From luis.daniel.lucio at gmail.com  Sat Jan 17 11:16:41 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Sat, 17 Jan 2009 10:16:41 -0600
Subject: [Snortsam-discussion] RPM SPEC
Message-ID: <200901171016.41635.luis.daniel.lucio@gmail.com>

Hi SAMS,

I would like to know if anyone has a SPEC file for snortsam (module part, not
snort plugin).

Best regards,

LD

From luis.daniel.lucio at gmail.com  Mon Jan 19 22:59:13 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Mon, 19 Jan 2009 21:59:13 -0600
Subject: [Snortsam-discussion] Mandriva SPEC for RPM
Message-ID: <200901192159.13637.luis.daniel.lucio@gmail.com>

Just to share my SPEC, it builds okay in Mandriva 2009.0

%define name snortsam
%define version 2.57
%define release %mkrel 1

Name: %{name}
Version: %{version}
Release: %{release}
Summary: SnortSAM module
License: GPL
Group: Networking/Other
URL: http://www.snortsam.net/
Source: http://www.snortsam.net/files/snortsam/%{name}-src-%{version}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}

%description
Snortsam is a daemon that interacts with snort to use a firewall.

%prep
%setup -q -n %{name}
cat > Makefile < 2.57-1mdv2009.0
+ Revision: 243049
- rebuild
- rebuild

From carlopmart at gmail.com  Tue Jan 20 06:37:49 2009
From: carlopmart at gmail.com (carlopmart)
Date: Tue, 20 Jan 2009 12:37:49 +0100
Subject: [Snortsam-discussion] OPSEC binaries of snortsam
Message-ID: <4975B78D.4030108@gmail.com>

Hi all,

Is there a precompiled snortsam binary to use with CheckPoint NGXR65? If not,
where is the README.opsec file? I have downloaded the source code, but I didn't
find it ...

thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com

From frank at snortsam.net  Thu Jan 22 21:54:10 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Thu, 22 Jan 2009 20:54:10 -0600
Subject: [Snortsam-discussion] OPSEC binaries of snortsam
In-Reply-To: <4975B78D.4030108@gmail.com>
References: <4975B78D.4030108@gmail.com>
Message-ID: <1232679250.92302.29.camel@localhost>

On Tue, 2009-01-20 at 12:37 +0100, carlopmart wrote:
> Is there a precompiled snortsam binary to use with CheckPoint NGXR65? If not,
> where is the README.opsec file? I have downloaded the source code, but I didn't
> find it ...

I'm not sure if Matt has precompiled binaries on the web site that
include OPSEC. He would be able to answer that.

There never was a README.opsec doc since for a while in the beginning OPSEC
(well, Checkpoint) was the only supported firewall. Information on how to
configure it was in the docs/FAQ file.

On the Snortsam side, you need to create a text file for OPSEC
configuration. A sample is in the /conf dir (opsec.conf). The IP has to
be the firewall IP (or management station if you want to
block-by-proxy). In the Snortsam conf, you just specify "opsec
thatconffile.conf".

On the firewall itself, you also have to modify the OPSEC related config
file.

[From the FAQ]

You need to change the file
   /fw/conf/fwopsec.conf (version 4.0) or
   /fw1/4.1/conf/fwopsec.conf (version 4.1) or
   /fw1/ng/conf/fwopsec.conf (Next Generation)
as follows:

By default it should contain:

   sam_server auth_port 18183
   lea_server auth_port 18184
   # authenticated connections for servers
   # server {server IP} {service port} auth_opsec
   server 127.0.0.1 18181 auth_opsec
   server 127.0.0.1 18182 auth_opsec
   sam_allow_remote_requests no

You may already have added other entries. For SnortSam to work properly,
you need to change line 1 to

   sam_server auth_port 0
   sam_server port 18183

That will allow clear-text connections to the SAM port which is what
SnortSam sends.
sam_allow_remote_requests should be set to YES on all firewall modules that
you want to send requests to directly (as opposed to proxy mode where
requests are sent through the management station).

Hope that helps,
Frank

From luis.daniel.lucio at gmail.com  Sun Jan 25 01:28:10 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Sun, 25 Jan 2009 00:28:10 -0600
Subject: [Snortsam-discussion] multiple iptables
Message-ID: <200901250028.10935.luis.daniel.lucio@gmail.com>

I was just wondering if I could list the iptables plugin multiple times

iptables eth0
iptables ethX

TIA

LD

From frank at snortsam.net  Tue Jan 27 20:20:20 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Tue, 27 Jan 2009 19:20:20 -0600
Subject: [Snortsam-discussion] multiple iptables
In-Reply-To: <200901250028.10935.luis.daniel.lucio@gmail.com>
References: <200901250028.10935.luis.daniel.lucio@gmail.com>
Message-ID: <1233105620.66589.3.camel@server1>

On Sun, 2009-01-25 at 00:28 -0600, Luis Daniel Lucio Quiroz wrote:
> I was just wondering if I could list the iptables plugin multiple times
>
> iptables eth0
> iptables ethX

You sure can. :)

-Frank
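
Added example (not part of the archived thread and not SnortSam's own code): a small Python check that compares a fwopsec.conf against the settings quoted from the FAQ in the OPSEC reply above, so an administrator can see which SAM lines still differ. The key names come from that message; the parsing rules (whitespace-separated tokens, '#' starts a comment) and both sample files are constructed assumptions.

```python
# Key names are taken from the FAQ text quoted in the thread; the parsing
# rules (whitespace-separated tokens, '#' comments) are an assumption.
DEFAULT_CONF = """\
sam_server auth_port 18183
lea_server auth_port 18184
# authenticated connections for servers
# server {server IP} {service port} auth_opsec
server 127.0.0.1 18181 auth_opsec
server 127.0.0.1 18182 auth_opsec
sam_allow_remote_requests no
"""  # constructed from the default file shown in the thread

# The same file after the edits the FAQ describes (constructed sample).
SNORTSAM_CONF = DEFAULT_CONF.replace(
    "sam_server auth_port 18183",
    "sam_server auth_port 0\nsam_server port 18183",
).replace("sam_allow_remote_requests no", "sam_allow_remote_requests yes")


def parse_sam_settings(text):
    """Return the SAM-related settings found in fwopsec.conf text."""
    settings = {"auth_port": None, "port": None, "remote": None}
    for raw in text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if len(tok) == 3 and tok[0] == "sam_server" and tok[1] in ("auth_port", "port"):
            if tok[2].isdigit():
                settings[tok[1]] = int(tok[2])
        elif len(tok) == 2 and tok[0] == "sam_allow_remote_requests":
            settings["remote"] = tok[1].lower() == "yes"
    return settings


def audit(text):
    """List what still differs from the FAQ's SnortSam settings."""
    s = parse_sam_settings(text)
    findings = []
    if s["auth_port"] != 0:
        findings.append("sam_server auth_port is %r, FAQ expects 0" % s["auth_port"])
    if s["port"] is None:
        findings.append("no clear-text 'sam_server port' line (FAQ uses 18183)")
    if not s["remote"]:
        findings.append("sam_allow_remote_requests is not yes (needed for direct mode)")
    return findings


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("snortsam", SNORTSAM_CONF)):
        print(name, audit(conf) or "matches the FAQ settings")
```

The third finding only applies to firewall modules that receive requests directly; in proxy mode the thread says requests go through the management station instead.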