Snortsam - A Firewall Blocking Agent for Snort


About | News | Download | Documentation | Mail List

2013-10-29: Darryl Sokoloski and Bryan Waters independently provided a patch for Snort 2.9.5.3. Download Darryls version or Bryans version. Both do the same thing, but patch application may slightly differ. If you have problems with one, try the other. They have been added to the download section

2012-04-20: Michael Scheidell provided a patch for Snort 2.9.2.2. It has been added to the download section

2011-12-13: Michael Scheidell provided a patch for Snort 2.9.1.2. It has been added to the download section

2011-02-20: Chris Fensch reported a bug (missing NULL assignment in clearhistory) that could cause memory corruption and crashes while reloading the state file. This was observed on 64 bit systems, but should also effect 32 bit systems, although it was not observed there. Snortsam has been patched, bringing it to version 2.70. New source tarball has been uploaded. Thanks Chris!

2011-02-05: Robert Zelaya submitted a patch to Snort 2.9. It has been added to the download section.

2010-04-26: Olli Hauer submitted an updated patch for Snort 2.8.5.3.

Luis Daniel Lucio Quiroz submitted a patch for Snort 2.8.6. I have not tested these, they are (as all submissions) posted as received.

2009-11-26: Olli Hauer submitted some tweaks to the PF2 plugin, and some clean-up to other code. In addition, a new version of makesnortsam.sh has been created that makes it easier to modify things (like adding a custom source file). Great work Olli!

CVS and FTP have been updated with the new Snortsam version, now at version 2.69. Hope everyone had a great Thanksgiving.

2009-11-08: Olli Hauer submitted a new version of the PF2 plugin. It now supports the tear-down and disconnect of existing sessions. In the past, Snortsam added the IP to groups for block action, but that only blocked new connections. Existing sessions (for example, brute-force attacks) remained open. Now the session can be killed. Please read the README.pf2 documentation included in the FTP and CVS docs directory and in the source tarball.

Olli also did some clean-up on the older PF plugin. Table names and now fixed. The code may no longer work on OpenBSD older than 3.3, but should work without problems on all newer versions. Thanks Olli!

I also brought the plugin version numbers listed on startup of Snortsam in sync with the respective versions of the plugin in CVS.

CVS and FTP have been updated with the new Snortsam version, now at version 2.68.

2009-10-16: Good news allround:
  • Luis' patch for Snort 2.8.5 works like a charm.
  • Wouter de Jong submitted a modified version of the Cisco Null Route plugin. It's named "cisconullroute2". The plugin has extended config options and supports tagged routes.
  • I dusted off the old Microsoft Visual Studio project file. You can now choose between Normal and OPSEC, but also ISA2002 and ISA2004 modifications.
  • The config option blockonly has been added. If used, all blocks are ignored unless they match IP's or networks on this list. This is useful is you only want to block addresses from a certain network range. (dontblock still applies to these ranges). An option unblockonly is also present, though I can't think of a good use case for it at the moment. But the functionality is there.
  • I made several changes to how the IP's are stored internally to improve performance when massive amounts of IP's are on the block list. In addition, the statefile is only saved in 5 sec intervals now to avoid excessive disk I/O.
New Windows binaries have been compiled, and CVS and source tar ball have been updated to version 2.66.
2009-10-09: Reports have come in that Luis' Snort 2.8.5 patch contained an error. A fixed version has now been uploaded. Please test it and report result.
2009-09-23: Luis Daniel Lucio Quiroz submitted a patch for Snort 2.8.5 that adds the Snortsam plugin. It has been uploaded to the web and FTP site.
2009-09-19: Snortsam version 2.63 is available in CVS and FTP. This update adds missing ifdefs around two POSIX mutexes for Windows so that Snortsam can once again be compiled under Windows. Also included is a fix that addresses crashes on connection resets when using persistent TCP connections. Those who use persistent TCP connections are encouraged to upgrade.
2009-09-15: Snortsam version 2.61 has just been committed to CVS and FTP. It adds the config option dontunblock. In the past, dontblock only affected blocks and all unblock requests where accepted unfiltered. dontunblock allows now for selective ignoring of unblock requests. Also included is a crude fix that prevents the forwarded plugin from forwarding a request back to the IP address where it received the request.
2009-09-02: Greetings! Frank here. I have decided to take the Snortsam web site back over. I would like to thank Matt Jonkman and other Emerging Threats members for keeping the web site running during a period where I just didn't have the time to maintain it. Not that I have more time now, but I'd like to take another stab at maintaining Snortsam. Even though it is 8 years old now, I do still feel a certain attachment to it.

I don't think there will be many new features in Snortsam v2 in the near future. In my spare time, I'm working on the next step in the evolution of distributed blocking, and it will blow Snortsam right out of the water. You will hear about it when it is ready for release. But in the meantime, Snortsam is still seeing use, and there are many new folks that are discovering it just now. So, I'll do my best to maintain it.

If you haven't updated Snortsam lately, you should. The current version is 2.60 which contains several bugfixes.


Older bulletins/Changelog entries are also available.


© Copyright 2001-2014 Frank Knobbe. All rights reserved.
Snort and Sourcefire are registered trademarks of Sourcefire, Inc.