Intrusion Prevention and Active Response: Deploying Network and Host IPS

SnortSam (www.snortsam.net) is an active response plugin for Snort that performs gateway interaction with various router and firewall devices. SnortSam acts at the network layer by instructing the gateway to alter or block traffic for specified amounts of time based on the IP address. SnortSam consists of two parts: an agent that runs on the gateway device and accepts commands, and an output plugin for Snort that sends commands based on triggered rules. The communication between the output plugin and the agent is secured by an encrypted TCP session. SnortSam supports the following gateways:
Checkpoint Firewall-1
Cisco PIX firewall
Cisco Routers
Netscreen/Juniper firewalls
IP Filter (IPF)
OpenBSD's Packet Filter (PF)
Linux IPchains
Linux IPtables
Linux EBtables
WatchGuard Firebox firewalls
The SnortSam agent provides several features including:
The ability to specify a whitelist of IP addresses that will never be blocked
The ability to provide per-rule blocking and time interval
The ability to prevent repetitive blocking of the same IP address
Twofish-encrypted sessions between Snort and SnortSam
The ability to multithread for faster processing and simultaneous blocking on multiple devices
The ability to log events and send e-mail notification
The ability to scale to larger distributed networks using a client/server architecture
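The three agent features that matter most operationally, the whitelist, the per-rule block duration and the suppression of repeated blocks for an address that is already blocked, are easiest to see in a small decision engine. The Python below is an added example written for this page; it is not SnortSam's code and does not use its wire protocol or configuration syntax. The addresses, rule ids, durations and the iptables command strings are constructed, and the unblock-on-expiry step is an assumption about how a timed block is lifted. The whitelist check is the piece a practitioner should not skip: the source address of a triggering packet can be spoofed, so an agent that blocks unconditionally can be made to cut the sensor off from its own DNS server or gateway.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass
class BlockRequest:
    """What the Snort output plugin conceptually hands to the agent: the
    offending address, the rule that fired, and the requested block time."""
    address: str
    sid: int           # Snort rule id
    duration: int      # seconds


@dataclass
class ActiveResponder:
    """Decision logic for one gateway. Commands are returned as strings
    (constructed iptables invocations) rather than executed."""
    whitelist: List[str]                                    # networks never blocked
    active: Dict[str, float] = field(default_factory=dict)  # address -> expiry time
    log: List[str] = field(default_factory=list)

    def _whitelisted(self, address: str) -> bool:
        addr = ip_address(address)
        return any(addr in ip_network(net, strict=False) for net in self.whitelist)

    def expire(self, now: float) -> List[str]:
        """Lift blocks whose time has run out; returns the unblock commands."""
        cmds = []
        for addr in [a for a, exp in self.active.items() if exp <= now]:
            del self.active[addr]
            self.log.append(f"t={now:.0f} unblock {addr}")
            cmds.append(f"iptables -D INPUT -s {addr} -j DROP")
        return cmds

    def handle(self, req: BlockRequest, now: float) -> List[str]:
        """Return the gateway commands for this request (possibly none)."""
        cmds = self.expire(now)
        if self._whitelisted(req.address):
            # Never block infrastructure addresses: the source of a triggering
            # packet can be spoofed, and unconditional blocking would let a
            # remote party cut the sensor off from its own DNS or gateway.
            self.log.append(f"t={now:.0f} refuse sid={req.sid} {req.address}: whitelisted")
            return cmds
        expiry = now + req.duration
        if req.address in self.active:
            # Already blocked: do not issue a second rule, just extend the
            # block if this request outlasts the current one.
            self.active[req.address] = max(self.active[req.address], expiry)
            self.log.append(f"t={now:.0f} suppress sid={req.sid} {req.address}: already blocked")
            return cmds
        self.active[req.address] = expiry
        self.log.append(f"t={now:.0f} block sid={req.sid} {req.address} for {req.duration}s")
        cmds.append(f"iptables -I INPUT -s {req.address} -j DROP")
        return cmds


def run_scenario() -> List[str]:
    """Constructed sequence of alerts against a responder that protects the
    management LAN and the recursive DNS server. Returns the log lines."""
    r = ActiveResponder(whitelist=["10.0.0.0/24", "192.0.2.53/32"])
    events = [  # (time, address, sid, seconds); all values are constructed
        (0,   "203.0.113.7",  1000001, 300),   # first hit: block for 5 minutes
        (10,  "203.0.113.7",  1000002, 60),    # repeat hit: suppressed
        (20,  "192.0.2.53",   1000001, 300),   # source spoofed as our DNS: refused
        (30,  "198.51.100.9", 1000003, 100),   # second address: block
        (400, "203.0.113.7",  1000001, 300),   # both blocks expired; re-block
    ]
    for now, addr, sid, secs in events:
        for cmd in r.handle(BlockRequest(addr, sid, secs), now):
            r.log.append("  " + cmd)
    return r.log


if __name__ == "__main__":
    print("\n".join(run_scenario()))
```

Running the file prints the decision log for the constructed sequence: one block at t=0, a suppressed repeat at t=10, a refused request for the whitelisted DNS address at t=20, a second block at t=30, and at t=400 two unblocks followed by a fresh block. A real agent would additionally persist the expiry table so that a restart does not leave rules in the gateway with no record of when to remove them.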
You must download and install both the SnortSam agent and the Snort plugin patch. Once they are installed, you will need to add the output plugin command for alert_fwsam to the snort.conf file on the Snort IDS, in the following format:
output alert_fwsam:/
For example: