Snortsam - A Firewall Blocking Agent for Snort

About | News| Download | Documentation | Mail List

2009-06-12: Updated Snort diff available for Get it here: download page
2007-07-24: Updated Snort source available for 2.6.15 and newly released 2.7.0. Hot off the presses, get yours on the download page.
2007-02-02: Well, almost a year went by without any updates. Sorry folks, but I just don't have the time to maintain Snortsam anymore. As announced in the mail list, I'm in the process of transitioning Snortsam to a new group of maintainers. Stay tuned for an offical announcement.

In order to facilitate a smooth transition, I committed several piled-up changes to CVS and the sources in FTP. I did NOT recompile any code. These additions are:
* Patch from Ali Basel to the CiscoACL plugin.
* Addition of the ENABLEPERSISTENTTCP option. The persistent TCP code has still not properly debugged, but is included in the current source code (which would be version 2.53). However, it is disabled by default, but can be forced on with this option.
* Mark P Clift had supplied code for the Microsoft ISA 2004 server since the existing plugin is only compatible with older versions. I have not been able to test this code yet, but Mark reports it running fine. To compile it, you need to have the proper DLLs, which are supplied in the contrib folder. Mark was also working on a version for ISA Server 2006.
* Finally figured out the issue with the Snortsam patch for Snort™ and why it worked on 2.4 but not 2.6 (Snort™ 2.4 had a comma too many in the code, 2.6 does not). The Snortsam patch has finally been fixed. Woohoo!

With that, the CVS and FTP trees are what I consider wrapped-up and ready for transfer to the new maintainers. All the binary compilation stuff I shall leave to their discretion.
2006-03-31: Version 2.52 still seems to have a few issues. While 2.52 is available via CVS and FTP, I'm rolling the "official" version back to 2.50 which is pretty stable. use 2.52 at your own risk. You've been warned. (Issues include Snortsam-to-Snortsam links being disabled due to spurious password mismatches, and some issues with backwards compatibility when using disablepersistentconnections).
2006-03-29: * Added support for persistent TCP connections to Snortsam and samtool. Snortsam-to-Snortsam links are now using persistent TCP connections as opposed to a new one for each block. It should be backwards compatible with earlier versions and with Snort™ (which doesn't support persistent TCP sessions just yet). This feature can be disabled with the disablepersistentconnections option if desired. Please provide feedback to performance or problems with this feature. Current Snortsam version is 2.52. Binaries and source have been updated as usual.
2006-03-11: * Cloned email plugin to a plugin named email-blocks-only. It will do the same as email but only on block events, not unblock events.
* Added config option disablereverselookups that prevents logging plugins from resolving IP addresses to host names. Currently only used by the email plugins.
* Added statefile config option to assign a name to the statefile. That way conflicts can be avoided on hosts with multiple Snortsam instances where two or more Snortsam need to keep records in the statefile.
* Added a flag labelled PluginDoesReblockOnUSR1 to the plugin specifications. This allows a plugin ro ignore reblock requests on a USR1 signal. Now the email and forward plugins won't block/email/forward blocks again on statefile reloads via USR1 signal.
* Updated source and binaries. Current Snortsam version is 2.50.
2006-01-25: * Fixed bug that caused a failure of repetitive block checking when the duration was 0 (permanent blocks). This caused endless loops in bidirectional forwarder setups despite repetitive block checking. New version of Snortsam is 2.47.
2006-01-24: * Fixed a bug in the fwexec plugin. New version of Snortsam, now at 2.46, has been released.
2005-12-25: * Updated samtool to 1.6. It will now block all IP addresses resolved for a hostname with more than one address (not just the first IP anymore).
* Small bugfix to Snortsam. LIMIT will now treat permanent blocks as very large blocks and reduce the time from 'permanent' to the defined upper limit. New version is 2.45.
2005-12-25: * Nima Sharifi Mehr submitted code that allows Snortsam to register and start itself as a Windows Service.
   To install Snortsam as a service:
     SnortSam.exe /SERVICE /INSTALL -path <Absolute Path ofSnortSam.exe> [regular command-line params]
   To remove Snortsam from services:
     SnortSam.exe /SERVICE /UNINSTALL
* Added ability to specify a maximum block time limit (and also a minimum limit) for all block requests based on the requesting sensor (or other Snortsam agent).
* Added ability to specify a list of allowed or denied SID based on the requesting sensor (or other Snortsam agent). Blocking requests for denied SIDs are ignored.
* Linux builds are now compiled by default WITHOUT MULTI-THREADING. In order to turn on multi-threading on Linux builds, use the newly added option FORCETHREADS in the snortsam.conf config file. All other platforms (BSD, Windows, Solaris) are still built with multi-threading turned on by default.
2005-11-03: * Updated Snort™ 2.4 binaries to version 2.4.3 build 26. I'm now also providing FreeBSD binaries for FBSD versions 4, 5 and 6, just because I have to create them anyway.
2005-10-06: * Got Window version to compile (stupid mistake on my part) and thus updated the Windows binaries to version 2.4.2 build 25.
* Also, applied a small fix to the Snort™ Patch to avoid compiler errors when attempting to include winsock.h when it's already loaded. updated in CVS, FTP and Web.
2005-10-05: * Joey Moe provided a detailed README.slackware for patching and installing Snort™ with the Snortsam plugin on Slackware. Thanks Joey!
* Updated Snort™ 2.4 binaries for Linux and FreeBSD to version 2.4.2 build 25. Windows compiles currently fail, so Windows binaries are still on version 2.4.0 build 19. I'll try to compile Windows in a couple days again. (If anyone else is able to successfully build Windows binaries, please let me know)
2005-08-05: * Grrr... I hate finding bugs after a release. It was just a minor issue with the repetitive block checking that would not unblock hosts that were blocked with a duration smaller than the skipcheck interval (which is typically not the case). (2.39)
* While we were at it, also made a couple tweaks relating to the reload and reblock via USR1. Also, a backup of the state file will now be created during save. Binaries and sources have been updated to version 2.40.
2005-08-04: * New Plugin: Added Forwarder plugin. Snortsam can now forward blocking requests to another Snortsam instance on the same or a different host. This capability allows for the creation of truly distributed reactive infrastructure. There are a few limitations. Make sure you read the section in README.conf and pay attention to the warning in regards to loops.
* Added the ability to specify a custom port for the SMTP plugin.
* Added SCREENLEVEL config option to throttle the screen output like LOGLEVEL does for the logfile.
* Improved performance when a lot of blocks are in the state file (Snortsam will only check for expired blocks once a second now).
Binaries and sources have been updated to version 2.38.
2005-07-29: * Updated Snort™ binaries: Refreshed 2.3, now at build 14 for all except Windows versions. The Windows build fails at the moment. Please use build 12 of the Windows versions.
* Also, added Snort™ 2.4 binaries and sources since Snort™ 2.4 just got released (and updated to build 19). The Snortsam Patch still works on Snort™ version 2.4, no changes were necessary.
2005-07-27: * Added Signal handling for USR1 and USR2:
   - If you send a USR1 signal to Snortsam, it will reload the state file and will reinitiate previous established blocks. So if your firewall (i.e. ipf) lost all Snortsam invoked blocks (like after a reboot), you can just signal Snortsam to block all previously blocked IP addresses again. (Thanks to Jeff Kell for this great idea.)
   - The USR2 signal causes Snortsam to just reload the state file, but it doesn't block again. This is useful if an external program modified the state file and you want to remove a block from it. For normal operations, the "samtool" should be used to remove blocks.
* Some minor updates to the samtool (now at version 1.5).
2005-07-21: * After many requests, I finally found some time to create a command line utility that can be used to block/unblock an IP address on one or more Snortsam stations directly. Binaries are provided, but you can compile it yourself with the provided VC++ project file and the *nix makefile (run make samtool). For usage information, run samtool -h. Enjoy!
2005-07-10: After a period of inactivity, several updates have been made:
* Olaf Schreck created a Makefile for Snortsam. It resides in the snortsam/src folder. Just "cd src && make" and you should be good to go. Olaf tested it on various platforms successfully.
* Darryl Sokoloski supplied a patch that removed IP addresses from the internal memory lists and the state file upon a "manual" unblock received through the network. Stay tuned! We'll soon have a command line tool that will send block/unblock requests to Snortsam through the network.
* Ali Basel sent in an updated version of the CiscoACL plugin. It now supports communication over SSH via use of Expect scripts. He also updated the README.ciscoacl. You are encouraged to read through that for the changes and added support.
* Ali Basel also supplied a new plugin called SNMP_Interface_down. It works in conjunction with a program he has written and maintains that allows Snortsam to block offenders by shutting down the switch ports the offender is plugged in. More on his software at
* Roger P. spotted a bug in the CHX-I plugin that prevented the log option to be passed correctly. Got that fixed.
* And finally, I cleaned up the code a bit to remove some harmless but annoying compiler warnings.
2005-03-19: * Updated Snort™ 2.3 binaries to version 2.3.2, build 12.
2005-02-06: * New Plugin: The idea of an ipfw plugin had been discussed in the past, but the fact that rules are numbered prevented a Snortsam implementation. Until now. Robert Rolfe discovered that ipfw2 (version 2 of ipfw available with FreeBSD 5.x) has support for groups and supplied the basics for this plugin. So at last, we were able to add ipfw2 support, which is included in Snortsam version 2.31.
2005-01-16: * New Plugin: Brent Erickson suggested an additional Cisco router plugin, one that adds null-routes for blocked hosts. Using sample command sequences he supplied, I created ssp_cisco_nullroute.
* Olaf Schreck supplied a patch to the PacketFilter (pf) plugin to allow usage on newer versions of OpenBSD (3.5/3.6).
2004-12-05: * Updated Snort™ 2.2 and 2.3. Compiled and uploaded Windows versions.
2004-12-03: * New Plugin: Nima Sharifi Mehr wrote a plugin for Microsoft's ISA Server proxy/firewall. Snortsam has to be run on that ISA Server of course.
* New Plugin: Peter (grcguru) recommended the addition of a plugin for the CHX-I packet filter. It calls the fltcon executable to add blocks.
* Moved README files into separate docs/ directory in source tree.
2004-11-12: * Enes Ajanovic reported a problem which led to discovery of a nasty bug affecting some plugins, especially the PIX plugin, in the OPSEC versions of Snortsam. Corrected problem and recompiled binaries.
* Joe Mazzie provided documentation for the 8signs firewall plugin. Since the plugin only applies to Windows users, I left the documentation in Rich Text Format.
2004-10-17: * Split fwexec plugin into its own files (still need to split the fwsam plugin). This provides an example for file-based plugins such as the one below.
* Added 8signs firewall plugin for the 8signs firewall on Windows. Thanks to Joe Mazzie for the suggestion and infos. Compiled new Snortsam version (2.27) and updated sources.
* Changed source directory layout a bit to keep things organized.
