carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
Posted: Wed Apr 18, 2007 12:05 pm Post subject: snortsam firewall suggestions
Hello, OK, I would like to set up snortsam and a firewall on my home mail server so it is dynamic, meaning it drops persistent offender IPs.
My network is already behind a firewall, smoothwall, but I want this as a secondary firewall as the server will be used remotely to access mail either via webmail or IMAP.
Does anyone have any suggestions as to how best to achieve this?
I was going to use firehol to set up the firewall.
cheers
_________________
Work Station - 64bit
Gigabyte GA X48-DQ6 Core2duo E8400
8GB GSkill DDR2-1066
SATA Areca 1210 Raid
BFG OC2 8800 GTS 640mb
--------------------------------
Notebook
Samsung Q45 7100 4gb
texas1emt Guru
Joined: 27 Oct 2003 Posts: 352 Location: San Antonio, TX
Posted: Thu May 10, 2007 11:57 pm Post subject:
I've used snortsam pretty extensively, and you might get frustrated if you use iptable rule compilers like firehol or shorewall. I'd highly recommend just using plain iptables rules to avoid issues with snortsam putting rules in the wrong chains or in the wrong places within the chains themselves.
It's important to remember that if you restart iptables using the /etc/init.d/iptables script (or via firehol/shorewall), your DROP rules from snortsam will be thrown out. This is because the chains will be flushed during the restart.
But, then again, if your firewall doesn't change much, then go ahead and use shorewall or firehol :-)
_________________
M. Hayden - San Antonio, TX
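The flush-on-restart behaviour described in this post can be worked around by capturing the live per-host DROP rules before the restart and replaying them afterwards. The following is an added example, not code from the thread or from snortsam; it assumes snortsam's blocks appear in `iptables-save` output as single-host `-j DROP` rules in INPUT or FORWARD, and the function names, sample ruleset and output path are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: a snortsam block shows up
# in `iptables-save` output as a rule in INPUT or FORWARD that matches one
# source or destination host and jumps to DROP.

# stdin: iptables-save text; stdout: one replayable "iptables -I" per block.
dynamic_blocks() {
    awk '
        $1 == "-A" && ($2 == "INPUT" || $2 == "FORWARD") {
            host = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s" || $i == "-d") host = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", host)      # some iptables versions print a.b.c.d/32
            # Subnet-wide DROPs (a.b.c.d/8 ...) belong to the static policy: skip.
            if (target == "DROP" && host ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) {
                $1 = "iptables -I"      # re-insert at the top, as a fresh block
                print
            }
        }'
}

# Constructed sample: a mail-server ruleset with two dynamic blocks in it.
sample_save() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 203.0.113.7/32 -i eth0 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -s 198.51.100.23 -i eth0 -j DROP
COMMIT
EOF
}

# Intended use around a restart (run as root; the output path is an example):
#   iptables-save | dynamic_blocks > /root/snortsam-blocks.sh
#   /etc/init.d/iptables restart && sh /root/snortsam-blocks.sh
sample_save | dynamic_blocks
```

Because the replayed rules have the same form as the originals, a later removal of the block with a matching `iptables -D` still finds them.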
carpman Advocate
Joined: 20 Jun 2002 Posts: 2202 Location: London - UK
Posted: Fri May 11, 2007 8:41 am Post subject:
texas1emt wrote: | I've used snortsam pretty extensively, and you might get frustrated if you use iptable rule compilers like firehol or shorewall. I'd highly recommend just using plain iptables rules to avoid issues with snortsam putting rules in the wrong chains or in the wrong places within the chains themselves.
It's important to remember that if you restart iptables using the /etc/init.d/iptables script (or via firehol/shorewall), your DROP rules from snortsam will be thrown out. This is because the chains will be flushed during the restart.
But, then again, if your firewall doesn't change much, then go ahead and use shorewall or firehol :-) |
Thanks for the reply. I'm a bit lost with setting up the firewall as I have been spoilt by smoothwall; can you give me a quick outline on installing and setting up iptables to work with snortsam?
cheers
al1ta Tux's lil' helper
Joined: 18 Apr 2005 Posts: 77
Posted: Fri Oct 19, 2007 1:00 pm Post subject:
texas1emt wrote: | I've used snortsam pretty extensively, and you might get frustrated if you use iptable rule compilers like firehol or shorewall. I'd highly recommend just using plain iptables rules to avoid issues with snortsam putting rules in the wrong chains or in the wrong places within the chains themselves.
It's important to remember that if you restart iptables using the /etc/init.d/iptables script (or via firehol/shorewall), your DROP rules from snortsam will be thrown out. This is because the chains will be flushed during the restart.
But, then again, if your firewall doesn't change much, then go ahead and use shorewall or firehol :-) |
Hi, did you ever use snortsam on a 64-bit machine? I have a Gentoo amd64 on a Pentium D processor, kernel vanilla 2.6.23. I'm trying to use snortsam but for now snort doesn't connect to snortsam.
My snortsam.conf follows:
------------------------
defaultkey mysecret
accept localhost
fwsam localhost
keyinterval 30 minutes
dontblock xxx.xxx.xxx.xxx # home network
rollbackhosts 50
rollbackthreshold 20 / 30 secs
rollbacksleeptime 1 minute
logfile /var/log/snortsam.log
loglevel 4
daemon
#nothreads
email localhost alert@bigfoot
iptables eth0 LOG
I start snortsam first and then snort.
These are the errors that I get:
snortsam
-----------
2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Accepted connection from 127.0.0.1.
2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Adding sensor 127.0.0.1 to list.
2007/10/19, 14:49:24, 127.0.0.1, 3, snortsam, Had to use initial key!
2007/10/19, 14:49:24, 127.0.0.1, 1, snortsam, Snort station 127.0.0.1 using wrong password, trying to re-sync.
snort
----------
INFO => [Alert_FWsam](FWsamCheckIn) Connected to host 127.0.0.1.
ERROR => [Alert_FWsam](FWsamCheckIn) Password mismatch! Ignoring host 127.0.0.1.
Please help.
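A first check for the "Password mismatch" error in the post above is whether the key snort sends is one that snortsam is configured to accept; it rules out a configuration mismatch only and says nothing about other causes. This is an added example, not from the thread or from the snortsam project. It assumes the snort side is configured with `output alert_fwsam: host[:port][/key]` and that snortsam.conf may carry per-sensor keys as `accept host, key`; the function names and file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed syntax:
#   snort.conf:     output alert_fwsam: host[:port][/key] ...
#   snortsam.conf:  defaultkey KEY   and   accept HOST[/MASK][, KEY]

# Keys snortsam accepts: defaultkey plus any per-sensor key on an accept line.
samconf_keys() {
    awk '{ sub(/#.*/, "") }
         tolower($1) == "defaultkey" { print $2 }
         tolower($1) == "accept" && index($0, ",") {
             k = $0; sub(/^[^,]*,[ \t]*/, "", k); sub(/[ \t]+$/, "", k); print k
         }' "$1"
}

# What snort will send: one "station key" pair per line (key may be empty).
snort_stations() {
    awk '{ sub(/#.*/, "") }
         $1 == "output" && $2 == "alert_fwsam:" {
             for (i = 3; i <= NF; i++) {
                 n = split($i, p, "/"); print p[1], (n > 1 ? p[2] : "")
             }
         }' "$1"
}

# Print "station match|mismatch|nokey"; return 1 unless every station matches.
# A key counts as a match if it equals any key snortsam accepts.
check_fwsam_keys() {   # $1 = snortsam.conf, $2 = snort.conf
    rc=0
    keys=$(samconf_keys "$1")
    while read -r station key; do
        [ -n "$station" ] || continue
        if [ -z "$key" ]; then
            echo "$station nokey"; rc=1      # no key on the snort side
        elif printf '%s\n' "$keys" | grep -qxF -- "$key"; then
            echo "$station match"
        else
            echo "$station mismatch"; rc=1   # compare case and whitespace
        fi
    done <<EOF
$(snort_stations "$2")
EOF
    return $rc
}

# Usage (paths are examples):
#   check_fwsam_keys /etc/snortsam.conf /etc/snort/snort.conf
```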