3. Snort and SnortSAM

3.1. Snort

Home page: http://www.snort.org

Start command (-d dumps application-layer data, -D runs Snort as a daemon, -c names the configuration file):

    /usr/local/sbin/snort -d -D -c /usr/local/src/snort-2.2.0/etc/snort.conf

Rules directory:

    /usr/local/src/snort-2.2.0/rules/*

Log directory:

    /var/log/snort

3.2. SnortSAM

SnortSAM is a plugin for Snort which facilitates the automated blocking of IP addresses on the following firewalls: Checkpoint Firewall-1, Cisco PIX (and router ACLs), IPFilter, (OpenBSD) PF, IPChains, IPTables...

Binary executables are available from the Web site for Windows, Linux and FreeBSD. Alternatively, download the source code for Snort, SnortSAM and also the SnortSAM patches for Snort, and follow the instructions in the INSTALL file from SnortSAM.

Suggestions and hints:

SnortSAM
There are two executables, snortsam and snortsam-debug. Use the latter first: it prints a message for each Snort alert as it is processed, which shows whether alerts are actually arriving from Snort.


Snort
Don't use "-A fast": alerts are then written to /var/log/snort/alerts but never reach SnortSAM (which listens on port 898). To see the helpful (debugging) messages, run Snort in the foreground (no -D):
    /usr/local/sbin/snort -d -c /usr/local/src/snort-2.2.0/etc/snort.conf
with the following in snort.conf:
    output alert_fwsam: 130.88.100.77
    output alert_syslog: log_auth log_warn
Once everything works, run it as a daemon:
    /usr/local/sbin/snort -d -D -c /usr/local/src/snort-2.2.0/etc/snort.conf
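The two pitfalls in the SnortSAM and Snort hints above (alerts must be routed through the alert_fwsam output plugin, and "-A fast" on the command line must be avoided) can be checked before Snort is daemonised. The following pre-flight script is an added example, not code from the original page, from Snort or from SnortSAM. It assumes SnortSAM listens on TCP port 898 when the alert_fwsam line names no port, that the alert_fwsam line has the form host[:port][/password], and that nc is available for the optional live port check; the snort.conf excerpts it writes are constructed samples.

```shell
#!/bin/sh
# Pre-flight checks for a Snort + SnortSAM deployment (added example).
# Assumptions: SnortSAM default port 898; "output alert_fwsam:" lines of the
# form host[:port][/password]; nc present for the optional live port check.

# Return 0 if CONF has an active (uncommented) "output alert_fwsam:" line.
has_fwsam_output() {
    grep -Eq '^[[:space:]]*output[[:space:]]+alert_fwsam:' "$1"
}

# Print the SnortSAM station spec(s) from the alert_fwsam line(s) in CONF.
fwsam_stations() {
    sed -n -E 's/^[[:space:]]*output[[:space:]]+alert_fwsam:[[:space:]]*//p' "$1"
}

# Return 0 if the Snort argument list contains neither "-A fast" nor "-Afast";
# per the note above, that mode writes alerts to the file only, so SnortSAM
# never sees them.
cmdline_ok() {
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "-A" ] && [ "$arg" = "fast" ]; then return 1; fi
        case "$arg" in -Afast) return 1 ;; esac
        prev="$arg"
    done
    return 0
}

# Optional live check: is anything listening on the SnortSAM port?
# Strips an optional /password suffix, defaults the port to 898, uses nc if present.
snortsam_reachable() {
    st="${1%%/*}"
    host="${st%%:*}"
    port="${st#*:}"
    [ "$port" = "$st" ] && port=898
    command -v nc >/dev/null 2>&1 || { echo "nc not available; skipping port check for $host:$port"; return 0; }
    nc -z -w 2 "$host" "$port"
}

# Constructed sample snort.conf excerpts used for demonstration.
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf excerpt: plugin active
output alert_fwsam: 130.88.100.77
output alert_syslog: log_auth log_warn
EOF
}
write_bad_conf() {
    cat > "$1" <<'EOF'
# constructed snort.conf excerpt: plugin commented out by mistake
# output alert_fwsam: 130.88.100.77
output alert_syslog: log_auth log_warn
EOF
}

# preflight CONF [snort args...]: report the problems the hints above describe.
preflight() {
    conf="$1"; shift
    has_fwsam_output "$conf" || { echo "FAIL: no active 'output alert_fwsam:' line in $conf"; return 1; }
    cmdline_ok "$@" || { echo "FAIL: '-A fast' sends alerts to the alert file only; SnortSAM gets nothing"; return 1; }
    for st in $(fwsam_stations "$conf"); do
        snortsam_reachable "$st" || echo "WARN: nothing listening at SnortSAM station $st"
    done
    echo "OK: alert_fwsam configured and command line is sane"
}

# Usage (hypothetical paths, adjust to your install):
#   preflight /usr/local/src/snort-2.2.0/etc/snort.conf -d -D -c /usr/local/src/snort-2.2.0/etc/snort.conf
```

Run preflight with the exact arguments you intend to give Snort; the port check only warns, because a SnortSAM station that is down is a deployment state to fix rather than a configuration error, whereas a missing alert_fwsam line or a "-A fast" flag means SnortSAM can never receive an alert and the script refuses.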