2040-09-28: * Updated Snortsam patch for Snort™ (tarball and sources in FTP and CVS). Updated Snort™ versions 2.3 down to 1.8 with new plugin. Compiled binaries for these versions, except for Windows versions for 2.2 and 2.3. These do not build yet. Chris Reid is still working on 2.3 and we'll investigate why 2.2 doesn't build. As soon as we can compile these under Windows, I'll add them here.
2004-09-27: * Darryl Sokoloski supplied a patch that allows Snort™ to transmit the signature ID to Snortsam for logging. This required a change in the communication protocol between Snort™ and Snortsam. This new version here accepts the new protocol version (1.4) but also still the old one. That means that you don't *have* to update the sensors immediately, but can do that at your leisure. (New Snort™ versions are in preparation). The Snort™ Sig_ID is displayed in logs and email, and also included in the state file, which brings us to the next point.
* The state file has changed. For one, it is now located in /var/db and no longer in /var/log (it gets moved automatically). The format changed slightly too. The file is now preset with a header that allows for version checking of the file. In addition, the Snort™ signature ID is noted together with the block so that 3rd party programs (like Darryl's) can read the table of blocked IP's together with the Sig_ID that caused the block.
2004-08-09: * Added the ability to specify a custom zone name in the Netscreen plugin (this one is for you, Jim).
* Modified the Cisco ACL plugin so that it creates a random file name for the temporary file. That should prevent collisions when two Cisco routers are configured and the plugins run simultaneously.
2004-05-26: * Bruno Scatolin supplied a plugin for Linux EtherBridgeTables. The ebtables plugin has the same options like the iptables plugin, but calls the ebtables command with slightly different parameters.
* Corrected an oversight that caused Snortsam to throw an error on startup on the DEFAULTKEY option (even though it accepted the supplied value).
* Modified the Cisco ACL plugin so that it chmods the tftp file to 644 to avoid potential umask problems and guarantee that the tftp daemon can read the file.
2004-04-18: * Updated Snort™ version 2.1.2 to build 25. Compiled and uploaded new binaries for FreeBSD, Linux and Windows to web and FTP site. Also, updated Microsoft C++ project file and automake files in source directories for the do-it-yourselfers.
* Snort™ 1.9 binaries and sources have been removed from the web site as "support" for them is running out. However, they are still available through the FTP site.
2003-12-29: * Windows binaries for Snort™ 2.1.0 build 9 have been compiled and uploaded.
2003-12-27: * Updated Snort™ to version 2.1.0, build 9, and version 2.0.6, build 100. These updates are for Linux and FreeBSD only since there seem to be problems compiling Snort™ under Windows at the moment. I'll add those as soon as they become compilable.
2003-12-02: * Hector Paterno supplied an upgrade to the pf plugin. It now supports OpenBSD 3.0/3.1/3.2/3.3/3.4 and FreeBSD 5.x.
* Cameron Mac Millan suggested an option that causes Snortsam to listen on only one interface/address. Added a new config file option BINDIP to support binding to just one i/f.
Updated sources and binaries to version 2.23.
2003-10-19: * Darryl Sokoloski supplied a patch to add the DAEMON statement so that Snortsam can daemonize upon startup. Also included is an attempt to fix the still prevailing Socket Reuse issue. Updated Snortsam sources and binaries to version 2.23.
2003-09-13: * Updated Snort™ to version 2.0.2, build 91.
2003-08-05: * Added patch to set REUSESOCKET when creating the listening socket. This prevents the annoying 'can not bind' error. Thanks to Rick Cooper.
* Added reverse hostname resolution to email notification plugin.
* Added support for NetScreen firmware version 4 (with the option to support other versions later. During initialization, the NetScreen plugin will probe for the version of the configured NetScreen). Thanks to Christopher Lyon.
* Updated Snortsam sources and binaries to version 2.21 in CVS, FTP and web site.
2003-06-07: * Thomas Maier found and fixed a bug in the Watchguard plugin.
* Updated Snort™ binaries (Snort™ 1.9.1 at build 234, and Snort™ 2.0.1 at build 86).
* Changed IPtables plugin to block on FORWARD and INPUT tables. Also, the block is now silent (DROP) instead of a REJECT. Furthermore, an option to save the tables as been implemented. This option is disabled by default. Please set the #define if you want to enable it and recompile Snortsam (this option is not fully tested yet). Thanks to Rick Cooper for these additions.
* Updated Snortsam sources and binaries to version 2.19 in CVS, FTP and web site.
2003-04-19: * Modified plugin patch slightly for Snort™ 2.0. Added 2.0-plugin source tree and added Snort™ 2.0 binaries.
* Update Snort™ 1.9 binaries to build 234.
2003-04-13: * Fabrizio supplied a small README for the iptables plugin.
* Also, Fabrizio noticed that long block intervals can be preempted by shorter block intervals. I added some logic so that long blocks are not preempted, but still extended if the new expiration time would surpass the old expiration time. Uploaded new version (2.18) of sources and binaries.
2003-03-29: * Jim Andrews reported that SnortSam throws an error during compilation under Linux (complaining about the IPfilter plugin). Corrected #ifdef's and uploaded sources and binaries (now 2.17) even though no features were added (just for versioning purposes...)
2003-03-23: * Fabrizio Tivano supplied an IPtables plugin. Documentation is forthcoming. Feedback on the performance of the plugin is appreciated.
* I made a couple changes to Erik's ipfilter plugin. It now uses the Checkpoint like syntax to block only incoming, only outgoing, both directions, or only the current connection (IP/service). This functionality should also be added to other plugins. (I'll get to those later. Plugin writers are encouraged to make the changes themselves. Use the ipfilter plugin as example.)
