====== Сервис SNORTSAM ======

  * [[http://www.snortsam.net/|Старый сайт]]
  * [[https://github.com/firnsy/barnyard2/blob/master/doc/README.snortsam|barnyard2 github snortsam]]
  * [[https://github.com/blox-org/snortsam|github blox snortsam]]
===== Установка пакета =====

==== FreeBSD ====
<code>
# pkg install snortsam

# more /usr/local/share/doc/snortsam/README.conf

# cd /usr/local/etc/snortsam/
</code>

==== Debian/Ubuntu ====

Не поддерживается

===== Базовая конфигурация =====
<code>
# cat snortsam.conf
</code><code>
daemon
nothreads
accept 127.0.0.1
defaultkey secret
logfile /var/log/snortsam.log
</code>

===== Настройка блокировки =====

==== netfilter ====
<code>
gate# cat snortsam.conf
</code><code>
...
iptables eth1 log
</code>

==== ipfilter ====

  * [[Сервис Firewall#FreeBSD ipfilter]]

<code>
# cat snortsam.conf
</code><code>
...
ipf em1
</code>
==== ipfw2 ====

[[http://www.lissyara.su/articles/freebsd/security/snort/]]

<code>
gate# cat snortsam.conf
</code><code>
...
ipfw2 em1 1 2
#   With tables rules like:
#              00010 deny ip from any to table 1 via em1
#              00011 deny ip from table 2 to any via em1
fwexec /sbin/ipfw
</code>

==== cisco router acl telnet ====

В случае использования aaa new-model требуется пользователь c priv-lvl = 1

<code>
server# cat snortsam.acl
</code><code>
conf terminal
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any host 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
</code><code>
server# cat snortsam.conf
</code><code>
...
# ciscoacl 192.168.X.1 user1/tpassword1 cisco /usr/local/etc/snortsam/snortsam.acl
# ciscoacl 192.168.X.1 cisco cisco /usr/local/etc/snortsam/snortsam.acl
</code>

==== cisco router acl tftp ====

=== Настройка ===
<code>
server# cat /tftpboot/snortsam.acl
</code><code>
no ip access-list extended ACL_FIREWALL
ip access-list extended ACL_FIREWALL
 snortsam-ciscoacl-begin
 snortsam-ciscoacl-end
 permit tcp any host 192.168.X.10 eq www
 permit tcp any host 192.168.X.10 eq 22
 permit ip any 172.16.1.X
 permit icmp any any
 permit udp any any
 permit tcp any any established
 deny   ip any any log
end
</code><code>
server# cat snortsam.tftp
</code><code>
copy tftp://192.168.X.10/ running-config
</code><code>
server# cat snortsam.conf
</code><code>
...
# ciscoacl 192.168.X.1 cisco cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
# ciscoacl 192.168.X.1 student/tacacs cisco snortsam.acl|/usr/local/etc/snortsam/snortsam.tftp
</code>

=== Запуск ===

<code>
server# cd /tftpboot/

[server:/tftpboot] # snortsam /usr/local/etc/snortsam/snortsam.conf

server# cat /usr/local/etc/rc.d/snortsam
</code><code>
...
cd /tftpboot/

run_rc_command "$1"
</code>

==== cisco router null route ====
<code>
server# cat snortsam.conf
</code><code>
...
cisconullroute 192.168.X.1 student/tacacs cisco
</code>

===== Запуск snortsam =====

<code>
[server:~] # service snortsam rcvar

[server:~] # service snortsam start
</code>


===== Подключение Snort к Snortsam =====

  * [[Сервис BARNYARD2]]