From paul at tatarsky.com Thu Jun 4 21:44:41 2009
From: paul at tatarsky.com (Paul Tatarsky)
Date: Thu, 04 Jun 2009 20:44:41 -0500
Subject: [Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense
Message-ID: <4A287889.8000903@tatarsky.com>

I have hacked together a basic way to use Snortsam with PfSense firewalls. Now I would like to see if I'm an idiot on a couple of topics and if I've re-invented the wheel or missed something easier in the module or somebody else doing this better.

For starters, Pfsense is this pup if you've not seen it:
http://www.pfsense.com/

It's not all pretty and wrapped yet, but not being a PF expert I had a question about "anchors" and the PF2 snortsam plugin. Can anyone more PF literate than me validate my plan here?

Pfsense already has included in its default configuration a table to block via the snort2c project.
http://snort2c.sourceforge.net/

As far as I can tell it's a global table created at boot by these PF commands:

    # snort2c
    table <snort2c> persist
    block quick from <snort2c> to any label "Block snort2c hosts"
    block quick from any to <snort2c> label "Block snort2c hosts"

But I like issuing snortsam "blocks" from a set of correlation sensors to other devices... So I built snortsam and deployed it on some pfSense sensors "by hand" and allowed the "command station" access to the snortsam port.

Then I used the pf2 module to do the following with this config:

    /etc/snortsam.conf:
    pf2 anchor=none table=snort2c

And I've slightly tweaked ssp_pf2.c to drop the "_in" and "_out" added table names because right now I just want to block IPs regardless of direction (Am I foolish here?). I am working on making that cleaner but for now this is a "quick shun" style solution.

Then I've wrapped the section in change_table with a strncpy to not set an anchor if the anchor is "none".
Yeah that's lame (the code defaults to an anchor of "snortsam" if not set in the config), but the end result is when I issue from my central location a request to block an IP I get entries in the proper global table:

    samtool -b -ip 99.99.99.99 -dur "1 min" (cred)

    # pfctl -t snort2c -T show
       99.99.99.99

And that IP is blocked since it's already configured to do so "out of the box".

Questions:

Should I change Pfsense to use an anchor?

Should I alter the defaulting of the anchor and just detect a NULL string for the anchor? (Compared to my silly "none" = skip anchor)

Is this of use to anyone besides me with my small farm of pfSense firewalls?

And, with a grin, does anybody understand Pfsense packages very well so I could add the basic configuration of snortsam.conf to the web gui?

Many thanks to Olaf Schreck for the pf2 module and the fine maintainers of Snortsam regardless.

I can post a diff with my "hack" but wanted to see if anybody has better ideas or interest.

-- 
----------------------------------------------------------
Paul Tatarsky
paul at tatarsky.com
http://www.tatarsky.com/
----------------------------------------------------------

From jonkman at jonkmans.com Fri Jun 12 09:47:45 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Fri, 12 Jun 2009 09:47:45 -0400
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
Message-ID: <4A325C81.6050903@jonkmans.com>

Thanks to Frank Knobbe a new diff is available to get Snortsam into Snort 2.8.4.1.

http://www.snortsam.net/files/snort-2.8-plugin/snortsam-2.8.4.1.diff

Please test and enjoy.

Thanks Frank!!
Matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From frank at snortsam.net Sun Jun 14 15:20:25 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 14 Jun 2009 14:20:25 -0500
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To: <4A325C81.6050903@jonkmans.com>
References: <4A325C81.6050903@jonkmans.com>
Message-ID: <1245007225.10699.0.camel@localhost>

On Fri, 2009-06-12 at 09:47 -0400, Matt Jonkman wrote:
> Thanks to Frank Knobbe a new diff is available to get Snortsam into
> Snort 2.8.4.1.
>
> http://www.snortsam.net/files/snort-2.8-plugin/snortsam-2.8.4.1.diff

No, no, no.... the credit goes to Robert Sly.

Thanks Rob!

-Frank

From frank at snortsam.net Sun Jun 14 15:27:34 2009
From: frank at snortsam.net (Frank Knobbe)
Date: Sun, 14 Jun 2009 14:27:34 -0500
Subject: [Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense
In-Reply-To: <4A287889.8000903@tatarsky.com>
References: <4A287889.8000903@tatarsky.com>
Message-ID: <1245007654.10699.8.camel@localhost>

On Thu, 2009-06-04 at 20:44 -0500, Paul Tatarsky wrote:
> I have hacked together a basic way to use Snortsam with PfSense
> firewalls. Now I would like to see if I'm an idiot on a couple of topics
> and if I've re-invented the wheel or missed something easier in the
> module or somebody else doing this better.

Well, since PFsense is built on PF, use the existing PF plugin.

> It's not all pretty and wrapped yet, but not being a PF expert I had a
> question about "anchors" and the PF2 snortsam plugin. Can anyone more PF
> literate than me validate my plan here?

You can set the anchor and table names in the PF plugins as far as I recall.

FYI: I was dealing with a FreeBSD box running PF a couple months back, but the PF2 plugin didn't work for me. I had to modify the PF plugin a bit.
I'll post diffs for comments on that.

> # snort2c
> table <snort2c> persist
> block quick from <snort2c> to any label "Block snort2c hosts"
> block quick from any to <snort2c> label "Block snort2c hosts"

The current PF plugins use three tables. One for inbound-only blocks, one for outbound-only blocks, and one for inbound and outbound (full) blocks.

> But I like issuing snortsam "blocks" from a set of correlation sensors
> to other devices...

Could you clarify please?

> Then I used the pf2 module to do the following with this config:
>
> /etc/snortsam.conf:
> pf2 anchor=none table=snort2c

As far as I recall, the PF plugin will then use three tables, snort2cin, snort2cout and snort2cinout... but it sounds like you discovered that already :)

> Questions:
>
> Should I change Pfsense to use an anchor?

I think anchors exist to make rule management easier. It's up to you if you want to use them or not.

> Should I alter the defaulting of the anchor and just detect a NULL
> string for the anchor? (Compared to my silly "none" = skip anchor)

Any reason you are fixated on the snort2c thingy and didn't create the anchor and tables as listed in the PF plugin documentation? Would save you time to "fix" the PF code :)

Cheers,
Frank

From paul at tatarsky.com Sun Jun 14 21:34:16 2009
From: paul at tatarsky.com (Paul Tatarsky)
Date: Sun, 14 Jun 2009 20:34:16 -0500
Subject: [Snortsam-discussion] Seeking "Best Way" to use PF2 plugin and Pfsense
In-Reply-To: <1245007654.10699.8.camel@localhost>
References: <4A287889.8000903@tatarsky.com> <1245007654.10699.8.camel@localhost>
Message-ID: <4A35A518.8050601@tatarsky.com>

> I think anchors exist to make rule management easier. It's up to you if
> you want to use them or not.

That's the main item I was looking for: they are a management convenience. Not a performance feature or something.

> bit. I'll post diffs for comments on that.

I'd like to see that. I was having some issue I don't recall now that involved the opposite (that's why I started using PF2 vs. PF).
I'll recheck this week why I came to that path.

>> But I like issuing snortsam "blocks" from a set of correlation sensors
>> to other devices...

I gather attacker data from several sensors (snort, logs, spamtraps, etc) and issue snortsam blocks based on common items to a collection of firewalls. I use pfSense firewalls in a few smaller locations because it's convenient for the managers of those networks.

> Any reason you are fixated on the snort2c thingy and didn't create the

The snort2c thingy is already built into the pfSense distro as its "blocking method". And I'm still trying to understand all the pfSense startup configs, so "creating the anchor and tables" worked from the command line, but I need to work it into "stock" pfSense boot scripts. It's a PHP based configuration and I'm learning its ways. So I just used it because it was "already there" to proof it out.

However, the method described is working quite well for me, I'm just trying to figure out how to make a snortsam "package" for pfsense (somewhat different than a BSD package). If I figure that out, I'll let the user define the filter names ;)

-- 
----------------------------------------------------------
Paul Tatarsky
paul at tatarsky.com
Sysadmin Consulting
(608)-271-6817
http://www.tatarsky.com/
----------------------------------------------------------

From luis.daniel.lucio at gmail.com Tue Jun 16 01:59:34 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Tue, 16 Jun 2009 07:59:34 +0200
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To: <1245007225.10699.0.camel@localhost>
References: <4A325C81.6050903@jonkmans.com> <1245007225.10699.0.camel@localhost>
Message-ID: <200906160759.34336.luis.daniel.lucio@gmail.com>

On Sunday 14 June 2009 21:20:25, Frank Knobbe wrote:
> On Fri, 2009-06-12 at 09:47 -0400, Matt Jonkman wrote:
> > Thanks to Frank Knobbe a new diff is available to get Snortsam into
> > Snort 2.8.4.1.
> >
> > http://www.snortsam.net/files/snort-2.8-plugin/snortsam-2.8.4.1.diff
>
> No, no, no.... the credit goes to Robert Sly.
>
> Thanks Rob!
>
> -Frank
>
> _______________________________________________
> Snortsam-discussion mailing list
> Snortsam-discussion at snortsam.net
> http://lists.snortsam.net/mailman/listinfo/snortsam-discussion

Thanks guys

BTW, has anyone tried with 2.8.5 beta?

From farrokhi at mac.com Tue Jun 23 13:27:42 2009
From: farrokhi at mac.com (Babak Farrokhi)
Date: Tue, 23 Jun 2009 21:57:42 +0430
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
Message-ID: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>

Hi,

Unfortunately the diff contains twofish implementation version 1.5 which is not 64-bit safe.
Please see the attached diff that is basically the same diff with twofish version 2.1.

-- 
Babak Farrokhi

-------------- next part --------------
A non-text attachment was scrubbed...
Name: snortsam-2.8.4.1-babak.diff
Type: application/octet-stream
Size: 113744 bytes
Desc: not available
Url : http://lists.snortsam.net/pipermail/snortsam-discussion/attachments/20090623/a479d2b2/snortsam-2.8.4.1-babak-0001.obj

From jonkman at jonkmans.com Thu Jun 25 11:33:07 2009
From: jonkman at jonkmans.com (Matt Jonkman)
Date: Thu, 25 Jun 2009 11:33:07 -0400
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
Message-ID: <4A4398B3.3030300@jonkmans.com>

Many thanks Babak! I've replaced the prior patch with yours. That should suit all installs.
Matt

Babak Farrokhi wrote:
> Hi,
>
> Unfortunately the diff contains twofish implementation version 1.5 which
> is not 64-bit safe.
> Please see the attached diff that is basically the same diff with
> twofish version 2.1.

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc

From luis.daniel.lucio at gmail.com Thu Jun 25 17:18:31 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Thu, 25 Jun 2009 23:18:31 +0200
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com>
Message-ID: <200906252318.31762.luis.daniel.lucio@gmail.com>

On Tuesday 23 June 2009 19:27:42, Babak Farrokhi wrote:
> Hi,
>
> Unfortunately the diff contains twofish implementation version 1.5
> which is not 64-bit safe.
> Please see the attached diff that is basically the same diff with
> twofish version 2.1.

After applying your patch I got this legend:

    configure: WARNING: unrecognized options: --enable-snortsam, --enable-rulestate, --disable-mysql, --disable-postgresql, --disable-oracle, --disable-odbc, --without-inline

This means snortsam is not working, or I'm calling it with the wrong option in configure; configure --help does not mention anything about snortsam after the patch is applied.
Regards,

LD

From slyguy2000 at hotmail.com Thu Jun 25 17:28:53 2009
From: slyguy2000 at hotmail.com (Rob Sly)
Date: Thu, 25 Jun 2009 17:28:53 -0400
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To: <200906252318.31762.luis.daniel.lucio@gmail.com>
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200906252318.31762.luis.daniel.lucio@gmail.com>
Message-ID:

It's not called from the configure line. The patch just allows snort 2.8.4.1 to compile with the snortsam capability.

1st you patch your snort-2.8.4.1 source
    patch -p1 < ../snortsam-2.8.4.1.diff

2nd you give autojunk.sh +x mod and run it...
    chmod +x autojunk.sh && ./autojunk.sh

3rd you configure snort with what you need... (this is what I use)
    ./configure -enable-dynamicplugin --with-mysql

4th you compile and install
    make && make install

This is just to get snort 2.8.4.1 up and running and able to talk to snortsam.

If you need further assistance, please check out the TWiki site:
http://doc.emergingthreats.net/bin/view/Main/SnortSam

--------------------------------------------------
From: "Luis Daniel Lucio Quiroz"
Sent: Thursday, June 25, 2009 5:18 PM
To:
Subject: Re: [Snortsam-discussion] Snort 2.8.4.1 Diff Available

> On Tuesday 23 June 2009 19:27:42, Babak Farrokhi wrote:
>> Hi,
>>
>> Unfortunately the diff contains twofish implementation version 1.5
>> which is not 64-bit safe.
>> Please see the attached diff that is basically the same diff with
>> twofish version 2.1.
> After applying your patch I got this legend:
>
> configure: WARNING: unrecognized options: --enable-snortsam, --enable-
> rulestate, --disable-mysql, --disable-postgresql, --disable-oracle, --disable-
> odbc, --without-inline
>
> This means snortsam is not working, or I'm calling it with the wrong
> option in
> configure; configure --help does not mention anything about snortsam after
> the patch is
> applied.
>
> Regards,
>
> LD

From luis.daniel.lucio at gmail.com Fri Jun 26 02:08:46 2009
From: luis.daniel.lucio at gmail.com (Luis Daniel Lucio Quiroz)
Date: Fri, 26 Jun 2009 08:08:46 +0200
Subject: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
In-Reply-To:
References: <3736B42B-2D74-4D6F-8D0E-5B85AF568CED@mac.com> <200906252318.31762.luis.daniel.lucio@gmail.com>
Message-ID: <200906260808.46238.luis.daniel.lucio@gmail.com>

On Thursday 25 June 2009 23:28:53, Rob Sly wrote:
> It's not called from the configure line. The patch just allows snort
> 2.8.4.1 to compile with the snortsam capability.
>
> 1st you patch your snort-2.8.4.1 source
> patch -p1 < ../snortsam-2.8.4.1.diff
>
> 2nd you give autojunk.sh +x mod and run it...
> chmod +x autojunk.sh && ./autojunk.sh
>
> 3rd you configure snort with what you need... (this is what I use)
> ./configure -enable-dynamicplugin --with-mysql
>
> 4th you compile and install
> make && make install
>
> This is just to get snort 2.8.4.1 up and running and able to talk to
> snortsam.
>
> If you need further assistance, please check out the TWiki site:
> http://doc.emergingthreats.net/bin/view/Main/SnortSam
>
> --------------------------------------------------
> From: "Luis Daniel Lucio Quiroz"
> Sent: Thursday, June 25, 2009 5:18 PM
> To:
> Subject: Re: [Snortsam-discussion] Snort 2.8.4.1 Diff Available
>
> > On Tuesday 23 June 2009 19:27:42, Babak Farrokhi wrote:
> >> Hi,
> >>
> >> Unfortunately the diff contains twofish implementation version 1.5
> >> which is not 64-bit safe.
> >> Please see the attached diff that is basically the same diff with
> >> twofish version 2.1.
> >
> > After applying your patch I got this legend:
> >
> > configure: WARNING: unrecognized options: --enable-snortsam, --enable-
> > rulestate, --disable-mysql, --disable-postgresql, --disable-oracle,
> > --disable- odbc, --without-inline
> >
> > This means snortsam is not working, or I'm calling it with the wrong
> > option in
> > configure; configure --help does not mention anything about snortsam after
> > the patch is
> > applied.
> >
> > Regards,
> >
> > LD

I got it. The last patch enabled the --enable-snortsam configure flag, that's why I was asking about that warning.

Thanks
LD

From rehderk at cablejockey.com Sun Jun 28 14:13:15 2009
From: rehderk at cablejockey.com (Kris)
Date: Sun, 28 Jun 2009 14:13:15 -0400
Subject: [Snortsam-discussion] Cisco Null Route Plugin Blocking Routers
Message-ID: <4A47B2BB.4000101@cablejockey.com>

Has anyone experienced issues in which the null route plugin applies the null route against the IPs of the routers it is connecting to?

I have just upgraded to snortsam 2.57 and added additional rules using the fwsam option so there are a lot of nulls being applied. It appears that after a period of time snortsam starts applying null routes against the routers themselves.

A. There are no rules being triggered for the router IPs that are being blocked.
B. The router IPs that are being nulled are configured using the dontblock option within the snortsam.conf.

My first step was to confirm there were no snort alerts triggered by verifying every sensor log.
Then I went and raised loglevel to 3 and screenlevel to 3. Raising the loglevel to 3 showed me that the white list function was working for other IPs that had been configured with dontblock. Yet even increasing the loglevel to 3 did not show me the nulls being placed against the routers.

Considering this was the biggest change to the network I continued digging. It was not until allowing snortsam to run using snortsam-debug did I find a record of snortsam applying the null routes against the router itself. Within snortsam-debug there was no record of a block to be applied for the router IP, it just does it on its own as if the variables are being replaced.

Any help or thoughts would be appreciated.

Thanks,
Kris
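An added example, not code from this thread or from Snortsam, that ties Paul's `pfctl -t snort2c -T show` check to the failure mode Kris describes (a device listed under `dontblock` ending up blocked anyway): it parses constructed pfctl table output and a constructed snortsam.conf fragment and reports any table entry that falls inside a protected host or network. The `dontblock <host|network>` syntax is assumed from the snortsam documentation, and the key value is a placeholder.

```python
"""Audit a PF block table against snortsam 'dontblock' entries (added example)."""
import ipaddress

# Constructed sample of `pfctl -t snort2c -T show` output: PF prints one
# address (or network) per line, indented with spaces.
PFCTL_SHOW_OUTPUT = """\
   99.99.99.99
   198.51.100.7
   203.0.113.1
   2001:db8::1
"""

# Constructed snortsam.conf fragment. The dontblock host/network syntax is
# assumed from the snortsam documentation; the key is a placeholder.
SNORTSAM_CONF = """\
defaultkey PLACEHOLDER-KEY
dontblock 203.0.113.1
dontblock 192.0.2.0/24
pf2 anchor=none table=snort2c
"""


def parse_pf_table(show_output):
    """Parse `pfctl -t <table> -T show` output into ip_network objects."""
    entries = []
    for line in show_output.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            entries.append(ipaddress.ip_network(line, strict=False))
    return entries


def parse_dontblock(conf_text):
    """Collect the dontblock hosts/networks from a snortsam.conf text."""
    nets = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "dontblock":
            nets.append(ipaddress.ip_network(parts[1], strict=False))
    return nets


def protected_entries(show_output, conf_text):
    """Table entries (as strings) that fall inside a dontblock host/network.
    A healthy deployment returns []; anything listed is a protected device
    (a router, a peer firewall) that has nonetheless been blocked."""
    protected = parse_dontblock(conf_text)
    hits = []
    for entry in parse_pf_table(show_output):
        same_family = [n for n in protected if n.version == entry.version]
        if any(entry.subnet_of(n) for n in same_family):
            hits.append(str(entry.network_address)
                        if entry.prefixlen == entry.max_prefixlen else str(entry))
    return hits


def unblock_commands(hits, table="snort2c"):
    """pfctl commands an operator would run to clear the offending entries."""
    return [f"pfctl -t {table} -T delete {ip}" for ip in hits]
```

On a live pfSense box the first argument would be the captured output of `pfctl -t snort2c -T show` and the second the contents of /etc/snortsam.conf; a non-empty result is the condition worth alerting on.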