Using Snort to update ACL on Cisco Router

Howdy All,

Does anyone have a good reference on the internet for configure snort to update the access-lists on a cisco router?

From the follwing design

ISP ----->---Cisco Router/Pix------Snort IPS----Network Segment LAN or DMZ

When snort recieves a packet that is of malicous nature, the idea is to generate an alert and based on the alert initate a script that automatically logs into the router (using a automatted SSH script) and ammends the access-list statement to deny that particular attacking host.

Thanks in advance dirk

Reply to
Loading thread data ...

Thanks for your response Walter,

i am going to attempt to script this from the Snort IPS (IDS) Server, and i am hoping that my script will work for Cisco PIX or Router (or atleast easily ported to the other). Problem is my scripting / snort skills are next to minimal (other than "therotical" knowledge that i have from reading faq / posts and howto on the web), and was wondering if someone had a recommend way of scripting the snort alerts to update a Cisco pix or router. i do not hink of myself as to daft ;-) and i just need to be pointed in the direction of a good howto.

Regards dirk

Reply to

In article , wrote: :Does anyone have a good reference on the internet for configure snort :to update the access-lists on a cisco router?

:>From the follwing design

:ISP ----->---Cisco Router/Pix------Snort IPS----Network Segment LAN or :DMZ

:When snort recieves a packet that is of malicous nature, the idea is to :generate an alert and based on the alert initate a script that :automatically logs into the router (using a automatted SSH script) and :ammends the access-list statement to deny that particular attacking :host.

Is it a Cisco router or is it a Cisco PIX?

If it is a PIX, then you might want to issue a 'shun' command instead of modifying an access-list -- the 'shun' command is intended for IDS devices to do a short-term block of an IP as a prioriity over the ACL without having to keep track of the current ACL contents. (On the PIX as of about 6.2, you -can- remove specific lines from the ACL, but you have to know the line number -- and if you have multiple IPs being blocked, then keeping track of which is on which line could prove a bit tiresome.

On the other hand, the 'shun' command likes to produce one syslog message per packet from the shunned system -- you migh want to turn off logging of that particular message!

I believe IOS with the firewall feature set has the equivilent of 'shun', but I am not certain.

Oh yes: if you use shun, then double-check whether 'shun' commands are saved when you "write memory". My recollection is that they are -not- saved.

Reply to
Walter Roberson

(Im sure there are other sites out there as well too)

formatting link
Guardian Active Response for Snort


Overview: Guardian is a security program which works in conjunction with Snort to automaticly update firewall rules based on alerts generated by Snort. The updated firewall rules block all incoming data from the IP address of the attacking machine (the machine which caused Snort to generate an alert. There is also logic in place which pervents blocking important machines, such as DNS servers, gateways, and whatever else you want.

Here is a link you might want to read:

formatting link
.. I found it very interesting on why you should use this software with great caution.

New Stuff/Changes a.. New block/unblock scripts! Checkpoint firewall and Pix firewall scripts. Download them below. Thanks goes out to Markwalder Philip (pm at and Roland Gafner (roland.gafner at Awesome work guys :) b.. Better syslog parsing! Now guardian should work regardless of how your syslog/snortlib reports the attacks (as long as the attacker's IP address is first). The new code is much cleaner, and should be a bit faster as well. c.. Added support for watching for more than one IP address. To do this, a new option has been added to the guardian.conf file:

TargetFile /etc/

The file should contain a list of IP addresses which are local IP addresses. The format is the same as the IgnoreFile. This is useful for people who are hosting several IP addresses from one machine. It might also be useful for poeple who are running snort/guardian on a firewall. This will also only place a block on the interface which is defined in the guardian.conf .. I should also add that this is experimental.

d.. Bug fix: guardian now catches portscans as reported by the portscan modules Block/Unblock Scripts a.. ipchains (Block / Unblock) b.. iptables (Block / Unblock) c.. ipfwadm (Block / Unblock) d.. FreeBSD using IPFW (Block / Unblock) e.. ipfilter (courtesy of Wes Sonnenreich (sonny at (Block / Unblock) f.. New! Null Route for Linux systems with no other packet filter software (Block / Unblock) This is a hack. Please read the file.. It works by adding a route to your routing table when an attack is detected. The route is invalid, and specific to the attacker, so while the route exists, your machine won't send anything back to the attacker. I have no idea what this does to performace. g.. Checkpoint Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock) h.. Pix Firewall (Thanks Markwalder Philip and Roland Gafner)(Block / Unblock / Required perl script (also requires ssh perl module)) Misc Stuff a.. Here is a readme file that explains how to have guardian/snort running on one machine, and applying blocks to your firewall on a diffrent machine. This was written by Roland Gafner (roland.gafner at Downloads a.. Current Version: 1.7 (Download here)

a.. Better syslog parsing b.. TargetFile to watch multiple IP addresses c.. Bug Fix for catching portscans b.. Version: 1.6.2 (Download here)

a.. Support added for syslog rotation. Previously, guardian would not reopen the syslog file if it got rotated. This does not mean that there is support for rotating the guardian log itself. This will be supported in a future version. b.. Added block/unblock script for ipfwadm (useful for older linux kernels) c.. Bug fixes. Thanks to brian at for pointing them out. c.. Version: 1.6.1 (Download here)

a.. Bug fix for newer snortlibs and syslog

b.. Added block/unblock scripts for ipfwadm

d.. Version: 1.6 (Download here)

a.. Now calls an external script for blocking ip addresses.

b.. Added a timelimit feature.

c.. Removes all blocks upon exit

e.. Version: 1.5 beta (Download here) Many bug fixes, FreeBSD support added, syslog support added, IPtables support added

f.. Original release: 1.0 (Download here)

TODO a.. Support for other Network Intrusion Detection systems b.. Write block/unblock scripts for other OSs c.. Do something with the Priority codes that come with newer snort-libs d.. Include changes from unofficial guardian releases.. e.. More stuff later on.. This page is still under much work, so check back often =) --- Anthony (astevens @ chaotic . org) 03-26-02

hope this helps


Reply to

Why don't you just buy a decent firewall like a Netscreen, Sonicwall, or Fortinet. Commerical IDS->Firewall setups have been abysmal failures in the past, which is why everyones moved to IDP.

Reply to
Mark S Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.