RE: [snort-users] Blocking with a PIX

permalink · #1 (**permalink**) 05-11-2004

This is a multi-part message in MIME format.

------_=_NextPart_001_01C43763.EED7DFC8
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

The shuns won't show up in the rulebase. Connect to the pix, get to an
enable prompt, and type 'sh shun' to see if the shuns are being applied.
It should show a list of the current shuns in place.
=20
Andrew Hutchinson - Network Security
Vanderbilt University Medical Center
(615) 936-2856

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of
d.deboni@edexter.it
Sent: Tuesday, May 11, 2004 8:45 AM
To: snort-users@lists.sourceforge.net
Subject: [snort-users] Blocking with a PIX
=09
=09

Hi to everyone,=20
=09
I've configured snort with snortsam to block attacks from the
outside.=20
It worked all perfectly when I tried it on a Cisco Router.=20
=09
But now I need to do that with a Cisco PIX.=20
=09
Here's the snortsam.conf file:=20
=09
accept 127.0.0.1=20
pix <PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD>=20
=09
When I try to launch both snort and snortsam I see these
messages, and it seems that snortsam is applying the rules on the pix:=20
=09
Checking for existing state file: Present. Reading State=20
Starting to listen for Snort alerts.=20
Accepted connection from 127.0.0.1=20
Accepted connection from 127.0.0.1=20
Adding sensor 127.0.0.1 to list.=20
Blocking host <IP> completely for 7200 seconds=20
Accepted connection from 127.0.0.1=20
Blocking host <IP> completely for 7200 seconds=20
Accepted connection from 127.0.0.1=20
Blocking host <IP> completely for 7200 seconds=20
=09
and so on...=20
=09
By the way if I look at the Pix configuration there are no rules
applied.=20
I know that the PIX Plugin use the shun command to block IP, and
if i try it manually on the Pix it works.=20
=09
I've tried to disable telnet for the Snort/Snortsam server on
the Pix to see if Snortsam works anyway. If I do that SnortSam says it
can't connect to Pix.=20
So it seems that SnortSam "works"....=20
=09
Thanks for help=20
=09
=09
Davide De Boni
=09
Email: d.deboni@edexter.it
=09
e.Dexter S.P.A.
C.so Risorgimento 5
28823 Ghiffa (VB)
ITALIA
Tel +39.0323.407733
Fax +39.0323.53558

------_=_NextPart_001_01C43763.EED7DFC8
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Message</TITLE>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<META content=3D"MSHTML 6.00.2800.1400" name=3DGENERATOR></HEAD>
<BODY>
<DIV>The=20
shuns won't show up in the rulebase.  Connect to the pix, get to an =
enable=20
prompt, and type 'sh shun' to see if the shuns are being applied.  =
It=20
should show a list of the current shuns in place.</DIV>
<DIV> </DIV>
<DIV>
Andrew Hutchinson - Network Security Vanderbilt =
University=20
Medical Center (615) 936-2856 </DIV>
<BLOCKQUOTE style=3D"MARGIN-RIGHT: 0px">
<DIV></DIV>
<DIV class=3DOutlookMessageHeader lang=3Den-us dir=3Dltr =
align=3Dleft><FONT=20
face=3DTahoma size=3D2>-----Original Message----- From:=20
snort-users-admin@lists.sourceforge.net=20
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of=20
d.deboni@edexter.it Sent: Tuesday, May 11, 2004 8:45=20
AM To: snort-users@lists.sourceforge.net Subject:=20
[snort-users] Blocking with a PIX </DIV> <FONT=20
face=3Dsans-serif size=3D2>Hi to everyone, I've configured snort with snortsam to block attacks from the =

outside. It worked all =
perfectly when=20
I tried it on a Cisco Router. But=20
now I need to do that with a Cisco PIX. Here's the snortsam.conf file: accept 127.0.0.1 pix=20
<PIXIP> <TELNETPASSWORD> <ENABLEPASSWORD>=20
 When I try to launch both =
snort and=20
snortsam I see these messages, and it seems that snortsam is applying =
the=20
rules on the pix: Checking for=20
existing state file: Present. Reading State Starting to listen for Snort alerts. Accepted connection from 127.0.0.1 Accepted connection from 127.0.0.1 Adding sensor 127.0.0.1 to list. Blocking host <IP> completely for 7200 seconds =
 <FONT=20
face=3Dsans-serif size=3D2>Accepted connection from 127.0.0.1 =
 <FONT=20
face=3Dsans-serif size=3D2>Blocking host <IP> completely for =
7200=20
seconds Accepted =
connection from=20
127.0.0.1 Blocking host =
<IP>=20
completely for 7200 seconds and so=20
on... By the way if I =
look at the=20
Pix configuration there are no rules applied. I know that the PIX Plugin use the shun command to block IP, =
and if i=20
try it manually on the Pix it works. I've tried to disable telnet for the Snort/Snortsam server on =
the Pix=20
to see if Snortsam works anyway. If I do that SnortSam says it can't =
connect=20
to Pix. So it seems that =
SnortSam=20
"works".... Thanks for =
help=20
 Davide De =
Boni Email:=20
d.deboni@edexter.it e.Dexter S.P.A. C.so Risorgimento =
5 28823=20
Ghiffa (VB) ITALIA Tel +39.0323.407733 Fax=20
+39.0323.53558</BLOCKQUOTE></BODY></HTML>
=00
------_=_NextPart_001_01C43763.EED7DFC8--

-------------------------------------------------------
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to
deliver higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg...rom=osdnemail3
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.p...st=snort-users

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode