[Snort-users] snortsam : snort + CheckPoint FW

Frank Knobbe FKnobbe at ...649...
Wed Oct 3 10:45:01 EDT 2001


> -----Original Message-----
> From: David Bouscasse [mailto:bouscasse_david at ...1855...]
> Sent: Wednesday, October 03, 2001 3:43 AM
> As I didn't see any references to this snort plugin
> for checkpoint FW1...
> URL : http://www.snortsam.net/index.asp
> Author : Frank Knobbe 
> Cheers,
> David


Actually it had been announced here as well, but I don't mind seconds.

Anyway, just wanted to give everyone an update (just like Marty did

* By end of Oct: I'm currently engaged in a long project and won't be
able to code much until the later part of this month. But by end of
October I should have support for the normal OPSEC library (for those
platforms that a library is available for). This OPSEC library is to
fully comply with Checkpoint's standard. As you know, Snortsam
currently assembles its own OPSEC packet (which is actually faster,
but is limited to clear text).

* Sometime November: As part of that integration, I'll be changing
the blocking code to make it more modular. I'm envisioning a blocking
system that can take on any firewall. People have expressed interest
in Cisco ACL on-the-fly-rewrites and IPtables/chains/filters.

* Shortly thereafter: Since these other blocking modules do not
perform their own timeouts, a main loop will need to be rewritten so
that SnortSam itself can expire blocks (i.e. for Cisco ACLs

* During that process: We'll be giving the option of using UDP
instead of TCP. Personally I don't think that's a good idea, but
folks were asking for it. (Michael, we need to talk about this some
more ;)

* Sometime later: Current communication between snort and snortsam is
TwoFish encrypted. The crypto was provided in source to make it
easier to move across platforms. However, we are planning on
supporting a crypto library to give users the choice of algorithm.

So, sometime in November, anyone interested should be able to
contribute with their own firewall blocking code (i.e. code for
time-based IPfilter blocks). Another announcement will be made end of this


PS: Thanks to Marty for letting me use the snort mail list for
snortsam announcements ;)  I'll be setting up a snortsam announcement
list soon.
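The design Frank sketches in the second and third bullets, a pluggable blocking backend plus a central loop that expires blocks because Cisco ACL and iptables entries cannot time themselves out, as an added example. This is illustration code written for this page, not SnortSam's own code and not its plugin API; the class names (BlockManager, IptablesModule, CiscoAclModule), the whitelist check, and the RFC 5737 test addresses are all assumptions, and the backends only render the commands they would issue rather than executing anything.

```python
"""Added example (not SnortSam code): a central block table with expiry
that drives backends which know nothing about time."""
import heapq
import ipaddress
import time
from typing import Dict, List, Tuple


class FirewallModule:
    """Pluggable backend interface: add or remove a block, nothing else."""

    def block(self, ip: str) -> None:
        raise NotImplementedError

    def unblock(self, ip: str) -> None:
        raise NotImplementedError


class IptablesModule(FirewallModule):
    """Records the iptables commands it would run (hypothetical backend)."""

    def __init__(self) -> None:
        self.commands: List[str] = []

    def block(self, ip: str) -> None:
        self.commands.append(f"iptables -I INPUT -s {ip} -j DROP")

    def unblock(self, ip: str) -> None:
        self.commands.append(f"iptables -D INPUT -s {ip} -j DROP")


class CiscoAclModule(FirewallModule):
    """Keeps a deny list and rewrites a whole extended ACL from it
    (the 'ACL on-the-fly rewrite' idea; hypothetical backend)."""

    def __init__(self, acl_name: str = "snortsam") -> None:
        self.acl_name = acl_name
        self.denied: List[str] = []

    def block(self, ip: str) -> None:
        if ip not in self.denied:
            self.denied.append(ip)

    def unblock(self, ip: str) -> None:
        self.denied.remove(ip)

    def render(self) -> List[str]:
        lines = [f"ip access-list extended {self.acl_name}"]
        lines += [f" deny ip host {ip} any" for ip in self.denied]
        lines.append(" permit ip any any")
        return lines


class BlockManager:
    """Central block table. The manager, not the backend, owns lifetimes.
    The whitelist is an added safeguard (an assumption, not from the post):
    a spoofed alert must never get the IDS's own infrastructure blocked."""

    def __init__(self, modules, clock=time.monotonic, whitelist=()) -> None:
        self.modules = list(modules)
        self.clock = clock  # injectable so expiry can be tested offline
        self.whitelist = [ipaddress.ip_network(w) for w in whitelist]
        self.active: Dict[str, float] = {}        # ip -> expiry timestamp
        self._heap: List[Tuple[float, str]] = []  # (expiry, ip), min-heap

    def block(self, ip: str, seconds: int) -> bool:
        """Block ip for `seconds`; a repeat block only extends the expiry."""
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in self.whitelist):
            return False
        expiry = self.clock() + seconds
        if ip in self.active:
            self.active[ip] = max(self.active[ip], expiry)
        else:
            self.active[ip] = expiry
            for m in self.modules:
                m.block(ip)
        heapq.heappush(self._heap, (self.active[ip], ip))
        return True

    def expire(self) -> List[str]:
        """One pass of the main loop: unblock everything past its expiry."""
        now = self.clock()
        removed: List[str] = []
        while self._heap and self._heap[0][0] <= now:
            expiry, ip = heapq.heappop(self._heap)
            if self.active.get(ip) != expiry:
                continue  # stale heap entry: block was extended or already gone
            del self.active[ip]
            for m in self.modules:
                m.unblock(ip)
            removed.append(ip)
        return removed


def demo() -> dict:
    """Drive the manager with a fake clock and constructed sample addresses."""
    now = [1000.0]
    ipt, acl = IptablesModule(), CiscoAclModule()
    mgr = BlockManager([ipt, acl], clock=lambda: now[0],
                       whitelist=["192.168.1.0/24"])
    mgr.block("203.0.113.7", 30)      # constructed attacker address
    mgr.block("198.51.100.9", 60)     # constructed attacker address
    mgr.block("192.168.1.5", 30)      # whitelisted: ignored
    now[0] += 31
    first = mgr.expire()
    now[0] += 30
    second = mgr.expire()
    return {"first": first, "second": second,
            "acl": acl.render(), "cmds": ipt.commands}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The heap holds one entry per block call and the table holds the authoritative expiry, so extending a block never requires searching the heap: the older entry is simply skipped when it surfaces. Calling `expire()` from the service's main loop (or from a timer) gives every backend, including ones with no notion of timeouts, the same time-based semantics.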