* When SnortSam extends a block (repeated block after 'skip-repetitive' period and before expiration) it used to just block again. While this concept is correct for firewalls that time-out themselves, other did not need this double-block (i.e. ipfilter and co.). SnortSam will now skip a double block for firewalls that don't expire blocks themselves.
* Uploaded sources of new version 2.16 to CVS and FTP, and updated the binaries for FreeBSD, Linux, Windows, and Solaris.
2003-03-09: * Thomas Maier supplied the WatchGuard plugin. It uses the fbidsmate program to initiate blocks on Firebox firewalls.
* Added the capability to provide a user name and user password for login to the PIX. Until now the PIX plugin only used a telnet password. If the PIX is configured for RADIUS or TACACS authentication, it also prompts for a username, which can now be supplied. The first parameter (usually telnet password) has to be <username>/<password>. In other words, if a / is present in the first parameter, SnortSam will use the halves for user name and password.
* Added ability to specify a SENDER address for the email plugin. Just add the sender behind the recipient in the config file.
* Uploaded new sources to CVS and FTP as well as binaries for FreeBSD, Linux, Windows, and Solaris.
* Updated Snort™ binaries to version 1.9.1, build 233.
2003-02-23: * Updated Snort™ 1.9 binaries for Windows, FreeBSD, and Linux to build 230.
2003-02-09: * spo_alert_fwsam from the plugin has been modified such that it is possible to use an etc/ file to specify the blocking options instead of the fwsam: option in the rules. The syntax is:
For example:
    1023: src, 15 min

Alternatively, you may use a | (pipe) instead of a : (colon). You can specify options in both places (rules and file), but the sid file takes priority. The file has to be in the same directory as the other Snort™ config files (i.e. Binaries with this modification will be released shortly.

* Also, from now on the Snort™ 1.8 version will not be actively maintained anymore. Everyone should be using 1.9 by now. Snort™ 2.0 will be supported once it is released.
2003-02-06: * Updated Snort™ 1.9 binaries to build 228.
2003-01-15: * Andre Vink noticed that netmasks that don't fall on even boundaries (i.e. 0, 8, 16, 24, 32) seem to be messed up. Indeed, the netmask tables for little-endian systems was way off. Corrected netmask values, and it seems to be fixed.
* Also, I changed the parameter declaration in the *_block functions to void. The data pointer now gets casted right after the NULL check. That finally got rid off all those annoying compilter warnings. Updated CVS, FTP, web with new source and binaries (as usual).
2003-12-24: * Hector Paterno supplied an IPchains plugin. Uploaded new sources and new binaries.
* I have started to rewrite the documentation. The new files are committed to CVS and uploaded to FTP. The 'Documentation' on the website will be updated soon. (Actually, I may completely redesign the site...we'll see...)

Merry Christmas!

2003-11-17: * Changed build script to make it more compatible. This also fixes an issue with compiling and running SnortSam under RedHat 8.0.
2002-11-16: * Added a plugin for OpenBSD's packet filter (pf). Many thanks to Hector Paterno for writing it. From what I hear, he's working on IPtables now. Go Hector!
* Updated patch script to add the snortsam plugin into Snort™. The util.h issue and that unimportant (but annoying) reject file have been solved.
* Added new option for the SnortSam config file. 'nothreads' will now cause SnortSam to run single-threaded. The pthread library is still required for compilation, but no thread functions are being called. That means it behaves like the old SnortSam version 1, which has now reached the end of its life. If you have to use the single threaded version for some reasons, please try version 2 with the 'nothreads' option and let me know how it works.
* Thomas Maier has supplied a Watchguard plugin. We still need to iron out some details, but hope that we can release it soon. Stay tuned.
2002-11-03: * Two mail lists for SnortSam have been set up. Please see the instructions on the Mail List page.
* Updated README for the Netscreen plugin.
2002-10-26: * Lot's of news: First off, SnortSam can now block on Netscreen firewalls. Many thanks go out to Christopher Lyon for the concept, a draft readme (We'are working on better documentation), and for letting me use his systems to test this. The SnortSam config file statement is: netscreen <firewall-ip> <login-id> <login-pw> <optional-group-name>. I suggest you read the readme.netscreen first since you will have to setup a group that you need to configure in your policy for a complete block. SnortSam will add and remove IP address to/from this group.
* Erik Sneep has written a plugin for IPFilter. I had planned a generic script plugin to block on other Unix firewalls (pf, ipfw, iptables, etc) as well, but Erik beat me to it and made blocking on ipf possible today! Thanks!
* Also, many thanks to Paul Knibbs from down-under. With his help we found a few bugs still lingering around the OPSEC plugin, and an issue involving the fwsam method on big-endian systems.
* Part of the fix for OPSEC is a change in threading. SnortSam now has three threading modes for plugins: Multi-threaded (where plugins run simultaneously, processing its devices in parallel), single-threaded (where plugins still run simultaneously, but process devices sequentially), and non-threaded (where the plugin runs within the main thread, processing its devices sequentially). The last one was required for OPSEC. That means OPSEC will slow SnortSam down a bit. I'm planning on moving the network handling routines into its own thread, that should speed things up again... Anyone still running version 1 for threading reason is encouraged to try version 2.
* The next item planned is work on documentation. I'm planning on creating seperate README.<plugin> files and provide better configuration examples.
* The Snort™ plugin has changed as well. There is no longer a 1.8 and 1.9 version. Since there were still issues running the patch (especially patching the make files), I hacked up a script that figures out which version of Snort™ is present, and it fixes the make files much cleaner (by running sed over it a few times :)
* New sources for Snortsam v.2 have been uploaded as well as binaries for Linux, FreeBSD, and Windows. Solaris is coming shortly.
