[FW1] Snort and FW-1 (was ISS - Cheaper alternatives?)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Wow... I didn't expect that many inquiries about the scripts I mentioned. The original posting was:

> You can use SNORT, it's for free, but I don't think that it is integrated
> with Firewall-1.

Okay, so here they are. BTW: This posting is going to the Firewall-1 list and the Snort-Users list. The attached batch files are in clear text, so no huge amount of code is submitted to the list(s). Heck, the total size of this email may even be shorter than some replies (you know, those where the poster doesn't cut the replied text and footers... :)

Attached are two batch files. Please be gentle with me regarding their names. A program called snort is just asking for this. *grin*

The first batch file is called SPIT.BAT. It will monitor the ALERT.IDS log file of snort for changes, and if detected, it will send those changes using cryptcat to the receiver batch file. The reason for the implementation like this is simple. Since you will most likely have multiple sensors deployed, you will also have multiple spit batch files. All these report to a central receiver batch file, called TISSUE.BAT, that is located on the firewall management station. Also, using cryptcat, the data is encrypted so that no one (without knowing the password) is able to send fake blocking notifications.

spit.bat is called with the name (or IP address) of your FW-1 management station. Hard code it if you like. There are a few requirements for spit.bat to work correctly:

1) You need to have the NT Resource Kit installed, or at least the program SLEEP.EXE from it. It is used in a loop to wait a certain period before checking the alert.ids file again (and to give NT some clock cycles back during the wait).

2) You need CRYPTCAT.EXE. That is a modified version of NETCAT that uses twofish encryption. You can pick it up at http://www.farm9.com/Free_Tools/Cryptcat.

3) Snort needs to be run with the '-A full' option to generate the multiple line log entry. This is so that the batch file can quickly retrieve the blocking value.

4) The batch file has to be launched in the snort directory. If you want to spawn it from somewhere else, please modify the batch file to reflect the appropriate file locations.

The snort ruleset needs to be modified like this:

alert tcp !$MYNET any -> $MYNET any (msg:"block_src=604800 - SCAN-SYN FIN";flags:SF;)

Basically, the alert message needs to start with 'block_src=<time> ' (note the space at the end) or 'block_dst=<time> '. <time> is a time value in seconds (in this example here, a week). Also, keep it lower case. block_src will block the source IP address. Some snort rules are written like '$MYNET -> !$MYNET'; in that case you want to use block_dst in order to block the destination. Basically, you want to block whatever is not your network. Instead of using a time value, you may also use the word 'perm' to block the offender indefinitely. Be careful with this!

The second batch file (tissue.bat) has to be located in the /fw/bin directory on the machine that has the Firewall-1 management piece installed. It will receive incoming messages from the spit batch files and configure FW-1 modules. The attached batch file assumes that both management server and the firewall module are on the same machine. If you have additional firewall modules, you may want to enter additional fw statements. See 'fw sam' for details. tissue does not require a parameter; however, if you run it with the '-v' option, it will produce verbose output of the fw sam statement(s).

I don't think tissue needs any refinements. I will eventually compile spit into a small executable in order to improve performance (Mike, this is where the syslog packets with the Win32 port would come in handy ;)

Yes, you have to go through the snort rules file and manually insert these statements. Be careful where you do this. I don't recommend it on high false positive rules since you can shoot yourself in the foot with this. I recommend running spit without tissue for a while, or otherwise monitor your rules before you let snort reconfigure the firewall. Did I mention both batch files have to be running in order to work? :)

The files were designed for NT systems, but I believe the concept is clear and they could be easily ported to any Unix platform, maybe Perl based.

When you look at the batch files you will notice the '-k MySecKey' in the calls to cryptcat. You may (and should) change the encryption password, but needless to say, it has to be the same on all machines.

Firewall-1 will REJECT any filtered IP addresses, which results in the transmission of a TCP-RST packet. I recommend changing FW-1's behavior to DROP packets instead. Although we just had this question, here again the procedure: Edit the file CODE.DEF in the /fw/lib directory and scroll down to the entries regarding the SAM. You will see two function definitions and shortly thereafter you'll come across the REJECT (followed by a bracket). Just change that REJECT to a DROP and install your policy again. Now all filtered addresses are filtered silently.

That's pretty much it. As with all free software, I do not support it and hereby disclaim any warranties and liabilities. Use it at your own risk.

I apologize for the size of the posting. Flame me offline if you need to. Also, email me offline if you have any questions.

Best regards,
Frank

-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOhnSJ0RKym0LjhFcEQLx+ACeMqw0I1PVF+MOVt2h1jRsOjCcNJsAmwaT
6thz787H3Kruv+tjfw/ZgdMr
=HcKd
-----END PGP SIGNATURE-----

Attachment: spit.bat
Attachment: tissue.bat
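Editor's added example (not Frank's spit.bat/tissue.bat, which are attachments and not reproduced on this page): the parsing step the post describes, written in Python instead of NT batch so it runs anywhere. It splits a snort '-A full' alert file into entries, picks up the 'block_src=<time> ' / 'block_dst=<time> ' / 'perm' tag from the msg, chooses the source or destination address accordingly, and builds the 'fw sam' command that the receiver side would run. Assumptions, all mine and not from the post: the alert.ids layout below is a constructed sample approximating snort 1.x output, not a real capture; the 'fw sam -t <seconds> -i any <ip>' flag syntax is from memory of FireWall-1 4.x and should be checked against your 'fw sam' usage text; the MYNET refusal guard is an extra safety check the post only alludes to ("shoot yourself in the foot"), and the cryptcat transport between sensor and management station is left out.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a snort alert.ids written with '-A full'.
# Layout approximated from memory of snort 1.x; the addresses are documentation ranges.
SAMPLE_ALERTS = """\
[**] block_src=604800 - SCAN-SYN FIN [**]
11/21-10:12:01.123456 203.0.113.7:1234 -> 192.168.1.5:80
TCP TTL:64 TOS:0x0 ID:12345
**SF**** Seq: 0x12345678  Ack: 0x0  Win: 0x400

[**] block_dst=perm - OUTBOUND to known bad host [**]
11/21-10:12:02.000001 192.168.1.9:40000 -> 198.51.100.20:6667
TCP TTL:128 TOS:0x0 ID:7

[**] IDS123 - some rule without a block tag [**]
11/21-10:12:03.000001 203.0.113.8:5555 -> 192.168.1.5:22
TCP TTL:64 TOS:0x0 ID:9

[**] block_src=3600 - internal scanner false positive [**]
11/21-10:12:04.000001 192.168.1.77:2000 -> 192.168.1.5:139
TCP TTL:64 TOS:0x0 ID:10
"""

# Hypothetical value for the post's $MYNET; never block addresses inside it.
MYNET = ipaddress.ip_network("192.168.1.0/24")

MSG_RE = re.compile(r"^\[\*\*\]\s*(?P<msg>.*?)\s*\[\*\*\]$")
# The tag must be lower case and followed by a space, exactly as the post requires.
TAG_RE = re.compile(r"^block_(?P<which>src|dst)=(?P<ttl>\d+|perm) ")
# Second line: timestamp, then "src[:port] -> dst[:port]" (port absent for ICMP).
FLOW_RE = re.compile(r"^\S+\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?")


@dataclass
class BlockRequest:
    ip: str
    timeout: Optional[int]  # None means the rule said 'perm'
    msg: str


def parse_alert(entry: str) -> Optional[BlockRequest]:
    """Turn one multi-line alert entry into a BlockRequest, or None if it carries no block tag."""
    lines = [ln for ln in entry.splitlines() if ln.strip()]
    if len(lines) < 2:
        return None
    m = MSG_RE.match(lines[0])
    f = FLOW_RE.match(lines[1])
    if not m or not f:
        return None
    tag = TAG_RE.match(m.group("msg"))
    if not tag:
        return None  # ordinary alert: log only, do not touch the firewall
    ttl = tag.group("ttl")
    return BlockRequest(
        ip=f.group(tag.group("which")),  # 'src' or 'dst' of the offending packet
        timeout=None if ttl == "perm" else int(ttl),
        msg=m.group("msg"),
    )


def parse_alert_file(text: str) -> List[BlockRequest]:
    """Entries in '-A full' output are separated by blank lines."""
    return [r for r in (parse_alert(e) for e in re.split(r"\n\s*\n", text)) if r]


def fw_sam_command(req: BlockRequest, verbose: bool = False) -> Optional[str]:
    """Build the 'fw sam' line for one request; refuse to block anything inside MYNET.

    Flag syntax assumed from FireWall-1 4.x: -t <seconds> (omitted = indefinite),
    -i = inhibit, 'any <ip>' matches the address as source or destination.
    """
    if ipaddress.ip_address(req.ip) in MYNET:
        return None  # a mis-tagged rule must not let snort cut off your own hosts
    parts = ["fw", "sam"]
    if verbose:
        parts.append("-v")
    if req.timeout is not None:
        parts += ["-t", str(req.timeout)]
    parts += ["-i", "any", req.ip]
    return " ".join(parts)


if __name__ == "__main__":
    for req in parse_alert_file(SAMPLE_ALERTS):
        cmd = fw_sam_command(req)
        print(f"{req.msg!r:55} -> {cmd if cmd else 'SKIPPED (address in MYNET)'}")
```

Run stand-alone it prints one line per tagged alert; the untagged IDS123 alert is ignored and the 192.168.1.77 block is skipped by the MYNET guard. On a real sensor you would tail alert.ids incrementally (the post polls with SLEEP.EXE), ship the resulting lines over cryptcat, and only the management station would execute the command.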