Saturday, November 12, 2005

Snort2c - Active Response Tool for PF

I have used snort2c to defend against certain threats before and had been thinking that I should blog about it; since some friends in #pf also asked for it, I decided to give it a write-up.

People often fail to differentiate an active response tool from a true IPS. I have never tried to compare the two in detail, but an active response system will normally fail against a single-packet exploit with a small footprint: it only blocks the source after Snort has alerted, so the first packet has already reached the host.

Like other active response tools such as snortsam (I wish I had time to play with this one), fwsnort and so on, snort2c is based on Snort, hence Snort has to be running on the system. I have never had a hard time getting Snort compiled from source on an OpenBSD box. I will jump directly to the configuration part, since getting snort2c working on the system is easy too.

First, create a whitelist of individual IPs or ranges that must never be blocked; for example, I want 192.168.0.1 to be whitelisted permanently.

shell>echo 192.168.0.1 > /nsm/whitelist

Running snort

shell>snort -i le1 -c /nsm/snort-2.4.0/rules/snort.conf -l /var/log/snort -D

Running snort2c on bootup

shell>snort2c -s -w /nsm/whitelist -a /var/log/snort/alert

The -s option is the best switch to use: it turns on init mode and creates the snort2c table automatically for you, together with the block return rules, which is why it is good to run it at boot. If you want to configure and run snort2c manually, refer to the snort2c site and follow the instructions there.

You can then run snort2c manually with

shell>snort2c -w /nsm/whitelist -a /var/log/snort/alert

Snort2c provides a tool to monitor its table, called mons2c. With it you can print out the blocked IPs, flush the snort2c table, or delete an IP from the snort2c table. However, since I'm more used to pfctl, I can use native pfctl to achieve the same thing.

To print out the blocked IPs; with -v the output is more informative, since it also shows per-address counters.

shell>pfctl -t snort2c -v -T show

To delete a blocked IP, for example 192.168.0.55

shell>pfctl -t snort2c -T delete 192.168.0.55

Flushing the snort2c table (note that -T delete without an address does nothing; -T flush removes all addresses)

shell>pfctl -t snort2c -T flush

Creating the snort2c table

shell>pfctl -t snort2c -T add

Remember to tune your Snort rules properly to avoid locking yourself out :P. I have deployed this on my OpenBSD bridge and it works well for me; with a transparent bridge I can plug it in or out without changing the network architecture, which makes it flexible enough to serve as a fast incident response device.
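As an added example (not from the original post or from the snort2c project), here is a small boot-time guard against the lockout mentioned above: it makes sure the management address is in the whitelist file and, if an alert already put it into the pf table, deletes it again with the same pfctl commands shown earlier. It assumes the whitelist is one address per line, as the echo command above creates, and that the table name is snort2c; the script name and the addresses are made up.

```shell
#!/bin/sh
# Added example, not part of the original post: keep management addresses
# out of the snort2c block table. Assumes one address per line in the
# whitelist file and the default table name created by "snort2c -s".

WHITELIST=${WHITELIST:-/nsm/whitelist}   # path used in the post
TABLE=${TABLE:-snort2c}                  # pf table created by snort2c -s

# is_whitelisted ADDR FILE -> exit 0 if ADDR appears as a whole line in FILE.
# Blank lines and '#' comments are ignored; -F keeps the dots literal;
# an unreadable or missing file whitelists nothing.
is_whitelisted() {
    addr=$1; file=$2
    [ -r "$file" ] || return 1
    grep -v '^[[:space:]]*#' "$file" | grep -qxF "$addr"
}

# ensure_whitelisted ADDR FILE -> append ADDR unless already present;
# prints "added" or "present" so the caller can log what happened.
ensure_whitelisted() {
    addr=$1; file=$2
    if is_whitelisted "$addr" "$file"; then
        echo present
    else
        echo "$addr" >> "$file"
        echo added
    fi
}

# is_blocked ADDR -> exit 0 if ADDR is currently in the pf table.
# "pfctl -T show" prints one indented address per line; pf needs root.
is_blocked() {
    pfctl -t "$TABLE" -T show 2>/dev/null | sed 's/^[[:space:]]*//' | grep -qxF "$1"
}

# guard ADDR... -> whitelist each management address and evict it from the
# block table if it is already there.
guard() {
    for addr in "$@"; do
        echo "$addr: whitelist $(ensure_whitelisted "$addr" "$WHITELIST")"
        if is_blocked "$addr"; then
            pfctl -t "$TABLE" -T delete "$addr" && echo "$addr: removed from <$TABLE>"
        fi
    done
}

# Usage (as root, e.g. from rc.local): sh snort2c-guard.sh 192.168.0.1
if [ $# -gt 0 ]; then guard "$@"; fi
```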

2 comments:

Anonymous said...

Thanks for this article, it was very useful for me ;)

I have just found this blog now, I will follow your posts from now on.

C.S.Lee said...

anonymous,

Thanks for reading my blog, hopefully you enjoy it ;)