Googling, I came across this page titled "Snortsam - A Firewall Blocking Agent for Snort", which is a plugin for Snort. According to this plugins page, it can also be integrated with Sagan:
Excerpt
SnortSam has also been integrated with Sagan, which is a log analysis
engine developed by Champ Clark. The Snortsam Output Plugin and
related files (header, Twofish) are available at the Sagan GitHub
repository.
SnortSam itself consists of two pieces -- the output plugin within
Snort™ and an intelligent agent that runs on the firewall, or a host
near the firewall. The agent provides a variety of capabilities that
go beyond other automated blocking mechanisms, such as:
- White-list support of IP addresses that will never be blocked.
- Time-override list.
- Maximum block time ceiling as well as minimum block time definition for reporting entities.
- Flexible, per rule blocking specification, including rule dependent blocking time interval.
- A SID filter list of allowed or denied SIDs based on reporting entity.
- Misuse/Attack detection engine (including roll-back support) that attempts to mitigate the risk of a self-inflicted Denial-Of-Service
in the IDS-Firewall integration.
- Repetitive (same IP) block prevention with customizable window to improve performance.
- TwoFish encrypted communication between Snort™ and the SnortSam agent.
- True OPSEC support using the Checkpoint SDK (opsec plugin).
- Block tracking and block expiration for firewalls that don't support timeouts.
- Multi-threading for faster processing and simultaneous block on multiple devices.
- File logging and email notification of events.
... and finally, using the client/server (snort/snortsam) architecture to build large,
distributed response networks in a very scalable fashion.