Re: Automatically block IP on firewall box from snort IDS

[John Ives <jives () security berkeley edu>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

To give you another option, though one that would require installing
yet another tool (it does have its own uses), you could also look at
using OSSEC. It has the ability to launch scripts based upon events
(syslogd or via its agent) and already has some scripts for
manipulating firewall rules. Additionally, it has can monitor other
logs like web, mail, etc. for events that you may want to generate a
reaction from (say a attack going over SSL) that IDS may not see.

Yours,

John


On 9/18/2012 10:31 AM, beenph wrote:
> On Tue, Sep 18, 2012 at 1:10 PM, Joel Esler <jesler () sourcefire com>
> wrote:
> > I haven't used barnyard2 in years, but it is my understanding,
> > and I'd like to see beenph comment on this thread that Snortsam's
> > functionality has moved into the barnyard2 codebase.  It may be
> > in the git master build (not yet rolled into an official
> > release)
>
> I have never tested the plugin which was originay written by Frank 
> Knowbles and Integrated in by2 by Firnsy Its part of by2 since
> 2-1.9.
>
> > From what i understand the plugin will communicate with the
> > snortsam
> agent and the agent will dispatch the blocking mechanism based on
> how it is configured.
>
> I will snip part of the info found in the conf file and in code
> comment.
>
> /* * Purpose: * * This module sends alerts to a remote service on a
> host running SnortSam * (the agent) which will block the intruding
> IP address on a variety of * host and network firewalls. * *
> SnortSam also performs checks against a white-list of 
> never-to-be-blocked IP addresses, * can override block durations
> (for example for known proxies), and can detect attack conditions *
> where too many blocks are received within a defined interval. If
> an attack is detected * it will unblock the last x blocks and wait
> for the attack to end. * * See the SnortSam documentation for more
> information. * * * Output Plugin Parameters: 
> *************************** * * output alert_fwsam: <SnortSam
> Station>:<port>/<key> * *  <FW Mgmt Station>:  IP address or host
> name of the host running SnortSam. *  <port>:         Port the
> remote SnortSam service listens on (default 898). *  <key>:
> Key used for authentication (encryption really) *              of
> the communication to the remote service. * * Examples: * * output
> alert_fwsam: snortsambox/idspassword * output alert_fwsam:
> fw1.domain.tld:898/mykey * output alert_fwsam: 192.168.0.1/borderfw
> 192.168.1.254/wanfw * * * sid-fwsam Parameters: 
> *********************** * * <sid>:   who[how],time; * *  who: src,
> source, dst, dest, destination *          IP address to be blocked
> according to snort rule (some rules *          are reversed, i.e.
> homenet -> any [and you want to block any]). *          src denotes
> IP to the left of -> and dst denotes IP to the right * *  how:
> Optional. In, out, src, dest, either, both, this, conn, connection 
> *          Tells SnortSam to block packets INcoming from host, 
> OUTgoing to host, *          EITHERway, or only THIS connection
> (IP/Service pair). *          See 'fw sam' on Firewall-1 for more
> information. *          This option may be ignored by other
> plugins. * * time: Duration of block in seconds. (Accepts 'days',
> 'months', 'weeks', *       'years', 'minutes', 'seconds', 'hours'.
> Alternatively, a value of *       0, or the keyword PERManent,
> INFinite, or ALWAYS, will block the *       host permanently. Be
> careful with this! *          Tells SnortSam how long to inhibit
> packets from the host. * * Examples: * * 1487: src[either],15min; *
> 1292: dst[in], 2 days 4 hours * 1638: src, 1 hour * */
>
> -elz
>
>
>
>
> > -- Joel Esler Senior Research Engineer, VRT OpenSource Community
> > Manager Sourcefire
> >
> >
> > On Sep 18, 2012, at 7:15 AM, Pratik Narang
> > <pratik.cse.bits () gmail com> wrote:
> >
> > Isnt Snortsam functionality already there in Barnyard2 ??
> >
> >
> > On Tue, Sep 18, 2012 at 4:41 PM, Kevin Ross
> > <kevross33 () googlemail com> wrote:
> > > Use snortsam for this http://www.snortsam.net/
> > >
> > > Regards, Kevin
> > >
> > >
> > > On 18 September 2012 10:40, ML mail <mlnospam () yahoo com>
> > > wrote:
> > > > Hello,
> > > >
> > > > I have a network configuration where I run snort separately
> > > > on a dedicated Linux box and have therefore another OpenBSD
> > > > box which is dedicated to the firewall task. Now because
> > > > these two security tasks are not on the same physical machine
> > > > I was wondering how can I automatically block on my OpenBSD
> > > > firewall specific events which happens on my snort box?
> > > >
> > > > For example, I see some brute force SSH login attemps to my
