[Snortsam-discussion] opsec or fwsam versus checkpoint firewalls?

Frank Knobbe frank at snortsam.net
Sun Dec 20 18:34:12 EST 2009


Sorry, late to the emails.

On Fri, 2009-12-18 at 16:01 -0500, John Jasen wrote:
> > Does snort connect to snortsam?  (keying issues?)
> Fails using samtool as well.

samtool would only ensure that the communication TO Snortsam is working.

> opsec fails out with the init error I reported earlier.

The opsec error "Error: [(null)] OPSEC init failed" should only occur if
the opsec.conf file specified in snortsam.conf doesn't exist.

> My best completely uneducated guess is that the SAM pagefile is full on
> the security gateways, and that status isn't getting reported back.

That wouldn't cause the init error. Instead you would get a "Opsec
request failed" sorta error.


Olli said: 
"With RHEL you cannot use the opsec.conf only the fwsam plugin."

The OPSEC SDK is only supported on Windows and Linux systems, so if the
OPSEC files in the Snortsam source tree are present, and it all compiled
fine, then it should work on RedHat.

When you used fwsam for testing, I assume the firewall also ignored
block requests?


You said it stopped suddenly without any configuration or code changes
on Snortsam or Checkpoint. Is there anything at all that changed?
Perhaps a RedHat update?

Lastly, make sure you have "nothreads" in the snortsam.conf. There were
multithreading issues with Snortsam on Linux in the past, especially in
conjunction with the OPSEC SDK. Using "nothreads" will cause Snortsam
not to use threads. Maybe that'll help.

Regards,
Frank
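The two things Frank tells the poster to verify (that the opsec.conf path named in snortsam.conf actually exists, and that "nothreads" is set) can be checked mechanically. The script below is an added example, not part of the thread or of Snortsam itself; it assumes the directive syntax "opsec <path-to-opsec.conf>" and a bare "nothreads" line, so compare it against your Snortsam version's README.

```python
# Added example (not Snortsam project code): sanity-check a snortsam.conf for
# the two conditions discussed in the reply above. Assumes the directive syntax
# "opsec <path-to-opsec.conf>" and a bare "nothreads" keyword.
import os
import tempfile


def parse_snortsam_conf(text):
    """Return {directive: [argument, ...]} for every non-comment line."""
    directives = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        arg = parts[1] if len(parts) > 1 else ""
        directives.setdefault(parts[0].lower(), []).append(arg)
    return directives


def check_config(conf_path):
    """Return a list of findings; an empty list means both checks passed."""
    with open(conf_path) as fh:
        directives = parse_snortsam_conf(fh.read())
    findings = []
    if "nothreads" not in directives:
        findings.append("nothreads missing: add it to avoid the Linux/OPSEC threading issues")
    for opsec_conf in directives.get("opsec", []):
        # A missing opsec.conf is the condition behind "OPSEC init failed".
        if not os.path.isfile(opsec_conf):
            findings.append("opsec.conf not found: %s (would trigger 'OPSEC init failed')" % opsec_conf)
    return findings


def demo():
    """Constructed sample config whose opsec directive points at a missing file."""
    tmp = tempfile.mkdtemp()
    conf = os.path.join(tmp, "snortsam.conf")
    with open(conf, "w") as fh:
        fh.write("# constructed sample snortsam.conf\n")
        fh.write("accept 127.0.0.1, examplepassword\n")
        fh.write("opsec %s\n" % os.path.join(tmp, "opsec.conf"))  # file never created
    return check_config(conf)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```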