2002-10-17: * I didn't expect to find the bug for the issue mentioned below so quickly. Maybe I jumped the gun on the recall, but I rather pull something that doesn't work at all, instead of leaving it on the page. Anyhow, the recall has been cancelled. A new version of the multi-threaded edition is available now. The new version is 2.9. Sources on FTP and CVS have been updated, and new binaries for Linux, Windows, and FreeBSD have been compiled and uploaded.
* I also updated the single-threaded version to During the startup of SnortSam, there was no reporting of unblock events when the white-list was checked against the state file containing blocked hosts. Now log messages as well as messages on the screen are given when a host has been unblocked after being added to the white-list. Source and binaries have been updated.
2002-10-16: * It has come to my attention that SnortSam doesn't block anymore on Checkpoint. I'm officially recalling the 2.x version now. Please use the single-threaded version instead. Once the issue with 2.x is figured out, I'll be uploading binaries again and let you know on this page. It may take a bit as I'm currently pretty busy with regular work. Thank you for your understanding.
2002-10-14: * The patches for the Snort™ plugin have now also been included in Ben Feinstein's Snortenstein, which is a patch-o-matic system for Snort.
2002-10-13: * In Cisco ACL plugin, removed the system call to rename the file, and used rename() instead. (Hopefully the bug reported by James in New Zealand is history)
* Vincent Corriveau reported that the SnortSam plugin in Snort™ can only be initialized once. That prevented someone from using alert_fwsam in two different rule types. This has been fixed. You can now create as many rule types with alert_fwsam as you want. You can even specify different SnortSam hosts. For example, the rule type 'blockext' can contain only the SnortSam host for the external firewall, and the rule type 'blockall' can contain all firewalls/SnortSams. (Note: Even though a SnortSam host may be listed twice, it is only checked-in once during Snort™ startup)
* Craig Gill had a suggested to have SnortSam validate the state file upon startup against the white-list (dontblock's). SnortSam will now check if a white-listed host is present in the state file (as it would be the case if it got blocked, and you decided to add it to the white-list). If it finds a white-listed host blocked, it will unblock it during startup. SnortSam will now keep a state file regardless of plugins used. If you like to avoid the state file (in case where you don't use a plugin that needs SnortSam to expire the block), you can add the statement 'avoidstatefile' to the config.
* With all those changes, new sources of SnortSam (2.8 for multithreaded, for the old single threaded version) as well as the binaries for Windows, Linux and FreeBSD have been uploaded.
* Also, new versions of the Snort™ 1.8 and Snort™ 1.9 plugins (source + patchfile) as well as the binaries for Windows, Linux and FreeBSD have been uploaded.
... now the next item is the NetScreen plugin. Hang on, Chris, I'll get to that soon....
2002-09-26: * James and Ali found an error in the Cisco ACL plugin where it would not rename the temp file under Windows. This should be fixed now.
* The SnortSam CVS tree has now a new branch. This branch is for version 1 and contains patches against it. The branch is named 'v1'. You can check out the patched version 1 code by using '-r v1' in your CVS command.
* With this branch there, I back-ported a lot of fixes, cosmetics, and code clean-up from version 2 back into version 1. I'm not planning on supporting version 1 indefinetely, but until all quirks are worked out of version 2, I'm keeping version 1 patched.
* That said, new source (v 2.6 and v as well as binaries for Windows and Linux have been uploaded (FreeBSD will come later today).
* Whoa... Look like the Windows version is messed up. I'm pulling it and will be replacing it shortly. Sorry about that.
* It appears that there are problems with stdout/stderr under Windows. Thanks to Vincent Corriveau for pointing this out. Uploaded new Windows and Linux source and binaries.
2002-09-21: * Created a patch for Snort™ 1.9 that adds the Snortsam plugin. Compiled binaries for Linux, Windows, and FreeBSD.
* Reorganized the FTP site for clear representation of the old version 1 of SnortSam (single-threaded), the new version 2 (multi-threaded) as well as the plugins for Snort™ 1.8 and Snort™ 1.9.
2002-09-18: * Jason Hershcopf noticed that the Solaris binaries weren't linked correctly. Thomas supplied new versions for Solaris.
2002-09-17: * Thomas Maier supplied binaries for the Solaris platform (v. 2.3).
* Vincent Corriveau noticed that the ZIP files for the compiled Windows version are corrupt. Uploaded ZIPs again.
2002-09-16: * Fixed a timout issue in the fwsam module (now v. 2.1). Also, changed plugin handling so that plugins, that timeout themselves (e.g. fwsam, opsec), don't get called on unblock request. Uploaded new version (v. 2.3) and binaries for Linux, FreeBSD and Windows.
* My personal email address has changed to Please make a note. will remain active for while though (or send me an email at my other 23
2002-09-12: * Thomas Maier supplied binaries for the Solaris platform (v. 2.2).
2002-09-11: * Thomas Maier supplied binaries for the Solaris platform (v. 2.1).
* Paul Knibbs reported that 'fwexec' no longer works. This was caused by the lack of a data structure in the fwexec handling and the plugin launcher omitts plugins without data. This problem is fixed now. Windows, Linux and FreeBSD binaries of version 2.2 have been uploaded.