> > > > network coming from a specific external IP. Here I would like
> > > > to block that external IP on my OpenBSD firewall for let's
> > > > say 1 hour. What would be the best solution to do that?
> > > >
> > > > Thanks for your suggestions.
> > > >
> > > > Best, ML
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
Live Security Virtual Conference
> > > > Exclusive live event will cover all the ways today's security
> > > > and threat landscape has changed and how IT managers can
> > > > respond. Discussions will include endpoint security, mobile
> > > > security and the latest in malware threats.
> > > > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
> > > > _______________________________________________ Snort-users
> > > > mailing list Snort-users () lists sourceforge net Go to this URL
> > > > to change user options or unsubscribe: 
> > > > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > > > Snort-users list archive: 
> > > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > > >
> > > > Please visit http://blog.snort.org to stay current on all the
> > > > latest Snort news!
> > >
> > >
> > >
> > >
> > > ------------------------------------------------------------------------------
Live Security Virtual Conference
> > > Exclusive live event will cover all the ways today's security
> > > and threat landscape has changed and how IT managers can
> > > respond. Discussions will include endpoint security, mobile
> > > security and the latest in malware threats.
> > > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
> > > _______________________________________________ Snort-users
> > > mailing list Snort-users () lists sourceforge net Go to this URL
> > > to change user options or unsubscribe: 
> > > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > > Snort-users list archive: 
> > > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> > >
> > > Please visit http://blog.snort.org to stay current on all the
> > > latest Snort news!
> >
> >
> > ------------------------------------------------------------------------------
Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security
> > and threat landscape has changed and how IT managers can respond.
> > Discussions will include endpoint security, mobile security and
> > the latest in malware threats. 
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/_______________________________________________
Snort-users mailing list
> > Snort-users () lists sourceforge net Go to this URL to change user
> > options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
> >
> >
> >
> > ------------------------------------------------------------------------------
Live Security Virtual Conference
> > Exclusive live event will cover all the ways today's security
> > and threat landscape has changed and how IT managers can respond.
> > Discussions will include endpoint security, mobile security and
> > the latest in malware threats.
> > http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
> > _______________________________________________ Snort-users
> > mailing list Snort-users () lists sourceforge net Go to this URL to
> > change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the
> > latest Snort news!
>
> ------------------------------------------------------------------------------
Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and 
> threat landscape has changed and how IT managers can respond.
> Discussions will include endpoint security, mobile security and the
> latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ 
> _______________________________________________ Snort-users mailing
> list Snort-users () lists sourceforge net Go to this URL to change
> user options or unsubscribe: 
> https://lists.sourceforge.net/lists/listinfo/snort-users 
> Snort-users list archive: 
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the
> latest Snort news!

- -- 
- -------------------------------------------------------------------------
John Ives
System & Network Security                           Phone (510) 229-8676
University of California, Berkeley
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQEcBAEBAgAGBQJQWQtyAAoJEJkidK6qbywskY8H/0AdE/11OJNul5AuMQYos5J2
3QYGHIuKwtWHJTtiX6/NjtLzJz39MuJqtK6JxYGz/wE0z4ZUCiu3rJQNiXqZ7xi4
ly6k46j7pw9BAETj5A/qeS52gs2ocZzfKGiHn1aJjtXf1ghzxivEuc9cR2O5QViT
yhvA6njZn+crJEeqDxPFOjtZ4tOuSqYOG+BSFFI8ORcxJRk8X1twRiE38XA5Kmtz
hVPjq75vduxquf7x53w6jeCsYWWBP5AZBKoJQmmG7ZCCBfQ3HyYjIKkmqMdHWcpV
E9aX/iAnfVofZ2lPSaTXg/ahPOg04l7ZKWQ1a+D1/h1aM2kQ6ggCtmrqAKJ8LY8=
=F07x
-----END PGP SIGNATURE-----

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and 
threat landscape has changed and how IT managers can respond. Discussions 
will include endpoint security, mobile security and the latest in malware 
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!