group name must also be
606 specified.
607
608
609
610ipf <adapter> <loglevel>
611
612 This plugin will execute the command ipf locally and block the host by
613 adding a rule to the ipf policy. You have to specify the adapter to block
614 on (for example, fxp0) and you can optionally add a logging facility
615 (default is local7.info).
616
617 Example: ipf ep0 local7.info
618
619
620
621pf <adapter> <logoption>
622
623 This plugin will use an ioctl syscall to control the pf device in order to
624 block the host by adding a rule to the active rule set of pf. You have to
625 specify the adapter to block on (for example, fxp0) and you can optionally
626 add a log option (log, logall).
627
628 Example: pf dc0 log
629
630
631
632pf2 <anchor> <table> <kill>
633
634 This plugin will use an ioctl syscall to control the pf device in order to
635 block the host by adding the host IP into a pf table. Additional active pf
636 states to/from the host will be killed.
637
638 Example: pf2 anchor=snortsam table=block kill=all
639
640
641
642ipchains <adapter> <logoption>
643
644 This plugin will use an setsockopt call to control the ipchains options
645 in order to block the host by adding a rule to the active rule set.
646 You have to specify the adapter to block on (for example, eth0) and you can
647 optionally add a log option (log, logall).
648
649 Example: ipchains eth0 log
650
651
652
653iptables <adapter> <logoption>
654
655 This plugin will call the iptables executable in order to block the host by
656 adding a rule to the active rule set. You have to specify the adapter to
657 block on (for example, eth0) and you can optionally add a log option.
658
659 Example: iptables eth0 syslog.info
660
661
662
663ebtables <adapter> <logoption>
664
665 This plugin will call the ebtables executable in order to block the host by
666 adding a rule to the active rule set. You have to specify the adapter to
667 block on (for example, eth0) and you can optionally add a log option.
668
669 Example: ebtables eth0 syslog.info
670
671
672
673watchguard <path/to/fbidsmate> <ip-of-firebox> <configpassword>
674watchguard <path/to/fbidsmate> <ip-of-firebox> file <configpassfile>
675
676 This plugin will call the fbidsmate program to block the host on Watchguard
677 firewalls. You have to specify the path to the fbidsmate program, the
678 IP address of the firewall, and either a clear-text password, or the name
679 of a file containing the encrypted password. For more information, please
680 see the README.wgrd file.
681
682 Examples: watchguard /bin/fbidsmate 10.1.0.1 mySecretPass
683 watchguard /bin/fbidsmate 10.1.0.1 file /etc/fbidsmate.passphrase
684
685
686
6878signs <path/dfw.exe> <tarpit>
688
689 SnortSam will call the specified dfw.exe executable to create the block
690 on the 8signs firewall. Snortsam will always block IPs without expiration
691 (-expiry n) because the 8signs firewall can only block for a day, a week,
692 or permanently. Snortsam blocks permanently and then times-out the blocks
693 itself, issuing an unban of the IP to 8signs, so that normal time
694 intervals are possible (for example, 10 minute blocks).
695 Optionally, the word "tarpit" can be appended to cause 8signs to ban and
696 tarpit the IP address.
697
698 Examples: 8signs c:\progra~1\8signs~1\dfw.exe
699 8signs c:\progra~1\8signs~1\dfw.exe tarpit
700
701
702
703isa <log>
704
705 SnortSam will use the API in msfpccom.dll to control the Microsoft ISA
706 Server interface in order to add blocking rules to the ISA firewall
707 rules.
708 Optionally, the word "log" can be appended to cause ISA Server to log
709 connection attempts from the blocked IP address.
710
711 Examples: isa
712 isa log
713
714
715
716chx-i <path/fltcon.exe> <log>
717
718 SnortSam will call the specified fltcon.exe executable (or just fltcon if
719 none is specified, in which case fltcon would need to be in the PATH) to
720 create the block on the CHX-I packet filter. Snortsam can only block, and
721 can not forcefully unblock IP addresses. In order to frocefully remove
722 a blocked host, just restart the CHX-I service and all blocked IP addresses
723 are released.
724 Optionally, the word "log" can be appended to cause CHX-I to log blocked
725 packets.
726
727 Examples: chx-i c:\somewhere\fltcon.exe
728 chx-i fltcon.exe log
729
730
731
732ipfw2 <adapter> <inbound-table> <outbound-table>
733
734 This plugin will add/remove IP addresses to be blocked/unblocked into the
735 corresponding table(s). Tables are a new feature of ipfw2. You have to set
736 up these tables manually before starting Snortsam exactly like this:
737
738 deny ip from any to table(<inbound-table>) via <adapter>
739 and: deny ip from table(<outbound-table>) to any via <adapter>
740
741 If these tables are not present in your ipfw2 rule set, Snortsam will not
742 start and report an error. With the tables present, configure Snortsam
743 accordingly.
744
745 Example: ipfw2 ep0 1 2
746
747 With tables rules like:
748 00010 deny ip from any to table(1) via ep0
749 00011 deny ip from table(2) to any via ep0
750
751
752
753forward <snortsam-ip>:<port>/<password>
754
755 This plugin will forward a block/unblock request to another Snortsam agent
756 running on this or another host. This allows you link Snortsams in a chain,
757 providing for a completely distributed blocking infrastructure. You can
758 configure two Snortsam agents to forward to each other. The loop is avoided
759 by the repetitive block prevention. IF YOU DISABLE REPETITIVE BLOCK
760 SETTINGS, YOU WILL CREATE AN ENDLESS LOOP CAUSING RESOURCE EXHAUSTION OR
761 STARVATION OR A DENIAL-OF-SERVICE CONDITION!
762 Take note that any white-list or override lists are processed before the
763 request is forwarded. The planned "passthrough" plugin will avoid this
764 limitation in the future. It is recommended to create separate Snortsam
765 instances for "distribution hubs" which don't have white-list or override
766 restrictions.
