[Snort-users] Snort and FW-1 (was ISS - Cheaper alternatives?)

Frank Knobbe FKnobbe at ...649...
Mon Nov 20 20:38:47 EST 2000

Hash: SHA1

Wow... I didn't expect that many inquires about the scripts I
mentioned. The original posting was:

> You can use SNORT, it's for free, but I don't think that it 
> is integrated
> with Firewall-1.

Okay, so here they are. BTW: This posting is going to the Firewall-1
list and the Snort-Users list. The attached batch files are in clear
text, so no huge amount of code is submitted to the list(s). Heck,
the total size of this email may even be shorter than some replies
(you know, those were they poster don't cut on the replied text and
footers... :)

Attached are two batch files. Please be gentle with me regarding
their names. A program called snort is just asking for this. *grin*

The first batch file is called SPIT.BAT. It will monitor the
ALERT.IDS log file of snort for changes, and if detected, it will
send those changes using cryptcat to the receiver batch file. The
reason for the implementation like this is simple. Since you will
most likely have multiple sensors deployed, you will also have
multiple spit batch files. All these report to a central receiver
batch file, called TISSUE.BAT, that is located on the firewall
management station. Also, using cryptcat, the data is encrypted so
that no one (without knowing the password) is able to send fake
blocking notifications. spit.bat is called with the name (or IP
address) of your FW-1 management station. Hard code it if you like.

There are a few requirements for spit.bat to work correctly:

1) You need to have the NT Resource Kit installed, or at least the
program SLEEP.EXE of it. It is used in a loop to wait a certain
period before checking the alert.ids file again (and to give NT some
clock cycles back during the wait).

2) You need CRYPTCAT.EXE. That is a modified version of NETCAT that
uses twofish encryption. You can pick it up at

3) Snort needs to be run with the '-A full' option to generate the
multiple line log entry. This is so that the batch file can quickly
retrieve the blocking value.

4) The batch file has to be launched in the snort directory. If you
want to spawn it from somewhere else, please modify the batch file to
reflect the appropriate file locations.

The snort ruleset needs to be modified like this:

alert tcp !$MYNET any -> $MYNET any (msg:"block_src=604800 - SCAN-SYN

Basically, the alert message needs to start with 'block_src=<time> '
(Note the space at the end) or 'block_dst=<time> '. <time> is a time
value in seconds (in this example here, a week). Also, keep it lower

block_src will block the source IP address. Some snort rules are
written like '$MYNET -> !$MYNET', in that case you want to use
block_dst in order to block the destination. Basically, you want to
block whatever is not your network. 

Instead of using a time value, you may also use the word 'perm' to
block the offender indefinitely. Be careful with this!

The second batch file (tissue.bat) has to be located in the /fw/bin
directory on the machine that has the Firewall-1 management piece
installed. It will receive incoming messages from the spit batch
files and configure FW-1 modules. The attached batch file assumes
that both management server and the firewall module are on the same
machine. If you have additional firewall modules, you may want to
enter additional fw statements. See 'fw sam' for details. tissue does
not require a parameter, however, if you run it with the '-v' option,
it will produce verbose output of the fw sam statement(s).

I don't think tissue needs any refinements. I will eventually compile
spit into a small executable in order to improve performance (Mike,
this is were the syslog packets with the Win32 port would come in
handy ;)

Yes, you have to go through the snort rules file and manually insert
these statements. Be careful where you do this. I don't recommend it
on high false positive rules since you can shoot yourself in the foot
with this. I recommend running spit without tissue for a while, or
otherwise monitor your rules before you let snort reconfigure the

Did I mention both batch files have to be running in order to work?
:)  The files were designed for NT systems, but I believe the concept
is clear and they could be easily ported to any Unix platform, maybe
Perl based.

When you look at the batch files you will notice the '-k MySecKey' in
the calls to cryptcat. You may (and should) the encryption password,
but needless to say, it has to be the same on all machines.

Firewall-1 will REJECT any filtered IP addresses, which results in
the transmission of a TCP-RST packet. I recommend changing FW-1's
behavior to DROP packets instead. Although we just had this question,
here again the procedure:

Edit the file CODE.DEF in the /fw/lib directory and scroll down to
the entries regarding the SAM. You will see two function definition
and shortly thereafter you'll come across the REJECT (followed by a
bracket). Just change that REJECT to a DROP and install your policy
again. Now all filtered addresses are filtered silently.

That's pretty much it. As with all free software, I do not support it
and hereby disclaim any warranties and liabilities. Use it at your
own risk.

I apologize for the size of the posting. Flame me offline if you need
to. Also, email me offline if you have any questions.

Best regards,

Version: PGP Personal Privacy 6.5.1
Comment: PGP or S/MIME encrypted email preferred.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: spit.bat
Type: application/octet-stream
Size: 1402 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001120/770a7ba7/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: tissue.bat
Type: application/octet-stream
Size: 720 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001120/770a7ba7/attachment-0001.obj>

More information about the Snort-users mailing list