[FW1] Announcement: Snort + FW-1 = SnortSam ... Now available
Greetings,

Pardon for the cross-post, but I think the members of these lists might be interested in the following:

SnortSam is a plugin to Snort that can block intruding IP addresses on Checkpoint FW-1/VPN-1 firewalls. I'm aware that this is a sensitive topic, but I believe this plugin has a variety of features that will make the concept of blocking intruders safer and more attractive.

SnortSam consists of two pieces, the plugin for Snort and an intelligent agent that runs on the firewall. What differentiates this plugin from other similar mechanisms are the following features:

* Features a White-List: A white-list is a list of IP addresses that will never be blocked. (Here you can include a.root-servers.net, etc., to prevent the famous shot in the foot.)

* Time Override List: The duration of the blocks is specified in Snort rules. However, you can override the time with the agent for specified IP addresses. Useful for proxies and other 'shared' IP addresses (you don't want to block ALL of AOL for a day...)

* Attack Detection and Roll-Back support: You can specify a threshold of blocks per time interval. Should this threshold be exceeded (for example, if someone realizes you are actively blocking and throws a bunch of spoofed packets at you), SnortSam will roll back the last X blocks (unblock those IPs) and wait for the level to fall back below the threshold.

The split of Snort and SnortSam has several advantages:

a) SnortSam can be stopped in order to temporarily disable the blocking mechanism (nothing needs to be done on the Snort sensors).

b) SnortSam can receive from unlimited Snort sensors, and Snort can send requests to unlimited SnortSam agents (read: firewalls). This allows for the building of, or integration into, a comprehensive network of sensors and firewalls.

c) Intelligent processing occurs on the firewall. (White-list support and Roll-Back thresholds are firewall dependent, but operate on a per-sensor basis.)
Communication between the Snort sensor and SnortSam is encrypted. SnortSam requires a list of authorized Snort sensors. SnortSam can either send an OPSEC packet to port 18183 on the firewall (preferred) or spawn the fw executable.

The source should compile fine under any platform and should work across different platforms. Source and Windows binaries are available. The program has been tested (although mainly under NT) and performs well. There are a few little things (like log file creation on the agent) that are still being implemented, but the desired functionality is already present. More features (such as agent-to-agent forwarding) are planned for future releases.

Comments and suggestions are welcome. Draft documentation as well as the files are available at:

http://www.snortsam.net

Regards,
Frank
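As an added illustration (not SnortSam's code; the class, its attribute names, the return strings and the sample addresses are all assumptions), a small Python model of the three agent-side decisions the announcement describes: the white-list, the per-address time override, and the blocks-per-interval threshold that rolls back recent blocks and holds until the level drops:

```python
from collections import deque


class BlockAgent:
    """Constructed model of the agent-side checks the post describes: a
    white-list, per-IP time overrides, and a blocks-per-interval threshold
    that rolls back recent blocks.  Not SnortSam's code; all names assumed."""

    def __init__(self, whitelist, time_override, threshold, interval, rollback):
        self.whitelist = set(whitelist)            # never blocked
        self.time_override = dict(time_override)   # ip -> forced duration (s)
        self.threshold = threshold                 # max requests per interval
        self.interval = interval                   # sliding window, seconds
        self.rollback = rollback                   # recent blocks to undo
        self.active = {}                           # ip -> block expiry time
        self.applied = []                          # (time, ip), oldest first
        self.requests = deque()                    # request times in window
        self.holding = False                       # above threshold: no blocks

    def _level(self, now):
        """Count requests in the last `interval` seconds, including this one."""
        self.requests.append(now)
        while self.requests[0] <= now - self.interval:
            self.requests.popleft()
        return len(self.requests)

    def request(self, now, ip, duration):
        """Handle one block request from a sensor; return the action taken."""
        if ip in self.whitelist:
            return "whitelisted"
        if self._level(now) > self.threshold:
            if self.holding:
                return "held"
            # Burst of requests (e.g. spoofed packets aimed at the sensor):
            # undo the most recent blocks and wait for the level to drop.
            keep = len(self.applied) - min(self.rollback, len(self.applied))
            undone = [victim for _, victim in self.applied[keep:]]
            del self.applied[keep:]
            for victim in undone:
                self.active.pop(victim, None)
            self.holding = True
            return "rolled back: " + ",".join(undone)
        self.holding = False
        expires = now + self.time_override.get(ip, duration)
        self.active[ip] = expires
        self.applied.append((now, ip))
        return "blocked for %ds" % (expires - now)

    def is_blocked(self, now, ip):
        return ip in self.active and self.active[ip] > now
```

Addresses in the test below are from the documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) and are constructed, as is the 60-second window with a threshold of 3 and a roll-back of 2.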