767
768 Example: forward secondsnortsam.domain.net
769 forward other-snortsam.mynet.com/otherpass
770 forward 127.0.0.1:890
771
772-------------------------------------------------------------------------------
773$Id: README.conf,v 2.30 2009/11/27 01:39:39 fknobbe Exp $
774
README.iptables
1README.iptables - Fabrizio Tivano <fabrizio@sad.it>
2-------------------------------------------------------------------------------
3
4The Iptables plugin works on all linux box, iptables installed.
5
6
7Default configuration is for any linux iptables-firewall with default DROP rule,
8and working with 2 interfaces:
9
10eth0 = internal net
11eth1 = external net
12
13you can also change the target ethernet card by adding the correct ethX name on
14the snortsam.conf file.
15
16
17The standard block command is:
18iptables -I FORWARD -i eth1 -s {ip_addr_to_be_blocked} -j REJECT
19
20The standard unblock command is:
21iptables -D FORWARD -i eth1 -s {ip_addr_to_be_unblocked} -j REJECT
22
23
24To start support for Iptables you have to add one line to the snortsam.conf
25like:
26
27iptables eth1 log
28
29
30
31You can also make your iptables block/unblock command by editing the module
32ssp_iptables.c (PAY ATTENTION AT THE CORRECT IPTABLES SYNTAX!!!) and then
33recompile it.
34
35
36
37Fabrizio Tivano
38fabrizio@sad.it
39
40-------------------------------------------------------------------------------
41$Id: README.iptables,v 1.1 2003/04/13 19:47:33 fknobbe Exp $
42
43
README.netscreen
1README.netscreen - Christopher Lyon <cslyon@netsvcs.com>
2-------------------------------------------------------------------------------
3
4Comments, questions, additions, input and constructive criticism are always
5welcome.
6
7Please read the entire file and perform a backup of your configuration before
8making any changes on your Netscreen. If you don't know how to perform a backup
9of your configuration, please obtain a users manual. Just a hint, a 'get config'
10command gets the entire configuration from your unit so if you can telnet into
11the Netscreen that is the command you need to run. Take the output on your
12screen and save it to a text file. We don't assume any reasonability if you
13blow up your Netscreen using these commands. We are just trying to help you get
14started and we can't take reasonability for anything that you did, haven't done,
15or are going to do. So, don't blame us, me or anybody on the SnortSam team.
16
17
18SnortSam Configuration
19
20Usage for the Netscreen option in the config is:
21
22netscreen <firewall-ip> <login-id> <login-pw> <optional-group-name>
23
24
25Netscreen Configuration
26
27In order to get this working there are a few things that must be setup first on
28the Netscreen. The first thing is to setup a group on the Netscreen.
29The default name for the group is called 'SnortSam'. That is unless you change
30it in the conf file. The way SnortSam interacts with the Netscreen is that is
31adds and removes IP addresses to and from this group on the Netscreen.
32
33Note: We picked groups instead of adding and deleting rules to the policy
34because of the way Netscreen does the rules and how they are added, and then
35moved when doing them from the CLI. If you are using routed mode you might
36need more than one rule to do blocking, depending upon if you have any inbound
37services. A group instead of adding rules would be a better fit. Keep in mind
38that the Netscreen, like other firewalls, reads the rules from top down. So
39you want to keep these rules that we are entering closest to the top, so that
40they can be most effective.
41
42
43Routed and Transparent Mode Considerations
44
45There are two modes that your Netscreen can operate in, routed mode and
46transparent mode. Routed mode is when you have separate layer 3 networks on
47each interface. Your trusted interface has two modes that it can use, but only
48if you are in routed mode. Those two modes are NAT and route. If you are using
49private addresses on your trusted interface then it should be set to NAT mode.
50Please note that if you are using NAT mode there are special considerations
51to make. Since there is only one group support for SnortSam right now, the best
52that we can do is block traffic going to your DMZ if you have one. Keep in mind
53that there is a default deny rule on your incoming policy, so blocking there
54using SnortSam really doesn't do anything. If you have any one-to-one network
55address translation going between your trusted and untrusted network, you will
56need to pick which is more important to block (for now). If you want to block
57on your untrusted interface like the examples below you will need to create a
58policy with an explicit deny for each inbound service. SnortSam will add the IP
59addresses to the group. The Netscreen 5's or 5xp make great screening walls for
60relatively low speed connections. I am talking about less than 3 meg links.
61They are cheap and you can still get Netscreen 5's.
62
63If you are using transparent mode then you have dropped the Netscreen in
64between your internet router and your hosts or firewall. That would mean that
65you have a single IP address for management of the box. Unless you mess up the
66default configuration, nobody can get to the Netscreen from the outside in
67transparent mode directly. This, in my opinion, is a great way to do a
68screening wall. The best configuration is to put your IDS sensor between your
69screening wall and your firewall where SnortSam is doing the blocking,
70because you will be blocking everything before it hits your firewall. The
71configurations below assumes that you are using transparent mode but if you
72want to use routed mode there will be a few things that you will need to change.
73
74
75Netscreen CLI commands (Basic)
76
77The commands below assume that you are using transparent mode. If you are not
78using transparent mode, you have to keep in mind that the commands will need to
79modified to work. Once you have established a telnet session into the Netscreen,
80you should see a -> prompt. The first command is to create a group. If you can't
81telnet to the Netscreen, you must make sure that you can, or else SnortSam will
82not be able to block. Go to the web GUI, and under the interface tab go to
83'trusted'. Make sure that telnet is checked. You might need to reboot the
84Netscreen in order for that to take effect.
85
86Group Command:
87
88Set group address untrust "SnortSam" comment "Put your comment here"
89
90Now, the second command depends upon how many incoming rules you have. If you
91do a 'get config' at the Netscreen CLI prompt, and look at the set policy
92commands, you will see the rules that are currently being used. Note that the
93rules are not in order by their id, but in the order of how they are enforced.
94Remember, they are read from the top down and the id number is only used to
95reposition the rules. So if your policy rules read like the ones below, you will
96need to insert a rule before id 1. We don't care about the outgoing policy for
97now, just the incoming policy.
98
99Partial 'get config':
100set policy id 0 outgoing "Inside Any" "Outside Any" "ANY" Permit log
101set policy id 1 incoming "Outside Any" "Inside Any" "ANY" Permit
102
103
104Policy Rule Command:
105set policy before 1 incoming "SnortSam" "Inside Any" "ANY" Deny
106
107By default, the group name 'SnortSam' is used. But if you want to use
108something else you can do so via the SnortSam configuration file. Note we use
109the 'before 1 incoming' in the rule above. But if your first incoming rule is
110id 5, then the command would be 'before 5 incoming'. You can add the following
111after the deny if you want, but keep in mind all these take up more memory and
112processor resources.
113
114count enable counting
115log enable logging
116schedule set scheduler
117traffic traffic parameters
118
119After you have executed the command, your policy rules should look like this:
120
121set policy id 0 outgoing "Inside Any" "Outside Any" "ANY" Permit log
122set policy id 2 incoming "SnortSam" "Inside Any" "ANY" Deny
123set policy id 1 incoming "Outside Any" "Inside Any" "ANY" Permit
124
125That is it for the Netscreen configuration.
126
127Known Issues:
128
129Some of the Netscreen's, depending upon the code version that you are using,
130may only let one person from the same IP address telnet into the box. So, if
131you are testing this out and want to see the modifications in real time, either
132use the web interface or a different box to view the modifications.
133
134This is more of an FYI than an issue but with the new code 4.x there might be
135some issues with this configuration. I am just saying this because I don't
136know, I haven't tested it. I should have a chance to test it in a week or two.
137The structure in 4.x is a little different so beware.
138
139
140Regards,
141Christopher Lyon
142cslyon@netsvcs.com
143
144
145
146-------------------------------------------------------------------------------
147$Id: README.netscreen,v 1.3 2003/01/16 05:54:23 fknobbe Exp $
148
149
README.pf
1README.pf 3.0 - Hector A. Paterno <apaterno@dsnsecurity.com>
2-------------------------------------------------------------------------------
3For additional notes from Olaf Schreck, see farther below.
4-------------------------------------------------------------------------------
5
61. Description.
7
8This plugin is for IP blocking on different versions of OpenBSD Operating
9System and FreeBSD 5.1 with pf4freebsd port installed and working.
10Since this lastest release it supports OpenBSD 3.3, 3.4 and FreeBSD 5.1 using
11tables, anchors, and rulesets, who recently made available in pf.
12It now uses a new kind of configuration options ( option=value option2=value2
13etc. ) Please see 3. Options to obtain a full list of available options.
14Note : This is not a pf tutorial, please read the pf documentation to understand
15the concepts of anchors, tables, rulesets etc. .
16
172. Compatibility.
18
19This lastest release supports, compiles, works, and has been tested on the
20following OS/Versions :
21
22OpenBSD 3.0
23OpenBSD 3.1
24OpenBSD 3.2
25OpenBSD 3.3
26OpenBSD 3.4
27OpenBSD current ( 12/02/2003 ).
28FreeBSD 5.1-RELEASE ( with http://pf4freebsd.love2party.net port ).
29FreeBSD 5.1-CURRENT ( with http://pf4freebsd.love2party.net port ).
30Now also:
31OpenBSD 3.5
32OpenBSD 3.6
33
343. Options.
35
36This is the list of options that you can set in the configuration file :
37
38auto=0/1
39log=0/1
40anchor=[string]
41eth=[string]
42(table=[string] - ignored. Listed for historical purposes only)
43
44auto:
45The auto option is used to tell the pf plugin to automatically (auto=1)
46initialize all the required anchor/tables/rulesets/rules in the packed
47filter (no pf.conf or manual modifications needed in the active ruleset).
48
49log:
50The rules created by the pf plugin will get the log option if this option is
51set to 1 (log=1), so every time a blocked ip try to make a connection,
52the correspont pf rule will generate a log entry on the pflog interface.
53
54anchor:
55Sets the anchor name used to hold the rulesets/tables/rules.
56
57table:
58Now ignored. Before Snortsam 2.30, it used to set the name of the table to
59hold the blocked IPs.
60
61eth:
62Sets the interface name used when the anchor is created or when
63the rules are added.
64
65Example :
66 pf auto=1 log=1 anchor=fwsamd table=blockedips eth=le1
67
68All configuration options are parsed, no matter the OS/Version used, but not
69all the parsed options are used, that depends on the OS/Version used, see
704. Notes to get a list of used/relevant options in your OS/Version.
71
72
734. Notes.
74
75-- OpenBSD 3.0, 3.1 and 3.2 -- :
76
77Under this OS/Versions only the "log", and "eth" options will be used by the pf
78plugin, so on every block call, a new entire rule will be created with the
79corresponding "log" and "eth" options at the head of the active ruleset.
80
81-- OpenBSD 3.3 -- :
82
83Under this OS/Version the "auto", "log", "eth", "table" options will be used
84in the following mode :
85
86Under OpenBSD 3.3 you will need to create 3 tables in the main ruleset
87(unless you use the auto=1 option), one for the IN, one for the OUT,
88and one for the INOUT.
89For example if you wish to call your table "blockedips", then you will
90need to create :
91
92blockedipsIN
93blockedipsOUT
94blockedipsINOUT
95
96tables and specify auto=0 ( the tables are already created by you ), and
97table=blockedips ( without the IN, OUT, INOUT ) in the pf section of your
98snortsam config file.
