Snort mailing list archives

[snort-users] Blocking with a PIX


From: d.deboni () edexter it
Date: Tue, 11 May 2004 15:44:52 +0200

Hi to everyone,

I've configured snort with snortsam to block attacks from the outside.
It all worked perfectly when I tried it on a Cisco Router.

But now I need to do that with a Cisco PIX.

Here's the snortsam.conf file:

accept 127.0.0.1
pix <PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD>

When I try to launch both snort and snortsam I see these messages, and it 
seems that snortsam is applying the rules on the pix:

Checking for existing state file: Present. Reading State
Starting to listen for Snort alerts.
Accepted connection from 127.0.0.1
Accepted connection from 127.0.0.1
Adding sensor 127.0.0.1 to list.
Blocking host <IP> completely for 7200 seconds
Accepted connection from 127.0.0.1
Blocking host <IP> completely for 7200 seconds
Accepted connection from 127.0.0.1
Blocking host <IP> completely for 7200 seconds

and so on...

By the way, if I look at the Pix configuration there are no rules applied.
I know that the PIX Plugin uses the shun command to block IPs, and if I try 
it manually on the Pix it works.

I've tried to disable telnet for the Snort/Snortsam server on the Pix to 
see if Snortsam works anyway. If I do that SnortSam says it can't connect 
to Pix.
So it seems that SnortSam "works"....

Thanks for the help


Davide De Boni

Email: d.deboni () edexter it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