2002-09-10: * IMPORTANT BUG FIX! Loic Lariven reported that the PIX plugin does not unblock (using 'no shun') anymore in version 2. I'm embarrassed to say that this is correct. An oversight in the upgrade to V.2 fuxored a pointer to the block/unblock flag in the PIX-Block routine. This is fixed now in 2.1. PLEASE UPDATE SNORTSAM TO 2.1!
* Since the output plugins are now running in seperate threads, the timeouts for email, PIX and Cisco routers have been increased slightly. That allows for more processing time on those devices without holding up SnortSam itself.
* Uploaded new source and binaries (SnortSam v. 2.1) for Window, Linux, and FreeBSD.
* Thomas Maier supplied binaries for the Solaris platform (v. 2.1).
2002-08-11: * SnortSam version 2.0 has been released. There aren't new plugins in it yet, but one important change has been made, and I believe that change justifies a major version increase. SnortSam is now multi-threaded! That means that all output plugins are now executed simultaneously! The email plugins runs at the same time the fwsam plugin does. Also, if more than one firewall or router is specified, all these devices run at the same time.
The only exception is the OPSEC plugin since it in itself is multi-threaded. While it is executed in parallel to the other plugins, each defined OPSEC device runs sequentially. I'll be taking a closer look at that plugin and see if it can't communicate with the devices in a multi-threaded fashion.
* In regards to the problem Dave Robinson reported, it may be related to XP. I have not been able to reproduce his problem under W2K or Linux. Also, Michael Greene reports success under XP. If you are using SnortSam under XP, please let me know how it works out for you.
* Thomas Maier supplied recent binaries for the Solaris platform (version 2.0 and 1.45).
2002-08-07: * Michael Greene observed that newer PIX versions present a 'password' prompt, not 'passwd' anymore. Changed handling in PIX plugin (now v. 1.6) and uploaded new version of SnortSam (1.45) incl. binaries for Windows, Linux and FreeBSD.
* Dave Robinson observed a similar behaviour. I'm waiting for his packet traces to see if that's the same problem.
* Changed file format for Linux and FreeBSD. The tar file is named by function (opsec lib or straight fwsam) and version, but the file contains 'snortsam' or 'snortsam-debug', the executable. This is to avoid confusion about weather the gzipped file is an archive or the executable.
2002-07-30: * Marco reported that blocking via fwsam doesn't work anymore. Somewho (probably during cleanup) a value in the fwsam packet array got changed. Fixed that and uploaded new version of SnortSam (1.44) and binaries for Windows, Linux and FreeBSD.
2002-07-27: * Updated Snort™ plugin to Snort™ version 1.8.7 build 128. Updated makefiles and binaries for Windows (i386), Linux (i386), and FreeBSD (i386).
* Created a PATCH file for *nix users to simplify adding the plugin into Snort™.
2002-07-05: * Ali Basel supplied a new version of the Cisco ACL plugin. It now supports uploading of router ACL's using FTP, RCP or TFTP. Please read the readme.ciscoacl for more info. Also, cleaned up the code a bit. gcc -WALL should complain less now. New plugin version 1.10, new SnortSam version 1.43. Uploaded binaries for Linux and Windows.
2002-06-13: * Corrected wrong unblock time in email notification. New plugin version 1.3, new SnortSam version 1.42. Uploaded binaries for Linux and Windows.
2002-06-12: * Ali Basel supplied a bug-fix for the Cisco ACL plugin (leading spaces were confusing the ACL). New plugin version 1.8, new SnortSam version 1.41. Uploaded binaries for Linux and Windows.
2002-06-09: * Enhanced log output on screen, log file and email. New version 1.40, uploaded binaries for Linux and Windows. Next planned item is Eventlog and syslog logging.
2002-06-05: * Argh... forgot to remove an ifdef yesterday. Uploaded corrected ACL plugin (v1.7). Uploaded new binaries for Windows and Linux (1.39).
2002-06-04: * Reverted to Ali's version of cr/lf handling (v1.6). Uploaded new binaries for Windows and Linux (1.38).
2002-06-03: * Fixed a problem in Cisco plugin that I caused, not Ali. My sincere apologies. I suggest ra and wa instead of rt and wt for files... New versions (1.37) uploaded.
2002-06-02: * Added Email Notification plugin. SnortSam can send email to alert you when it blocks IP's. New version is 1.35. Windows and Linux binaries have been uploaded.
* Also, added the statement DISABLESEQNOCHECK to disable sequence number checking and thus avoiding the seqno-error and forces re-sync. SeqNo violations are currently not punished, but it was planned to do so to improve security. This option lets you turn if off.
* Updated Snort™ plugin: Removed requirement for ENABLE_SNORTSAM (if you don't want SnortSam, just don't download this :) Also, added HOLD functionality where SnortSam canput Snort™ on hold. This is only recommended for testing purposes, and for Barnyard which is planned for the near future. Uploaded Windows and Linux binaries of Snort™, version 1.8.7, build 123.
* Also uploaded new SnortSam version (1.36) with HOLDSNORT statement, and Windows and Linux uploaded binaries.
2002-05-25: * Added additional bugfixes from Ali Basel to new version (v.1.3) of the Cisco ACL plugin.
* Also, fixed a problem with temp file rename under Windows. Uploaded sources, Windows and Linux binaries (v.1.33).
* Argh... corrected an oversight in the fix. New versions have been uploaded (v.1.34).
2002-05-19: * Implemented a workaround for endian issue in the network mask handling (the bug reported by Thomas Maier).
* Ali Basel supplied bugfixes in his new version (v.1.2) of the Cisco ACL plugin. Uploaded sources, Windows and Linux binaries (v.1.32).