99
100You must also create the rules who point to this tables ( unless you use
101the auto=1 option ) :
102
103block in from <blockedipsIN> to any
104block out from any to <blockedipsOUT>
105block in from <blockedipsINOUT> to any
106block out from any to <blockedipsINOUT>
107
108The "eth" and "log" options are used in auto=1 mode, when the pf plugin is
109in charge of creating the rules. If you don't use the auto=1 mode, then this
110parameters can specified in the rules that you must create.
111
112So every block call will add an ip entry in the corresponding table, and
113automatically gets blocked by the corresponding rule who blocks that table.
114Under OpenBSD 3.3 all of this takes place in the main ruleset, no anchors or
115rulesets are used.
116
117-- OpenBSD 3.4, OpenBSD Current, FreeBSD 5.1-RELEASE, FreeBSD 5.1-CURRENT -- :
118
119Under this OS/Versions all the options are used by the pf plugin, It creates (
120unless you use auto=0 ) one call to the anchor specified by the "anchor"
121option in the main ruleset with the optional "eth" name, and 3 rulesets inside
122this "anchor" ( "IN", "OUT" and "INOUT" ), each ruleset has Its own table
123( specified by the "table" option ) and Its set of rules with the optional
124"log" option.
125
126If you dont wish to use the auto=1 option, you must create this sets of
127entries in your pf.conf file or by hand ( using pfctl command ) and set the
128choosen parameters in the pf section of the snortsam configuration file.
129
130If you got confused while try to create the anchor and rules to not to use the
131auto=1 option, try to use the "auto=1" option at first, and see the
132rules/rulesets/anchor/tables added automatically by the pf plugin as an example.
133
134
135
136Hector A. Paterno
137apaterno@dsnsecurity.com
138
139-------------------------------------------------------------------------------
140Note by Frank Knobbe:
141FreeBSD support is currently disabled with #ifdef's. If you have loaded the pf
142patch under FreeBSD 5.x, you need to remove the "#ifdef OpenBSD" in ssp_pf.c,
143ssp_pf.h and plugins.h. Don't forget to remove the corresponding "#endif".
144We need to clean this up later so that it doesn't throw errors on FreeBSD
145systems without the pf port and Solaris/AIX/whateverix.
146(What we really need is a make file... *sigh*)
147-------------------------------------------------------------------------------
148Updated 01-16-05, Note by Olaf Schreck <chakl@syscall.de>
149
150This is based on Hector's code, read above sections first!
151
152Use the following line in snortsam.conf:
153
154 pf anchor=fwsam auto=1 [ log=... eth=... table=ignored ]
155
156Choose any anchor name you like, I recommend "fwsam". Use auto=1
157unless you really want to do things manually, see below. Use log
158and eth as you did before, no changes to this stuff. You may still
159specify a table name, but it will be _ignored_, see "Changes" below.
160
161
162Testing
163-------
164
165Create snort signatures like this, probably in local.rules:
166
167 alert tcp any any -> $your_ip 11110 (msg:"TEST log 11110/tcp"; \
168 sid:1111110;)
169 alert tcp any any -> $your_ip 11111 (msg:"TEST block 11111/tcp"; \
170 sid:1111111; fwsam:src[in],5min;)
171
172- start snort and snortsam, verify the processes are running, check
173 their logfiles for any errors;
174- verify that the test sigs fire and that alerting works before
175 proceeding. I like to have snort log via syslog, do a "telnet
176 $your_ip 11110" from any remote machine first, and then *expect*
177 to see the "TEST log 11110/tcp" in syslog. If that doesn't work for
178 you, *fix your configuration first*, it is pointless to continue
179 without working alerting;
180- check that anchor, tables and rules exist after snortsam started,
181 read the pfctl manpage;
182 # pfctl -vsA
183 # pftcl -a fwsam -sT
184 # pfctl -a fwsam -t blockin -Ts
185 # pfctl -a fwsam -t blockin -sr
186- test snortsam blocking with "telnet $your_ip 11111" from any remote
187 machine. You should see a "TEST block 11111/tcp" alert in syslog, a
188 message "Blocking $src_ip" in snortsam.log, and $src_ip listed in the
189 output from "pfctl -a fwsam -t blockin -Ts". All traffic from $src_ip
190 to $your_ip should be blocked now. After 5 minutes you should see
191 "Unblocking $src_ip" in snortsam.log, $src_ip removed from the blockin
192 table, and traffic from $src_ip to $your_ip should be allowed again.
193
194At least, that would be *expected* behavior. Prepare for debugging with
195pfctl if it doesn't work out right.
196
197
198Changes
199-------
200
201The last version of ssp_pf was for OpenBSD 3.4. In 3.6 a change to the
202pf ioctl API was introduced for "nested anchors". Semantically, what
203used to be a "named ruleset" within an anchor, is now a sub-anchor to
204that anchor, which allows for tree-like ruleset structures. The hard
205part of this patch (for me) was figuring out where to put the anchor
206references.
207
208Changed some strcpy()s to strncpy(), deal with PF_MAX_*_SIZE correctly.
209
210Hardcoded the table names to "blockin", "blockout" and "blockinout".
211Laziness, what's the point of having configurable table names anyway?
212
213My first approach was to convert the named "IN", "OUT" and "INOUT"
214rulesets to sub-anchors. Didn't work for other reasons, and it smelled
215bloated. After all, we have 4 rules operating on 3 tables, a simple
216single anchor should be able to do that job just fine.. :)
217
218
219Using auto=0
220------------
221
222The pf plugin is written for auto=1, if you disable it you'll have to
223setup these things manually:
224
225 - the pf anchor "fwsam" inside the main ruleset
226 - 3 tables ("blockin", "blockout", "blockinout") inside the
227 "fwsam" anchor
228 - 4 rules like below inside the "fwsam" anchor
229 block in log quick from <blockin> to any
230 block out log quick from any to <blockout>
231 block in log quick from <blockinout> to any
232 block out log quick from any to <blockinout>
233
234
235-------------------------------------------------------------------------------
236$Id: README.pf,v 1.2 2005/01/16 22:55:27 fknobbe Exp $
237
238
README.pf2
1README.pf2 - Olli Hauer <ohauer@gmx.de>
2-------------------------------------------------------------------------------
3
41. Description.
5
6This plugin is for IP blocking on different versions of *BSD Operating System.
