SnortSam - Snort & Firewall Integration Tool

SnortSam is an intelligent agent that allows the popular open-source Intrusion Detection System Snort to block
intruding connections by reconfiguring Checkpoint Firewall-1/VPN-1 firewalls. It can also block on Cisco PIX
firewalls and Cisco routers.

Snort has been extended with an 'output plugin' that notifies the SnortSam agent of blocking requests on a rule basis. Each Snort rule can be extended with a keyword that sends the blocking request.

There is another plugin available that connects directly to Firewall-1. However, it lacks several important features,
and it always blocks permanently, which is not a good thing to do. SnortSam is built on a client-agent concept for several reasons:

* One is to reduce the workload of the IDS sensor (Snort).
* The second is that this concept lets one build a comprehensive network of sensors and firewalls. Each Snort sensor can request a block at an unlimited number of firewalls, and each firewall can accept requests from an unlimited number of IDS sensors.

SnortSam is the intelligent agent which runs on the firewall itself. A Snort sensor is configured with the address of the agent, and rules that should request a blocking action are extended with certain parameters. When a rule triggers a block, the Snort sensor sends an encrypted TCP packet to one or more SnortSam agents that are running on the firewalls. The agent performs certain checks, and if allowed, will request the firewall to block the reported IP address.
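As an added illustration (not SnortSam's own code), a minimal agent-side policy in Python that sits between incoming block requests and the firewall. The page only says the agent "performs certain checks", so the whitelist of never-block networks, the duration cap and the duplicate handling are assumed checks, and the recorded firewall commands are stand-ins for the real Firewall-1 or PIX reconfiguration.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class BlockRequest:
    ip: str           # address the sensor wants blocked
    duration: int     # requested block time in seconds (0 = permanent)
    rule_id: int      # Snort rule that triggered the request


@dataclass
class BlockAgent:
    """Policy layer between sensor requests and the firewall (assumed checks)."""
    never_block: list                 # networks that must never be blocked
    max_duration: int = 3600          # hard cap; permanent blocks are refused
    active: dict = field(default_factory=dict)    # ip -> unblock time
    commands: list = field(default_factory=list)  # firewall actions issued

    def __post_init__(self):
        self.never_block = [ipaddress.ip_network(n) for n in self.never_block]

    def handle(self, req: BlockRequest, now: int) -> str:
        ip = ipaddress.ip_address(req.ip)
        # Expire finished blocks first so firewall state stays in sync.
        for addr, until in list(self.active.items()):
            if until <= now:
                del self.active[addr]
                self.commands.append(f"unblock {addr}")
        # Check 1: never block own infrastructure (gateways, DNS, the sensors);
        # a spoofed source address would otherwise let an attacker cut them off.
        if any(ip in net for net in self.never_block):
            return "refused:whitelisted"
        # Check 2: a permanent or over-long request is reduced to the cap.
        duration = req.duration if 0 < req.duration <= self.max_duration else self.max_duration
        until = now + duration
        # Check 3: extend an existing block instead of issuing a duplicate rule.
        if req.ip in self.active:
            self.active[req.ip] = max(self.active[req.ip], until)
            return "extended"
        self.active[req.ip] = until
        self.commands.append(f"block {req.ip} for {duration}s (rule {req.rule_id})")
        return "blocked"
```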