2002-05-16: * Found a bug in the sendreceive function in the PIX plugin (thanks to Robert Graham). Uploaded corrected sources, Windows and Linux versions (1.31).
* Also, Thomas Maier reports a problem with incorrect DONTBLOCK checks under Solaris, and I'm suspecting that to be another endian problem. I'm currently hunting for that. Stay tuned.
2002-05-06: * Looks like we're on a roll in regards to new plugins. In version 1.30, Ali Basel created a plugin for SnortSam that let's it block IP's on Cisco Routers by modification of the Access Control Lists. Great job! (This code is currently beta! Please report any problems to Ali at
* Changed logging calls a bit.
* The config file defaults have been changed. If Snortsam is given a parameter, it will use that for the config file to read. If none is given, it used to default to snortsam.cfg for all platforms. This change will use snortsam.cfg on Windows platforms, and /etc/snortsam.conf on Unix and other platforms.
2002-04-28: * Cleaned a few compiler warnings. Those were more typos than bug fixes. Uploaded new Windows and Linux binaries of SnortSam.
2002-04-27: * Finally! The Cisco PIX plugin has been added to version 1.28. Also, to support this, added state tracking functionality so that Snortsam can expire blocks itself.
The syntax in the config file is: pix ipaddress telnetpassword enablepassword
Many thanks to Aaron Carr for letting me use his systems to develop and test this plugin.
* Updated Windows binaries for Snort™ to version 1.8.7, build 113.
2002-04-24: * Updated Windows binaries for Snort™ to version 1.8.7, build 111.
* Found a bug in AlertFWsam (Snort™ plugin) that got introduced with stream4 (otn_tmp was NULL and the plugin didn't check for that). Uploaded updated binaries and source files. Plugin version is now 1.11.
2002-04-23: * Fixed a bug in the endian detection. Marco tested all endian combinations and the IP address is reported correctly now. Looks like endian issues are finally worked out.
* Marco Supino supplied latest Linux and Solaris binaries (v1.24).
* Changed Windows Project File to create an OPSEC version (with Checkpoint SDK libs) and a FWSAM version (native opsec packet, no SDK overhead). Uploaded Windows binaries (v1.25).
* Added 'cmd /c' to system call for fwexec method under Windows, uploaded revised binaries (v1.26)
2002-04-18: * Patrick Morris had reported that endian issues were cropping up again. I updated the SnortSam packet structure to allow for an automatic check of the endianess of a system. Hopefully these endian issues are a thing of the past now.
You need to update both, the Snort™ plugin and SnortSam, due to the packet format change. New Windows binaries have been uploaded. I'm still waiting on Linux and Solaris binaries. I'll upload them as soon as I get them.
2002-04-15: * Oops... uploaded wrong binaries during last update. Corrected error and uploaded latest Snort™ binaries (v 1.8.6, build 107).
2002-04-13: * Updated Snort™ binaries with latest version (v 1.8.6, build 107).
2002-03-30: * Added statements to snortsam.h for smoother compile under Linux and Solaris.
* Marco Supino supplied Linux binaries for SnortSam (release and debug versions, with and without OPSEC libraries).
2002-03-24: * Replaced sleep() with usleep() (On Win32, sleep waits in ms, but not under other platforms).
* Fixed a potential buffer overflow bug in config file parser.
* Uploaded latest SnortSam and Snort™ binaries.
2002-03-15: * Marco Supino supplied the latest version of the Solaris executables. They came in two flavors: With the OPSEC API libraries from Checkpoint and without (using native fwsam packet). The files are available on the Download page.
2002-03-12: * Corrected an issue in the fw sam command line in the FWEXEC plugin, found by Marco Corte.
2002-03-06: * Fixed and committed an endian related issue found by Marco Supino that only affected the display of IP's on Solaris.
2002-03-03: * Converted old fwexec method to be a plugin.
* Removed left-over S_un's for compatibility.
* Added define for conditional OPSEC inclusion.
* Fixed left-open socket on exit via signal.
* Uploaded Solaris binaries of SnortSam v1.16 including OPSEC. Thanks to Marco Supino for compiling these.
2002-01-13: * Updated executables with latest Snort™ version from Snort™ CVS tree (Snort_1_8 branch / Jan 13th, 2001 / Build 90).
2002-01-02: * Okay, SnortSam works like a charm on Checkpoint NG (Next Generation). You can use either the OPSEC plug-in or the old FWSAM method (which is slightly faster).
However, in order to get the clear-text SAM requests to work on NG, you have to make one change. On Firewall-1 4.0 and 4.1 (all SP levels), you only need the line sam_server port 18183 in the fwopsec.conf file. Firewall-1 NG requires the following in fwopsec.conf:
sam_server auth_port 0
sam_server port 18183

For some reason it requires the line with port 0 to activate SAM sessions in clear-text. After the change, restart the FW-1 daemon/service and it will accept SAM requests from SnortSam.
I'll update the documentation shortly.
2002-01-01: * Changed logging behaviour of OPSEC plugin a bit.
* SnortSam (actually the OPSEC SDK library) under Win32 now requires MSVCRT.DLL (and MSVCRTD.DLL for the Debug version). Made those files available via FTP and added to Download page.
2001-12-31: * The second plug-in has been added. It is the OPSEC integration using Checkpoints OPSEC SDK. The next planned plugin allows for blocking on Cisco PIX firewalls. Also, Cisco router ACL config is planned.
OPSEC plug-in source code for SnortSam is now available from the Download page.