7
8The plugin supports anchors and tables, but they will not created for you!
9
10It now uses a new kind of configuration options ( option=value option2=value2
11etc. ) Please see 3. Options to obtain a full list of available options.
12Note : This is not a pf tutorial, please read the pf documentation to understand
13the concepts of anchors, tables, rulesets etc. .
14
15
162. Compatibility.
17
18This latest release supports the following OS/Versions :
19
20OpenBSD > 4.0
21FreeBSD > 6.0 with pf support (as module or compiled into the kernel)
22NetBSD ? with pf support (tested on NetBSD 5.0 i386)
23
24
253. Options.
26
27This is the list of pf2 options that you can set in the configuration file:
28----------------------------------------------------------------------------
29anchor=[string] default: anchor=snortsam
30
31 Sets the anchor name used to hold the tables/rulesets.
32 To disable the usage of anchor use anchor=none or anchor=notused.
33
34
35table=[string] default: table=block, which results in tables blockin and blockout
36
37 The tablename in/outside an anchor.
38 In addition to the table name the suffix 'in' and 'out' are added,
39 so a table defined table=badip results into 'badipin' and 'badipout'.
40
41
42kill=[string] default: kill=all
43
44 Kill the pf states from/to the IP address we receive to block,
45 else existing connections stay alive.
46 Valid options are:
47 all : kill all states to/from the IP address
48 dir : kill only states alerted with the direction
49 no : kill no states, (keep existing connections open)
50
51
52Example pf2 config lines in snortsam.cfg:
53------------------------------------------
541) pf2 anchor=snortsam table=block
55 - the tables blockin and blockout inside the anchor snortsam will be used.
56 - kill all existing pf states from/to the IP address.
57
582) pf2 anchor=notused table=badguy kill=dir
59 - the tables badguyin and badguyout outside any anchor will be used.
60 - kill only existing pf states in the received direction.
61
623) pf2 anchor=none kill=no
63 - tables blockin and blockout outside any anchor will be used.
64 - no pf states will be killed.
65
66
67pf.conf for examples above:
68---------------------------
691) # filter rules
70 anchor snortam
71 load config from "/etc/pf.conf.snortsam"
72
73 -- file /etc/pf.conf.snortsam --
74 # tables
75 table <blockin> persist
76 table <blockout> persist
77 # filter rules
78 block drop in quick log on bge0 from <blockin> to any
79 block drop in quick log on bge1 from any to <blockout>
80
81
822) # tables
83 table <badguyin> persist
84 table <badguyout> persist
85 # filter rules
86 block drop in quick log on $if_ext from <badguyin> to any
87 block drop in quick log on $if_int from any to <badguyout>
88
893) see example 2) but table names are blockin,blockout (the default)
90
91
92All configuration options are parsed, no matter the OS/Version used, but not
93all the parsed options are used, that depends on the OS/Version used, see
944. Notes to get a list of used/relevant options in your OS/Version.
95
96
974. Notes.
98
99The pf2 plugin does not create any rules, it is up to you to write the ruleset
100which make usage of the two tables defined.
101
102Testing
103-------
104The following signature expects snortsam configured with fwsam(in|out) as table
105name.
106
107Create snort signatures like this, probably in local.rules:
108
109 alert tcp any any -> $your_ip 11110 (msg:"TEST log 11110/tcp"; \
110 sid:1111110;)
111 alert tcp any any -> $your_ip 11111 (msg:"TEST block 11111/tcp"; \
112 sid:1111111; fwsam:src[in],5min;)
113
114
115- start snort and snortsam, verify the processes are running, check their
116 logfiles for any errors;
117
118- verify that the test sigs fire and that alerting works before proceeding.
119 I like to have snort log via syslog, do a "telnet $your_ip 11110" from any
120 remote machine first, and then *expect* to see the "TEST log 11110/tcp"
121 in syslog. If that doesn't work for you, *fix your configuration first*.
122 It is pointless to continue without working alerting;
123
124- check that anchor, tables and rules exist after snortsam started,
125 read the pfctl manpage;
126
127 # with anchor
128 # pfctl -vsA
129 # pftcl -a fwsam -sT
130 # pfctl -a fwsam -t blockin -Ts
131 # pfctl -a fwsam -t blockin -sr
132
133 # without anchor
134 # pftcl -sT
135 # pfctl -t blockin -Ts
136
137
138- test snortsam blocking with "telnet $your_ip 11111" from any remote machine.
139 You should see a "TEST block 11111/tcp" alert in syslog, a message
140 "Blocking $src_ip" in snortsam.log, and $src_ip listed in the output from
141 "pfctl -a <anchor> -t <table> -Ts" or "pfctl -t <table> -Ts"
142
143 All traffic from $src_ip to $your_ip should be blocked now. After 5 minutes
144 you should see "Unblocking $src_ip" in snortsam.log, $src_ip removed from the
145 <table>, and traffic from $src_ip to $your_ip should be allowed again.
146
147 At least, that would be *expected* behavior. Prepare for debugging with pfctl
148 if it doesn't work out right.
149
150- test yourself the different kill options, for example during a file transfer
151 or simple with ping in both directions.
152
153 # pfctl -ss | grep $src_ip
154 # tcpdump -net -i pflog0 host $src_ip
155
156-------------------------------------------------------------------------------
157$Id: README.pf2,v 1.2 2009/11/27 01:39:39 fknobbe Exp $
158
README.rules
1README.rules - Frank Knobbe <frank@knobbe.us>
2-------------------------------------------------------------------------------
3
4This file explains the syntax of the "fwsam" statement in the Snort rule files.
