Snort mailing list archives
RE: O.T. Question Cisco Shunning and Snort
From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Fri, 1 Aug 2003 09:23:09 -0500
I am doing this currently, using a Pix and the 'shun' capability. I implemented this in Perl, calling out to Expect scripts to do the actual shunning and un-shunning. This really could be done w/ any CLI firewall or ACL-capable device - just tweak the Expect scripts that get called. I believe that SnortSAM also does this (I don't know if it uses Expect, but I know it can interface w/ a number of different devices).

Blocking can be done using info logged to the 'alert' file. The basic gist of how I personally accomplished this is:

- Open a read-handle on the 'alert' file. Seek to the end, and start doing timed reads of the file.
- Perform regex matching of signatures specified in a conf file.
- If a match is made, parse out the offending IP address.
- Compare this IP address to addresses that A> have already been blocked (to handle cases where you get 50 alerts from the same IP in a short period), and B> IP addresses that should never be blocked (critical links, auditing systems, etc.)
- If the IP address passed muster (i.e. it is perceived as a legitimate bad guy), call an expect script to shun the ip address and log it as such.

I also have a facility in place to clear the shuns after a conf-file definable duration of time.
Here's an example of how to interface w/ a pix via Expect (normally I wouldn't paste code listings, but it's pretty short...):

**********
#!/usr/bin/expect
# Andrew Hutchinson, VUMC, 2002
set send_slow {1 .1}
set timeout 10
# Arguments: offending IP, PIX address, PIX username, PIX password, ssh cipher
set badboy_ip [lindex $argv 0]
set pix_ip [lindex $argv 1]
set pix_uname [lindex $argv 2]
set pix_password [lindex $argv 3]
set pix_cipher [lindex $argv 4]
# puts "$badboy_ip\n$pix_ip\n$pix_uname\n$pix_password\n$pix_cipher\n"
spawn ssh $pix_uname@$pix_ip -c $pix_cipher
# Log in; any timeout on the way in exits 0 (failure)
expect {
    "password:" {}
    timeout {exit 0}
}
send $pix_password\r
expect {
    ">" {}
    timeout {exit 0}
}
# Enter enable mode
send "enable\r"
expect {
    "Password:" {}
    timeout {exit 0}
}
send $pix_password\r
expect {
    "#" {}
    timeout {exit 0}
}
# Issue the shun and wait for the PIX to confirm it
send "shun $badboy_ip\r"
expect {
    "successful" {}
    timeout {send "exit\r";exit 0}
}
send "exit\r"
exit 1
**********

Returns 1 if the shun is set, 0 if there's a problem / timeout.

HTH,
Andrew

Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856
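The alert-matching and shun-tracking steps Andrew describes, as an added Python sketch that is not part of his Perl implementation or the original post. The alert lines, signature patterns, never-block list and duration are constructed for the example, and the call to the Expect shun script is replaced by a log entry.

```python
import re
import time

# Snort "fast"-format alert lines constructed for this example (not real traffic).
SAMPLE_ALERTS = [
    "08/01-09:10:01.000001  [**] [1:2003:1] SCAN SSH brute force attempt [**] [Priority: 2] {TCP} 203.0.113.7:51000 -> 192.0.2.10:22",
    "08/01-09:10:02.000002  [**] [1:2003:1] SCAN SSH brute force attempt [**] [Priority: 2] {TCP} 203.0.113.7:51001 -> 192.0.2.10:22",
    "08/01-09:10:03.000003  [**] [1:1000:1] WEB-MISC harmless probe [**] [Priority: 3] {TCP} 203.0.113.9:4000 -> 192.0.2.10:80",
    "08/01-09:10:04.000004  [**] [1:2003:1] SCAN SSH brute force attempt [**] [Priority: 2] {TCP} 192.0.2.5:4100 -> 192.0.2.10:22",
]
SHUN_PATTERNS = [re.compile(r"SSH brute force")]  # signatures that warrant a shun (from the conf file)
NEVER_BLOCK = {"192.0.2.5"}                       # auditing hosts, critical links, etc.
SHUN_DURATION = 3600                              # seconds before a shun is cleared

# Pull the signature name and the source IP out of one alert line (port is absent for ICMP).
ALERT_RE = re.compile(r"\[\*\*\] \[\d+:\d+:\d+\] (?P<sig>.+?) \[\*\*\].*?\{\w+\} "
                      r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)? -> ")

class Shunner:
    """Decides which alerts turn into a shun and when an existing shun is cleared."""
    def __init__(self, now=time.time):
        self.now = now
        self.active = {}   # ip -> time at which the shun expires
        self.log = []      # ("shun"|"unshun", ip) records, standing in for the Expect call

    def decide(self, line):
        """Return 'shun', 'already-blocked', 'never-block', or None when no signature matches."""
        m = ALERT_RE.search(line)
        if not m or not any(p.search(m["sig"]) for p in SHUN_PATTERNS):
            return None
        ip = m["src"]
        if ip in NEVER_BLOCK:
            return "never-block"
        if ip in self.active and self.active[ip] > self.now():
            return "already-blocked"   # 50 alerts from one IP still produce one shun
        self.active[ip] = self.now() + SHUN_DURATION
        self.log.append(("shun", ip))  # real code would run the Expect shun script here
        return "shun"

    def expire(self):
        """Release shuns older than SHUN_DURATION and return the IPs cleared."""
        released = [ip for ip, exp in self.active.items() if exp <= self.now()]
        for ip in released:
            del self.active[ip]
            self.log.append(("unshun", ip))  # real code would run the un-shun script here
        return released
```

Feed `decide()` each new line read from the tailed alert file and call `expire()` on the same timer that does the reads.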
-----Original Message-----
From: Brian Laing [mailto:brian.laing () blade-software com]
Sent: Thursday, July 31, 2003 7:06 PM
To: 'Björn Brombach'; 'Snort'
Subject: RE: [Snort-users] O.T. Question Cisco Shunning and Snort

Check out http://www.iss.net/support/product_utilities/realsecure_tech_center/tech_notes/index.php

It has instructions etc. on how to do this. It's for ISS RealSecure but would work for Snort with just a few modifications.

Cheers,
Brian
-------------------------------------------------------------------
Brian Laing
CTO Blade Software
Cellphone: +1 650.280.2389
Telephone: +1 650.367.9376
eFax: +1 650.249.3443
Blade Software - Because Real Attacks Hurt
http://www.Blade-Software.com
-------------------------------------------------------------------

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Björn Brombach
Sent: Thursday, July 31, 2003 5:53 AM
To: Snort
Subject: [Snort-users] O.T. Question Cisco Shunning and Snort

Hi!

I am currently testing with Snort and Active Responses using Guardian and a Cisco PIX firewall. The Cisco PIX Firewall supports shunning, which temporarily blocks certain IP addresses. Unfortunately I wasn't able to find any detailed information about the capabilities and all the options of shunning. I would be very happy for any hints on where to find further scripts to do shunning and more details on shunning.

Thanks
bb
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users