Snort mailing list archives

RE: O.T. Question Cisco Shunning and Snort


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Fri, 1 Aug 2003 09:23:09 -0500

I am doing this currently, using a Pix and the 'shun' capability.  I implemented this in Perl, calling out to Expect 
scripts to do the actual shunning and un-shunning.  This really could be done w/ any CLI firewall or ACL-capable device 
- just tweak the Expect scripts that get called.  I believe that SnortSAM also does this (I don't know if it uses 
Expect, but I know it can interface w/ a number of different devices).

Blocking can be done using info logged to the 'alert' file.  The basic gist of how I personally accomplished this is:

- Open a read-handle on the 'alert' file.  Seek to the end, and start doing timed reads of the file.
- Perform regex matching of signatures specified in a conf file.
- If a match is made, parse out the offending IP address.
- Compare this IP address to addresses that A> have already been blocked (to handle cases where you get 50 alerts from 
the same IP in a short period), and B> IP addresses that should never be blocked (critical links, auditing systems, 
etc.)
- If the IP address passed muster (i.e. it is perceived as a legitimate bad guy), call an expect script to shun the ip 
address and log it as such.

I also have a facility in place to clear the shuns after a conf-file definable duration of time.

Here's an example of how to interface w/ a pix via Expect (normally I wouldn't paste code listings, but it's pretty 
short...):

**********

#!/usr/bin/expect
# Andrew Hutchinson, VUMC, 2002
#
# Arguments: <badboy_ip> <pix_ip> <pix_uname> <pix_password> <pix_cipher>
# Exit status: 1 if the shun was set, 0 on any problem / timeout.

set send_slow {1 .1}
set timeout 10

# the IP to shun, then the PIX login details and the SSH cipher to request
set badboy_ip [lindex $argv 0]
set pix_ip [lindex $argv 1]
set pix_uname [lindex $argv 2]
set pix_password [lindex $argv 3]
set pix_cipher [lindex $argv 4]

# puts "$badboy_ip\n$pix_ip\n$pix_uname\n$pix_password\n$pix_cipher\n"

# ssh to the PIX; every expect block below bails out with exit 0 on timeout
spawn ssh $pix_uname@$pix_ip -c $pix_cipher
expect {
        "password:" {}
        timeout {exit 0}
}
send $pix_password\r
expect {
        ">" {}
        timeout {exit 0}
}
# go to enable mode (the enable password is the same as the login one here)
send "enable\r"
expect {
        "Password:" {}
        timeout {exit 0}
}
send $pix_password\r
expect {
        "#" {}
        timeout {exit 0}
}
# set the shun and wait for the PIX to confirm it
send "shun $badboy_ip\r"
expect {
        "successful" {}
        timeout {send "exit\r";exit 0}
}
send "exit\r"

# only reached when the shun was confirmed
exit 1

**********

Returns 1 if the shun is set, 0 if there's a problem / timeout.


HTH,

Andrew

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
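The decision steps listed above, as an added Python example (not the poster's Perl/Expect code, and not SnortSAM): it tails the 'alert' file, matches configured signatures against the alert message, parses the source IP, skips already-blocked and never-block addresses, hands the IP to a shun action, and expires shuns after a fixed duration. The shun/unshun actions are callables so an Expect script like the one above can be plugged in; the alert lines, signature pattern and never-block network are constructed sample values, and the fast-format alert layout is assumed to be what the 'alert' file contains.

```python
"""Alert-driven shun controller (added example, not the poster's code)."""
import ipaddress
import os
import re
import time
from typing import Callable, Dict, Iterable, Iterator, List, Optional, Tuple

# Snort "fast" alert line (assumed layout), e.g.
# 08/01-09:23:09.000001 [**] [1:1000001:1] MSG [**] [Classification: ...] [Priority: 2] {TCP} 198.51.100.7:40000 -> 10.0.0.5:22
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)


def parse_alert(line: str) -> Optional[dict]:
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None


def follow(path: str, poll_seconds: float = 1.0) -> Iterator[str]:
    """Yield lines appended to the alert file: seek to the end, then do timed reads."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        fh.seek(0, os.SEEK_END)
        while True:
            line = fh.readline()
            if line:
                yield line
            else:
                time.sleep(poll_seconds)


class ShunController:
    def __init__(self, signatures: Iterable[str], never_block: Iterable[str],
                 shun_seconds: int, shun: Callable[[str], bool],
                 unshun: Callable[[str], bool], clock: Callable[[], float] = time.time):
        # signature regexes and never-block networks would come from the conf file
        self.signatures = [re.compile(s) for s in signatures]
        self.never_block = [ipaddress.ip_network(n) for n in never_block]
        self.shun_seconds = shun_seconds
        self.shun, self.unshun, self.clock = shun, unshun, clock
        self.active: Dict[str, float] = {}  # source IP -> expiry timestamp

    def is_protected(self, ip: str) -> bool:
        """True for critical links, auditing systems, etc. that must never be blocked."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.never_block)

    def handle_line(self, line: str) -> str:
        """Process one alert line and return the decision taken on it."""
        alert = parse_alert(line)
        if alert is None:
            return "unparsed"
        if not any(sig.search(alert["msg"]) for sig in self.signatures):
            return "nomatch"
        ip = alert["src"]
        if self.is_protected(ip):
            return "protected"
        if ip in self.active:
            return "already-blocked"  # e.g. 50 alerts from the same IP in a short period
        if self.shun(ip):
            self.active[ip] = self.clock() + self.shun_seconds
            return "shunned"
        return "shun-failed"

    def expire(self) -> List[str]:
        """Clear shuns whose duration has elapsed; return the IPs released."""
        now = self.clock()
        released = []
        for ip, until in list(self.active.items()):
            if until <= now and self.unshun(ip):
                del self.active[ip]
                released.append(ip)
        return released


# Constructed sample alert lines (RFC 5737 documentation addresses).
SAMPLE_ALERTS = [
    "08/01-09:23:09.000001 [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 10.0.0.5:22",
    "08/01-09:23:10.000002 [**] [1:1000001:1] SCAN nmap TCP [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40001 -> 10.0.0.5:23",
    "08/01-09:23:11.000003 [**] [1:1000002:1] SCAN nmap TCP [**] [Priority: 2] {TCP} 192.0.2.5:40002 -> 10.0.0.5:80",
    "08/01-09:23:12.000004 [**] [1:1000003:1] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.9 -> 10.0.0.5",
]


def run_samples(shun_seconds: int = 3600) -> Tuple[List[str], List[str], List[str]]:
    """Feed the sample lines through a controller with a fake clock and recording actions."""
    now = [1_000_000.0]
    actions: List[str] = []
    ctl = ShunController(
        signatures=[r"^SCAN "],              # constructed signature pattern
        never_block=["192.0.2.0/24"],        # constructed never-block network
        shun_seconds=shun_seconds,
        shun=lambda ip: actions.append(f"shun {ip}") or True,
        unshun=lambda ip: actions.append(f"unshun {ip}") or True,
        clock=lambda: now[0],
    )
    decisions = [ctl.handle_line(line) for line in SAMPLE_ALERTS]
    now[0] += shun_seconds + 1               # let the configured duration elapse
    return decisions, ctl.expire(), actions


if __name__ == "__main__":
    print(run_samples())
```

In production the `shun`/`unshun` callables would spawn the Expect script and translate its exit status into True/False; `follow()` replaces `SAMPLE_ALERTS` as the line source, with `expire()` called on each poll.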


-----Original Message-----
From: Brian Laing [mailto:brian.laing () blade-software com] 
Sent: Thursday, July 31, 2003 7:06 PM
To: 'Björn Brombach'; 'Snort'
Subject: RE: [Snort-users] O.T. Question Cisco Shunning and Snort


Check out

http://www.iss.net/support/product_utilities/realsecure_tech_center/tech_notes/index.php

It has instructions etc. on how to do this.  It's for ISS RealSecure but
should work for Snort with just a few modifications.

Cheers,
Brian


-------------------------------------------------------------------
Brian Laing
CTO
Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax: +1 650.249.3443
Blade Software - Because Real Attacks Hurt 
http://www.Blade-Software.com
-------------------------------------------------------------------
 

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Björn
Brombach
Sent: Thursday, July 31, 2003 5:53 AM
To: Snort
Subject: [Snort-users] O.T. Question Cisco Shunning and Snort


Hi!
I am currently testing Active Responses with Snort using Guardian and a
Cisco PIX firewall. The Cisco PIX Firewall supports shunning, which
temporarily blocks certain IP addresses. Unfortunately I wasn't able to
find any detailed information about the capabilities and all the
options of shunning. I would be very happy for any hints where to find
further scripts to do shunning and more details on shunning.

Thanks
bb



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet
_072303_01
/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