5It is currently just ripped from the old FAQ. I may clean it up later if needed.
6
7
8
9Once the snort.conf file is configured, you need to modify the rules so that
10they invoke the blocking request. This is done by adding following
11statement to the rule:
12
13 fwsam: who[how],time;
14
15 who: Can be: src, source, dst, dest, destination
16
17 IP address to be blocked according to snort rule (some rules are
18 reversed, i.e. homenet -> any and you want to block any, so DST
19 would be appropriate)
20
21 how: Optional. Can be: In, out, src, dest, either, both, this, conn,
22 or connection
23 Tells the firewall to block packets INcoming from host, OUTgoing
24 to host, EITHERway, or only THIS connection (IP/service pair).
25 (If you have a Checkpoint firewall, See 'fw sam' for more
26 information.)
27
28 time: Duration of block in seconds. (Accepts 'days', 'months', 'weeks',
29 'years', 'minutes', 'seconds', 'hours'. Alternatively, a value
30 of 0, or the keyword 'PERManent', 'INFinite', or 'ALWAYS', will
31 block the host permanently. Be very careful with this!)
32 Tells the firewall how long to block packets from the host.
33
34Examples:
35
36 fwsam: src[either],15min (blocks to and from source for 15 minutes)
37 or dst[in], 2 days 4 hours (blocks from dest. for 2 days and 4 hours)
38 or src, 1 hour (blocks to and from source for an hour)
39
40Defaults to: src[either],5min
41
42That means "fwsam: dst" will block the destination (right IP in Snort rule)
43inbound and outbound for 5 minutes.
44
45
46This statement is very dependent on the rule itself. Here are some
47real Snort example rules:
48
49alert tcp any any -> $HTTP_SERVERS 80
50 (msg:"WEB-MISC http directory traversal"; flags: A+;
51 content: "..\\";reference:arachnids,298; fwsam: 15 minutes;)
52
53The rule applies to a connection from any to your servers. That means
54the source is the attacker, the destination is you. The above fwsam
55statement will block the source for 15 minutes.
56
57alert tcp $HOME_NET 23 -> any any
58 (msg:"TELNET not on console"; flags: A+;
59 content:"not on system console"; nocase;
60 reference:arachnids,365; fwsam: dest, 1 day;)
61
62This rule applies to connections from your host to the attacker. The
63source is your system, the destination is the attacker. That means
64you would want to block the destination. Above fwsam statement will
65block the destination for a whole day.
66
67Both examples will block incoming and outgoing connections to the
68attackers. If you wanted to block only incoming connections, but want
69to allow outgoing connections to the attacker (maybe for an
70investigative scan), then the fwsam statements would have to be
71modified with [in] to explicitly block only incoming connections.
72
73i.e. fwsam: src[in], 15 minutes
74 fwsam: dest[in], 1 day
75
76For modifying Snort rules, it is best that you first figure out, who
77you want to block (which depends on the rule itself). Then you have to
78decide if you want to completely block the offender, or only block
79incoming (or perhaps only block outgoing connections). Finally,
80decide how long you want to block them.
81
82It is recommended that you start with short time intervals for
83testing purposes and increase the time once the rule is 'tuned'.
84
85
86Instead of modifying the Snort rules, you can also create a file named
87sid-block.map which has to be in the same directory as Snort's sid-msg.map
88file (typically etc). In this file you can list the fwsam option using
89following syntax:
90
91 <sid>:<option>
92
93For example:
94
95 1023: src, 15 min
96
97 Alternatively, you may use a | (pipe) instead of a : (colon).
98 This has the same effect as adding "fwsam: src, 15min;" to the Snort rule
99 with SID 1023.
100
101 You can specify options in both places (rules and sid-block.map file), but
102 the sid file takes priority. The file has to be in the same directory as the
103 other Snort config files (ie. sid-msg.map).
104
105-------------------------------------------------------------------------------
106$Id: README.rules,v 1.1 2004/06/23 19:48:11 fknobbe Exp $
107
108
README.slackware
1README.slackware - Joey Moe <family_geek@yahoo.com>
2############################################################################
3# This Readme file is a walk-through for installing Snort with the SnortSAM
4# plugin on a computer running Slackware 10. They do not tell you how to
5# configure Snort or SnortSAM, since there is already README files for this
6# and every installation is unique, but it will be thorough. This walk-through
7# assumes that you are saving these files to /usr/local/src. This is not a
8# mandatory location, but it is the most common.
9#
10# ~ jmoe ~
11#
12##############################################################################
13########## DEPENDANCIES ##########
14##############################################################################
15# First there are a few dependancies that you will have to install. These are
16# not needed to run Snort, but they will be needed to run SnortSAM later. The
17# dependancies need to be installed in the order listed here:
18#
19# libgpg-error-1.0 (http://bent.latency.net/bent/darcs/libgpg-error-1.0/src)
20#
21# To install:
22# tar zxvf libgpg-error-1.0.tar.gz
23# change directories to the libgpg-error-1.0 folder
24# ./configure
25# make
26# make install
27# make clean
28#
29# libgcrypt-1.2.0 (http://lists.gnupg.org/pipermail/gnupg-announce/2004q2/000167.html)
30#
31# To install:
32# tar zxvf libgcrypt-1.2.0.tar.gz
33# change directories to the libgcrypt-1.2.0 folder
34# ./configure
35# make
36# make install
37# make clean
38# Restart the computer
39#
40# gnutls-1.0.24 (http://lists.gnupg.org/pipermail/gnutls-dev/2005-January/000807.html)
41#
42# To install:
43# tar zxvf gnutls-1.0.24.tar.gz
44# change directories to the gnutils-1.0.24 folder
45# ./configure
46# make
47# make install
48# make clean
49# Restart services
50#
51# libprelude-0.9.0-rc15 (http://www.prelude-ids.org/rubrique.php3?id_rubrique=6)
52#
53# To install:
54# tar zxvflibprelude-0.9.0-rc15.tar
55# change directories to the libprelude-0.9.0-rc14 folder
56# ./configure
57# make
58# make install
59# make clean
60# Restart services
61#
62# automake-1.9.2 (http://lists.gnu.org/archive/html/autoconf/2004-09/msg00203.html)
63#
64# To install:
65#
66# tar zxvf automake-1.9.2.tar.gz
67# change directories to the automake-1.9.2 folder
68# ./configure
69# make
70# make install
71# make clean
72#
73# (You might want to do a "automake --version" to verify that 1.9.2 is
74# your current version)
75#
76#
77# Now that you have your dependancies installed, now we have to install Snort.
78# I configured Snort to log to a MYSQL database, so I will be including this
79# in this README file.
80##############################################################################
81########## INSTALLING SNORT #########
82##############################################################################
83#
84# Snort-2.4.0 (www.snort.org)
85#
86# To Install:
87# tar zxvf snort-2.4.0.tar.gz
88# change directories to the Snort-2.4.0 folder
89# ./configure --with-mysql=/usr
90# make
91# make install
92# make clean
93#
94# Snort-2.4.0 does not include the rules folder. You will have to download the
95# current rule set. You can et this from www.snort.org. Make sure to copy this
96# to your snort-2.4.0 root directory or point your snort.conf file to the location
97# where you save it.
98#
99# With Snort installed we now have to create the MYSQL database. But before we
100# we can create the database we need to setup MYSQL. I chose to use the MYSQL
101# installation that came with the Slackware distro.
102#
103# MYSQL (OPTIONALLY: www.mysql.org)
104#
105# To Configure:
106# su mysql
107# mysql_install_database
108# /usr/bin/mysqld_safe &
109# /usr/bin/mysqladmin -u root password "your password"
110# (DO NOT INCLUDE QUOTES! This sets your MYSQL admin password)
111# mysql -u root -p
112# (You will be prompted for the password you just provided)
113# (Once you enter a password you will be given a MYSQL prompt)
114# create database snort;
115# (you must include the semicolon at the end)
116# connect snort;
117# source /usr/local/src/snort-2.4.0/schemas/create_mysql;
118# (you will see the creation of numerous tables)
119# (as verification, check the tables)
120# show tables;
121#
122# Next you wan to set permissions for your new snort database. This includes
123# both accounts and passwords:
124#
125# grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort;
126# grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
127# grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to root;
128# grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to root@localhost;
129#
130# set password for 'snort'@'%'=password('your password');
131# set password for 'root'@'%'=password('your password');
132# set password for 'snort'@'localhost'=password('your mysql password');
133# set password for 'root'@'localhost'=password('your mysql password');
134#
135# exit;
136# (you will be brought back to a command line prompt)
137# exit;
138# (you should be brought back to a root prompt)
139#
140#
141# Next we need to download and install a package that is supposed to enhance
142# the Snort MYSQL database. This file is snortdb-extra.gz. We need to download
143# it to the /snort-2.4.0/contrib folder, (DO NOT UNCOMPRESS IT).
144#
145# snortdb-extra.gz (http://cvs.snort.org/viewcvs.cgi/snort/contrib/Attic/snortdb-extra.gz)
146#
147# zcat /usr/local/src/snort-2.4.0/contrib/snortdb-extra.gz | mysql -p snort
148#
149# Now we have to adjust the snort.conf file to work with the newly configured
150# snort database:
151#
152# vi /usr/local/src/snort-2.4.0/etc/snort.conf
153# :set number (this allows you to see the line numbers)
154#
155# On line 575 you will uncomment the line (remove the proceeding pound sign)
156# and make the following changes to the user, password, dbname, and host
157# fields:
158# "user"= the account you want to use to access the MYSQL snort database
159# "password"= password for the "user" you selected
160# "dbname"=snort
161# "host"=name of the localhost
162#
163# From here, you can escape, save, and exit.
164#
165# You have to create a folder in the /var/log directory for snort to log to,
166# or else you will get an error
167#
168# mkdir /var/log/snort
169#
170# This would be a good time to verify that Snort is working. While there are
171# numerous options for snort to use, I am only using the option to log to the
172# snort database. -c option takes one argument: the path to the snort.conf
173# file.
174#
175# snort -c /usr/local/src/snort-2.4.0/etc/snort.conf
176#
177##############################################################################
178########## INSTALLING SNORTSAM ##########
179##############################################################################
180# Now that you know snort is working correctly, now it is time to take it up a
181# notch. I know there are many different scenarios and even more opinions of
182# how to deploy your SnortSAM setup, this README file assumes you are
183# installing Snort and SnortSAM on the same machine.
184#
185# You have to move to the SnortSAM directory and change the permissions on the
186# shell script that creates snortsam:
187#
188#
189# tar zxvf snortsam-src-2.40.tar.gz (www.snortsam.net/download.html)
190# change directories to the snortsam folder
191# chmod +x makesnortsam.sh
192# ./makesnortsam.sh
193#
194# This creates two programs. (snortsam and snortsam-debug).Move these programs
195# to the /usr/local/bin folder.