NOTE: If you need/want to compile the source yourself, you will need to download the OPSEC SDK from Checkpoints web site. Use the newer SDK for NG (Next Generation). DO NOT USE THE OLDER 4.1 SDK! There are three versions: Windows, Solaris, and Linux. Pick your platform and extract the files into a subfolder called OPSEC under your snortsam source folder. The path should be snortsam/opsec/lib and snortsam/opsec/include. You may need to adjust the path a bit yourself.
The VC++ Project file does include the OPSEC libraries. As there are no make files for other platforms available yet (but hopefully coming soon), you will need to construct your own make files. You need to link the snortsam.o, twofish.o, and ssp_opsec.o files together with the libraries in the OPSEC SDK (as well as your default libraries). I hope to have someone upload make files for other platforms shortly.
You also need to replace the fwsam statement in your snortsam.cfg file with the following:
opsec opsec.conf
The opsec.conf file is included. You need to modify it to reflect the IP address of your firewall (if SnortSam runs on the firewall, leave the address at Note that you can add more than one opsec <file> statement if you want to block on more than one firewall (you need to have seperate opsec.conf files for each firewall).
* The OPSEC method is an alternative to the native FWSAM method. FWSAM works faster on 4.x firewalls, but may not work on NG.
* I'll work on the documentation later. Right now... it's New Year's party time!
2001-12-06: * Updated executables with latest Snort™ version from Snort™ CVS tree Dec 6th, 2001.
* Updated make and config files in FTP and CVS with latest Snort™ versions from Snort™ CVS tree Dec 6th, 2001.
2001-12-02: * Updated SnortSam: Corrected the correction for the endian bug (grrr...).
* Also, added plug-in structure to support blocking code for other firewalls (Cisco is planned). IMPORTANT: YOU NEED TO ADD THE FOLLOWING TO YOUR EXISTING SNORTSAM.CFG FILE:

Above assumes you run SnortSam on the firewall itself (as required until now). You can also list additional firewall modules for the block to be executed.
2001-11-12: * Updated SnortSam: Corrected an endian bug in talktosam found by Bjoern Jansson (this only affected big-endian systems like Solaris).
2001-11-04: * Updated executables with latest Snort™ version from Snort™ CVS tree Nov 4th, 2001.
* Updated make and config files in FTP and CVS with latest Snort™ versions from Snort™ CVS tree Nov 4th, 2001.
2001-10-01: * Updated executables with latest Snort™ version.
* Updated make and config files in FTP and CVS with latest Snort™ versions.
2001-09-05: * Renamed snort CVS module to snort-plugin. Check out with cvs -d co snort-plugin
2001-09-03: * All files in the FTP tree and CVS tree have now been dos2unix'ed. That should make it easier on all you Unix folks out there.
2001-09-01: * Added include command in config file for nesting of files. Only one level of inclusion is currently supported (which should be enough).
2001-08-31: * Reports have come in that the TwoFish routines are now fully cross-endian compatible.
* Finished sequence number checking (update both, SnortSam and the Snort™ plugin).
* Extended log file format. It now lists: date, time, snort-IP, severity, message.
* spo_alert_fwsam.c/.h got corrupted in CVS. I need to restore these Tuesday. The FTP versions are fine.
2001-08-30: * Bjorn Jansson reported that the TwoFish routines still don't work across different platforms. So far I found a compiler dependent problem (where something to the extend of *p++ |*p++ | *p++ did not produce the intended results). To all you folks having encryption problems across different platforms, please give the updated source a try. Only TwoFish.c has been updated. Binaries will be updated later today.
2001-08-27: * Michael Boman added --enable-snortsam (and ENABLE_SNORTSAM) conditional compiler statements (just like for MySQL and FlexResp). Changes affect the compile and make files as well as an IFDEF in plugbase. I added the ENABLE_SNORTSAM to the snort.dsp file (for MS VC).
* Andrea Medici reported compiler errors due to sockio.h not found. Removed the include. Please let me know if this is required on a particular platform.
2001-08-25: * Changed TwoFish routines: They should now be fully compatible across different endian platforms.
* Changed packet assembly routines (did away with FixEndian). That means the packet format is slightly different (packet version number has changed). BE SURE TO UPDATE/RECOMPILE BOTH SNORTSAM AND SNORT™!
2001-08-20: * Changed comments from // to /* */. Removed pragma's. IFDEF'ed closesocket and ioctlsocket (thanks to Tony Nelson).
* Extended duplicate block skip check mechanism into user definable field (default buffer for 10 hosts, ignores duplicate blocks within 10 secs. See readme.txt for adjusting these values).
2001-08-19: * Added logfile support (keywords logfile and loglevel, see readme).
* Added includes for (hopefully) smoother compile under Unix (thanks to John Amsden).
2001-08-19: * Fixed a small bug where vars in main were defined within the ifdef WIN32 by mistake.
* Fixed a stupid bug in the CPpacket assembly. Duration was set with wrong endian format. It's now using >>'s to set correct time.
* Ahem... corrected an oversight in CPpacket assembly. Also, moved winsock.h into ifdef and scrapped conio.h so Unix doesn't complain on compile (snortsam and Snort™ plugin).
* Added SOCKET definition for Unix source.
2001-08-18: * Added 'Repetitive Block Prevention' to Snort™ plugin. It checks the last 10 events within 10 seconds. If identical packets are found, Snort™ will skip sending a block (since that request has already been sent). This improves performance quite a bit.
* Windows version of Snort™ has been recompiled with latest CVS sources.
2001-08-16: Created web site with the latest sources and files.

© Copyright 2001-2014 Frank Knobbe. All rights reserved.
Snort and Sourcefire are registered trademarks of Sourcefire, Inc.