Filter
Top Products
Chapter 28 - Configuring the Intrusion Detection System
Chapter 28 - Configuring the Intrusion
Detection System
Introduction
This chapter familiarizes the user with:
• Configuration of Snort as an Intrusion Detection System.
• Generating a daily snort analysis email.
Snort Fundamentals
The Snort Intrusion Detection System (IDS) provides a type of security management
system for the router. Snort gathers and analyzes information on various network
interfaces to identify possible security breaches, which include both intrusions (attacks
from outside the protected network) and misuse (attacks from within the protected
network).
Snort examines packets received on selected interfaces, applies “rules” from its
database and generates “alerts” to warn of “vulnerabilities”.
Which Interfaces To Monitor
Typically, the router will have an interface to an external network and interfaces
comprising the local network. The firewall will cite these interfaces as belonging to
the net and local zones. A key decision is whether to monitor traffic outside, or inside
of the firewall.
Monitoring traffic outside the firewall (on the external network interface) has the
advantage that attacks the firewall is blocking can be seen. This method, however,
will generate a large number of alerts. Additionally, firewall rules installed to
eliminate vulnerabilities will not prevent future alerts since traffic is monitored before
the firewall. Finally, this method will not detect misuse of the local ports.
Monitoring traffic inside the firewall (on all local interfaces) has the advantage that
the number of alerts decreases as vulnerabilities are eliminated at the firewall. It's
also good to monitor as much of the internal traffic as possible.
Snort Rules
The router supplies a variety of prepackaged rules. Each rule contains a unique
Signature Identifier (SID). The SID is included in reported alerts as part of a Snort
unique rule ID, a three digit number of the form [generator:SID:revision]. The
“generator” field reflects the organization that generated the rule, official snort rules
having values less than 1,000,000. The SID is a unique number to reflect an
individual rule, while the “revision” reflects improvements to the rule.
The main Snort IDS menu provides the capability to disable individual and groups of
rules. It is also possible to add unique rules to the database and to replace the existing
set of rules with more experimental rules from the community.
Alerting Methods
Alerts generated by snort are stored by one of three methods; as local syslog
messages, remotely sylogged messages and in an alert file.
RuggedCom 247