
Using Snort to update ACL on Cisco Router


jag...@gmail.com

Apr 6, 2005, 12:18:29 AM

Howdy All,

Does anyone have a good reference on the internet for configuring Snort
to update the access-lists on a Cisco router?

From the following design

ISP ----->---Cisco Router/Pix------Snort IPS----Network Segment LAN or
DMZ

When Snort receives a packet that is of a malicious nature, the idea is to
generate an alert and, based on the alert, initiate a script that
automatically logs into the router (using an automated SSH script) and
amends the access-list statement to deny that particular attacking
host.


Thanks in advance
dirk

Walter Roberson

Apr 6, 2005, 1:45:23 AM

In article <1112761108.9...@g14g2000cwa.googlegroups.com>,
<jag...@gmail.com> wrote:
:Does anyone have a good reference on the internet for configuring Snort

:From the following design

Is it a Cisco router or is it a Cisco PIX?

If it is a PIX, then you might want to issue a 'shun' command
instead of modifying an access-list -- the 'shun' command is
intended for IDS devices to do a short-term block of an IP
as a priority over the ACL without having to keep track of the
current ACL contents. (On the PIX as of about 6.2, you -can-
remove specific lines from the ACL, but you have to know the
line number -- and if you have multiple IPs being blocked, then
keeping track of which is on which line could prove a bit tiresome.)

On the other hand, the 'shun' command likes to produce one
syslog message per packet from the shunned system -- you might
want to turn off logging of that particular message!


I believe IOS with the firewall feature set has the equivalent of
'shun', but I am not certain.


Oh yes: if you use shun, then double-check whether 'shun' commands
are saved when you "write memory". My recollection is that they
are -not- saved.
--
"This was a Golden Age, a time of high adventure, rich living and
hard dying... but nobody thought so." -- Alfred Bester, TSMD

jag...@gmail.com

Apr 6, 2005, 2:34:33 AM

Thanks for your response Walter,

I am going to attempt to script this from the Snort IPS (IDS) server,
and I am hoping that my script will work for a Cisco PIX or router (or
at least be easily ported to the other).
Problem is my scripting / Snort skills are next to minimal (other than
"theoretical" knowledge that I have from reading FAQs / posts and howtos
on the web), and I was wondering if someone had a recommended way of
scripting the Snort alerts to update a Cisco PIX or router. I do not
think of myself as too daft ;-) and I just need to be pointed in the
direction of a good howto.

Regards
dirk

Matt

Apr 9, 2005, 9:53:16 PM

(I'm sure there are other sites out there as well too)

http://www.chaotic.org/guardian/

Guardian Active Response for Snort

--------------------------------------------------------------------------------

Overview:
Guardian is a security program which works in conjunction with Snort to
automatically update firewall rules based on alerts generated by Snort.
The updated firewall rules block all incoming data from the IP address of
the attacking machine (the machine which caused Snort to generate an alert).
There is also logic in place which prevents blocking important machines,
such as DNS servers, gateways, and whatever else you want.

Here is a link you might want to read:
http://online.securityfocus.com/infocus/1540 .. I found it very interesting
on why you should use this software with great caution.

New Stuff/Changes
a. New block/unblock scripts! Checkpoint firewall and PIX firewall
   scripts. Download them below. Thanks goes out to Markwalder Philip (pm at
   ibp.ch) and Roland Gafner (roland.gafner at gmx.net). Awesome work guys :)
b. Better syslog parsing! Now guardian should work regardless of how your
   syslog/snortlib reports the attacks (as long as the attacker's IP address is
   first). The new code is much cleaner, and should be a bit faster as well.
c. Added support for watching for more than one IP address. To do this, a
   new option has been added to the guardian.conf file:

       TargetFile /etc/guardian.target

   The file should contain a list of IP addresses which are local IP
   addresses. The format is the same as the IgnoreFile. This is useful for
   people who are hosting several IP addresses from one machine. It might also
   be useful for people who are running snort/guardian on a firewall.
   This will also only place a block on the interface which is defined in the
   guardian.conf .. I should also add that this is experimental.

d. Bug fix: guardian now catches portscans as reported by the portscan
   modules
Block/Unblock Scripts
a. ipchains (Block / Unblock)
b. iptables (Block / Unblock)
c. ipfwadm (Block / Unblock)
d. FreeBSD using IPFW (Block / Unblock)
e. ipfilter (courtesy of Wes Sonnenreich (sonny at alum.mit.edu)) (Block /
   Unblock)
f. New! Null Route for Linux systems with no other packet filter software
   (Block / Unblock)
   This is a hack. Please read the file.. It works by adding a route to your
   routing table when an attack is detected. The route is invalid, and specific
   to the attacker, so while the route exists, your machine won't send anything
   back to the attacker. I have no idea what this does to performance.
g. Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner) (Block
   / Unblock)
h. PIX Firewall (Thanks Markwalder Philip and Roland Gafner) (Block /
   Unblock / Required perl script (also requires ssh perl module))
Misc Stuff
a. Here is a readme file that explains how to have guardian/snort running
   on one machine, and applying blocks to your firewall on a different machine.
   This was written by Roland Gafner (roland.gafner at gmx.net)
Downloads
a. Current Version: 1.7 (Download here)
   - Better syslog parsing
   - TargetFile to watch multiple IP addresses
   - Bug Fix for catching portscans
b. Version: 1.6.2 (Download here)
   - Support added for syslog rotation. Previously, guardian would not
     reopen the syslog file if it got rotated. This does not mean that there is
     support for rotating the guardian log itself. This will be supported in a
     future version.
   - Added block/unblock script for ipfwadm (useful for older linux
     kernels)
   - Bug fixes. Thanks to brian at unearthed.org for pointing them out.
c. Version: 1.6.1 (Download here)
   - Bug fix for newer snortlibs and syslog
   - Added block/unblock scripts for ipfwadm
d. Version: 1.6 (Download here)
   - Now calls an external script for blocking ip addresses.
   - Added a timelimit feature.
   - Removes all blocks upon exit
e. Version: 1.5 beta (Download here)
   Many bug fixes, FreeBSD support added, syslog support added, IPtables
   support added
f. Original release: 1.0 (Download here)

TODO
a. Support for other Network Intrusion Detection systems
b. Write block/unblock scripts for other OSs
c. Do something with the Priority codes that come with newer snort-libs
d. Include changes from unofficial guardian releases..
e. More stuff later on..
This page is still under much work, so check back often =) --- Anthony
(astevens @ chaotic . org) 03-26-02

hope this helps

vr/msb


<jag...@gmail.com> wrote in message
news:1112769273....@l41g2000cwc.googlegroups.com...
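To make the two approaches in this thread concrete, here is an added example (not from the thread, from Guardian, or from Cisco): it parses Snort "fast" alert lines, drops sources on a never-block list the way Guardian's IgnoreFile does, and emits either the PIX 'shun' / 'no shun' pair Walter describes or named-ACL entries for IOS. The alert lines and addresses are constructed; the IOS form assumes an existing named extended ACL called SNORT_BLOCK whose permit entries sit at high sequence numbers so the low-numbered denies match first, and pushing the lines over SSH is left to the caller.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in Snort's "fast" alert format (local-rule SIDs, documentation IPs).
SAMPLE_ALERTS = """\
04/06-00:18:29.123456 [**] [1:1000001:1] SCAN probe [**] [Priority: 2] {TCP} 203.0.113.45:51234 -> 192.0.2.10:80
04/06-00:18:30.000001 [**] [1:1000002:1] ICMP echo [**] [Priority: 3] {ICMP} 192.0.2.1 -> 192.0.2.10
04/06-00:18:31.500000 [**] [1:1000003:1] WEB attack [**] [Priority: 1] {TCP} 198.51.100.7:4000 -> 192.0.2.10:80
04/06-00:18:32.000000 [**] [1:1000001:1] SCAN probe [**] [Priority: 2] {TCP} 203.0.113.45:51235 -> 192.0.2.11:22
"""
# Never-block list in the spirit of Guardian's IgnoreFile (own segments, gateway, DNS):
# blocking a spoofed gateway or resolver address turns the IDS into a self-inflicted outage.
IGNORE_NETS = [ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")]
ALERT_RE = re.compile(r"\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
                      r"(?P<src>[0-9.]+)(?::\d+)? -> (?P<dst>[0-9.]+)")

def attackers(alert_text, max_priority=2):
    """Distinct source IPs worth blocking, first-seen order. Skips alerts whose
    priority number is above max_priority (Snort: 1 is most severe), malformed
    lines, and any source inside IGNORE_NETS."""
    seen = []
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if not m or int(m.group("prio")) > max_priority:
            continue
        try:
            src = ip_address(m.group("src"))
        except ValueError:
            continue  # garbled address: never build a device command from it
        if src in seen or any(src in net for net in IGNORE_NETS):
            continue
        seen.append(src)
    return seen

def block_commands(src, device, seq=10, acl="SNORT_BLOCK", unblock=False):
    """CLI lines to push over SSH for one attacker (the SSH session is the caller's job).
    device="pix": the short-term 'shun' from the thread; shuns are not kept by
    'write memory', so they vanish on reload. device="ios": a host entry in a named
    extended ACL, inserted with a sequence number ahead of the permits; removal
    names the entry, so no line-number bookkeeping is needed (hypothetical ACL name)."""
    src, no = str(src), "no " if unblock else ""
    if device == "pix":
        return [f"{no}shun {src}"]
    if device == "ios":
        entry = f"no deny ip host {src} any" if unblock else f"{seq} deny ip host {src} any"
        return ["configure terminal", f"ip access-list extended {acl}", entry, "end"]
    raise ValueError(f"unknown device type: {device}")

if __name__ == "__main__":
    for n, ip in enumerate(attackers(SAMPLE_ALERTS), start=1):
        print("\n".join(block_commands(ip, "ios", seq=n)))
```

Pair every block with a timed unblock (Guardian's timelimit idea) so a spoofed burst cannot leave permanent holes, and mind Walter's warning that each shunned packet still produces a syslog line.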

Mark S

Apr 10, 2005, 11:45:02 PM

Why don't you just buy a decent firewall like a Netscreen, Sonicwall, or
Fortinet? Commercial IDS->Firewall setups have been abysmal failures in the
past, which is why everyone's moved to IDP.

<jag...@gmail.com> wrote in message
news:1112761108.9...@g14g2000cwa.googlegroups.com...
