[snort-users] Blocking with a PIX

permalink · #1 (**permalink**) 05-11-2004

This is a multipart message in MIME format.
--=_alternative 004B84F2C1256E91_=
Content-Type: text/plain; charset="US-ASCII"

Hi to everyone,

I've configured snort with snortsam to block attacks from the outside.
It worked all perfectly when I tried it on a Cisco Router.

But now I need to do that with a Cisco PIX.

Here's the snortsam.conf file:

accept 127.0.0.1
pix <PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD>

When I try to launch both snort and snortsam I see these messages, and it
seems that snortsam is applying the rules on the pix:

Checking for existing state file: Present. Reading State
Starting to listen for Snort alerts.
Accepted connection from 127.0.0.1
Accepted connection from 127.0.0.1
Adding sensor 127.0.0.1 to list.
Blocking host <IP> completely for 7200 seconds
Accepted connection from 127.0.0.1
Blocking host <IP> completely for 7200 seconds
Accepted connection from 127.0.0.1
Blocking host <IP> completely for 7200 seconds

and so on...

By the way if I look at the Pix configuration there are no rules applied.
I know that the PIX Plugin use the shun command to block IP, and if i try
it manually on the Pix it works.

I've tried to disable telnet for the Snort/Snortsam server on the Pix to
see if Snortsam works anyway. If I do that SnortSam says it can't connect
to Pix.
So it seems that SnortSam "works"....

Thanks for help

Davide De Boni

Email: d.deboni@edexter.it

e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558
--=_alternative 004B84F2C1256E91_=
Content-Type: text/html; charset="US-ASCII"

 Hi to everyone,
 
 I've configured snort with snortsam
to block attacks from the outside.
 It worked all perfectly when I tried
it on a Cisco Router.
 
 But now I need to do that with a Cisco
PIX.
 
 Here's the snortsam.conf file:
 
 accept 127.0.0.1
 pix <PIXIP> <TELNETPASSWORD>
<ENABLEPASSWORD>
 
 When I try to launch both snort and
snortsam I see these messages, and it seems that snortsam is applying the
rules on the pix:
 
 Checking for existing state file: Present.
Reading State
 Starting to listen for Snort alerts.
 Accepted connection from 127.0.0.1
 Accepted connection from 127.0.0.1
 Adding sensor 127.0.0.1 to list.
 Blocking host <IP> completely
for 7200 seconds
 Accepted connection from 127.0.0.1
 Blocking host <IP> completely
for 7200 seconds
 Accepted connection from 127.0.0.1
 Blocking host <IP> completely
for 7200 seconds
 
 and so on...
 
 By the way if I look at the Pix configuration
there are no rules applied.
 I know that the PIX Plugin use the shun
command to block IP, and if i try it manually on the Pix it works.
 
 I've tried to disable telnet for the
Snort/Snortsam server on the Pix to see if Snortsam works anyway. If I
do that SnortSam says it can't connect to Pix.
 So it seems that SnortSam "works"....
 
 Thanks for help
 
 
Davide De Boni 
 
Email: d.deboni@edexter.it 
 
e.Dexter S.P.A. 
C.so Risorgimento 5 
28823 Ghiffa (VB) 
ITALIA 
Tel +39.0323.407733 
Fax +39.0323.53558
--=_alternative 004B84F2C1256E91_=--

-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg...rom=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode