About SnortSam

Snortsam - A Firewall Blocking Agent for Snort

About | News | Download | Documentation

Welcome to SnortSam (or better, its Memorial Page)

SnortSam was a plugin for Snort™, an open-source light-weight Intrusion Detection System (IDS). The plugin allowed (in the past) for automated blocking of IP addresses on following firewalls:

Checkpoint Firewall-1

Cisco PIX firewalls

Cisco Routers (using ACL's or Null-Routes)

Former Netscreen, now Juniper firewalls

IP Filter (ipf), available for various Unix-like OS'es such as FreeBSD

FreeBSD's ipfw2 (in 5.x)

OpenBSD's Packet Filter (pf)

Linux IPchains

Linux IPtables

Linux EBtables

WatchGuard Firebox firewalls

8signs firewalls for Windows

MS ISA Server firewall/proxy for Windows

CHX packet filter

Ali Basel's Tracker SNMP through the SNMP-Interface-down plugin

SnortSam had also been integrated with Sagan, which is a log analysis engine developed by Champ Clark. The Snortsam Output Plugin and related files (header, Twofish) are available at the Sagan GitHub repository.

SnortSam itself consisted of two pieces -- the output plugin within Snort™ and an intelligent agent that ran on the firewall, or a host near the firewall. The agent provideed a variety of capabilities that went beyond other automated blocking mechanisms at its time, such as:

White-list support of IP addresses that are never blocked.
Time-override list.
Maximum block time ceiling as well as minimum block time definition for reporting entities.
Flexible, per rule blocking specification, including rule dependent blocking time interval.
A SID filter list of allowed or denied SIDs based on reporting entity.
Misuse/Attack detection engine (including roll-back support) that attempts to mitigate the risk of a self-inflicted Denial-Of-Service in the IDS-Firewall integration.
Repetitive (same IP) block prevention with customizable window to improve performance.
TwoFish encrypted communication between Snort™ and the SnortSam agent.
True OPSEC support using the Checkpoint SDK (opsec plugin).
Block tracking and block expiration for firewalls that don't support timeouts.
Multi-threading for faster processing and simultaneous block on multiple devices.
File logging and email notification of events.
... and finally, using the client/server (snort/snortsam) architecture to build large, distributed response networks in a very scalable fashion.

SnortSam is open-source software, free of charge. Back in its day, it could be compiled under any platform and functioned across different platforms. SnortSam can still be obtained through web download, ~~FTP download, or CVS access~~. Links are still provided in the download section.

SnortSam has not seen any further development for almost a decade. It's been pretty much End-of-Life. However, it still works (I think), and can still be used for its intended purpose. At the very least, it can serve as an educational example of a unique prevention mechanism. (Back in its days, it pioneered the concept of "distributed intrusion prevention". Since those days, "threat intel exchange" had finally become "a thing" and has been used in a variety of products.)