Snort mailing list archives

RE: [snort-users] Blocking with a PIX


From: "Hutchinson, Andrew" <andrew.hutchinson () Vanderbilt Edu>
Date: Tue, 11 May 2004 09:26:22 -0500

The shuns won't show up in the rulebase.  Connect to the pix, get to an
enable prompt, and type 'sh shun' to see if the shuns are being applied.
It should show a list of the current shuns in place.
 
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856


        -----Original Message-----
        From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of d.deboni () edexter it
        Sent: Tuesday, May 11, 2004 8:45 AM
        To: snort-users () lists sourceforge net
        Subject: [snort-users] Blocking with a PIX
        
        

        Hi to everyone, 
        
        I've configured snort with snortsam to block attacks from the outside. 
        It all worked perfectly when I tried it on a Cisco Router. 
        
        But now I need to do that with a Cisco PIX. 
        
        Here's the snortsam.conf file: 
        
        accept 127.0.0.1 
        pix <PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD> 
        
        When I try to launch both snort and snortsam I see these messages, and it seems that snortsam is applying the rules on the pix: 
        
        Checking for existing state file: Present. Reading State 
        Starting to listen for Snort alerts. 
        Accepted connection from 127.0.0.1 
        Accepted connection from 127.0.0.1 
        Adding sensor 127.0.0.1 to list. 
        Blocking host <IP> completely for 7200 seconds 
        Accepted connection from 127.0.0.1 
        Blocking host <IP> completely for 7200 seconds 
        Accepted connection from 127.0.0.1 
        Blocking host <IP> completely for 7200 seconds 
        
        and so on... 
        
        By the way, if I look at the Pix configuration there are no rules applied. 
        I know that the PIX Plugin uses the shun command to block IP, and if I try it manually on the Pix it works. 
        
        I've tried to disable telnet for the Snort/Snortsam server on the Pix to see if Snortsam works anyway. If I do that SnortSam says it can't connect to Pix. 
        So it seems that SnortSam "works".... 
        
        Thanks for help 
        
        
        Davide De Boni
        
        Email: d.deboni () edexter it
        
        e.Dexter S.P.A.
        C.so Risorgimento 5
        28823 Ghiffa (VB)
        ITALIA
        Tel +39.0323.407733
        Fax +39.0323.53558