196##############################################################################
197########## PATCHING SNORT ##########
198##############################################################################
199# This is the last step to getting Snort to work with SnortSAM. It takes a
200# little bit of work, but the pay off is huge. We have to first change the
201# permissions on the patchsnort.sh file and then run it. The patch takes only
202# one argument, the path to the snort-2.4.0 folder:
203#
204# tar zxvf snortsam-patch.tar.gz (www.snortsam.net/download.html)
205# rename the folder "snortsam-patch"
206# change directories to the snortsam-patch
207# chmod +x patchsnort.sh
208# ./patchsnort.sh /usr/local/src/snort-2.4.0
209#
210# At this point, you have change directories so you wind up in the snort-2.4.0
211# folder. Once in the snort-2.4.0 directory, you have to run the following
212# commands in the following order:
213#
214# aclocal
215#
216# When you run aclocal, you will get a small series of errors. This is
217# a quick run down of the files and modifications you need to make to
218# fix these:
219#
220# In the file configure.in you will need to make the following changes:
221#
222# - Line 169 originally looks like this:
223# AC_DEFUN(SN_CHECK_DECL,[
224#
225# Change the line so it reads:
226# AC_DEFUN([SN_CHECK_DECL],[
227#
228# - Line 202 originally looks like this:
229# AC_DEFUN(SN_CHECK_DECL,
230#
231# Change the line so it reads:
232# AC_DEFUN([SN_CHECK_DECL],
233#
234# - Line 298 originally looks like this:
235# AC_DEFUN(FAIL_MESSAGE,[
236#
237# Change the line so it reads:
238# AC_DEFUN([FAIL_MESSAGE],[
239#
240#
241# In the file /usr/local/share/aclocal/libgcrypt.m4 you will need to
242# make the following changes:
243#
244# - Line 23 originally looks like this:
245# AC_DEFUN(AM_PATH_LIBGCRYPT,
246#
247# Change the line so it reads:
248# AC_DEFUN([AM_PATH_LIBGCRYPT],
249#
250# Now that aclocal is not reporting any errors you can finish the rest
251# of the snort patch process without any problems:
252#
253# autoheader
254# automake --add-missing
255# autoconf
256#
257# Finally, you have to configure snort the same way you did when when we first
258# installed it. Don't forget to include the MYSQL option for database support.
259#
260# From this point please see the respective README files for configuring Snort
261# and SnortSAM. These files will show you how to fine tune your installation
262##############################################################################
263##############################################################################
264$Id: README.slackware,v 1.2 2005/11/10 11:03:47 fknobbe Exp $
265
266
README.snmp_interface_down
1README.snmp_interface_down - Ali Basel <ali@basel.name.tr>
2-------------------------------------------------------------------------------
3
4This plugin may be used to stop local intruders by shutting-down their switch port.
5
6This plugin uses the database of the trackerd (http://www.basel.name.tr/projects/tracker/index.html), so it must be set up and running.
7
8All the "snmp_interface_down" plugin does is only to call the shell script "trackersnmp" with the IP address to be blocked; so, before using this pluging, you should test that the above script runs without any problem.
9
10So what does trackersnmp ?
11--------------------------
12Network Tracker builds a table which records which user is connected on which port of a switch by scanning SNMP-enabled devices. It keeps the inventory of these devices up-to-date by scanning the network regularly. Devices are also checked with ping and SNMP, and the user is informed by email when any of the devices is not alive.
13
14trackersnmp first, finds the given IP in that database to obtain the switch IP, SNMP community names, switch port number and ifindex of that port.
15Before shutting down the switch port, trackersnmp queries the switch to be sure that the port belongs really to the given IP, and then, shuts down the port using SNMP.
16It can also send e-mail which contains all of its output.
17
18For more information about trackersnmp please read its documenation.
19
20
21
22To use that plugin add the line below into the snortsam config file:
23snmpinterfacedown /full_path_of_the/trackersnmp
24
25
26
27If the given IP couldn't be found in the trackerd database, no things happen.
28
29Using than plugin is a very effective, but do not forget to define your servers in the "dontblock" list of the snortsam config file.
30
31
32-------------------------------------------------------------------------------
33$Id: README.snmp_interface_down,v 2.0 2005/07/10 21:17:05 fknobbe Exp $
34
35
README.wgrd
1README.watchguard - Thomas Maier <Thomas.Maier@arcos.de>
2-------------------------------------------------------------------------------
3
4The Watchguard plugin supports all WatchGuard Firebox System 5.0 or later
5versions. But NOT the SOHO-Box.
6
7The Watchguard Plugin requires the additional software 'fbidsmate', which is
8available from the Watchguard website. Download is only permitted if you have
9an active service contract. Perhaps you find similar files elsewhere on the
10Internet. There are three different versions depending on the target OS.
11
12ec56fa37eaba84d0a52dd111db76dcf9 fbidsmate.exe (for Windows NT/98/2000)
1315245ba11f109d35fddf424aea42afe9 fbidsmate (for Solaris)
1474d0b4842b7149474f23c7ab83a2962c fbidsmate (for Linux)
15
16To start support for Watchguard you have to add one line to the snortsam.conf
17for each Watchguard you want to initiate the block on. Use the following
18syntax:
19
20 watchguard <path/to/fbidsmate> <ip-of-firebox> <configpassword>
21
22Also you can store the configuration passphrase in encrypted form,
23so you don't have to leave it in the clear in your snortsam.conf. Then you
24can use the following syntax:
25
26 watchguard <path/to/fbidsmate> <ip-of-firebox> file <configpassfile>
27
28To create this configpassfile
29
30 ./fbidsmate import_passphrase <config_passphrase> <filename>
31
32This stores the passphrase in the indicated file with 3DES encryption.
33Example:
34
35 ./fbidsmate import_passphrase mySecretPass /etc/fbidsmate.passphrase
36
37Here an example snortsam.conf with viewable password
38
39# cat /etc/snortsam.conf
40accept 10.10.0.26
41defaultkey secret
42watchguard /bin/fbidsmate 10.1.0.1 mySecretPass
43logfile /var/log/snortsam.log
44loglevel 3
45
46Here the same example snortsam.conf with password encrypted in file
47
48# cat /etc/snortsam.conf
49accept 10.10.0.26
50defaultkey secret
51watchguard /bin/fbidsmate 10.1.0.1 file /etc/fbidsmate.passphrase
52logfile /var/log/snortsam.log
53loglevel 3
54
55Thomas Maier
56Thomas.Maier@arcos.de
57
58-------------------------------------------------------------------------------
59$Id: README.wgrd,v 2.1 2003/03/09 23:58:35 fknobbe Exp $
60
61