Chapter 25 – configuring the snort ids, Introduction, Snort fundamentals – RuggedCom RuggedRouter RX1000 User Manual

RuggedRouter



User Guide

Chapter 25 – Configuring The Snort IDS

Introduction

This chapter familiarizes the user with:

•

Configuration of Snort as an Intrusion Detection System.

•

Generating a daily snort analysis email.

Snort Fundamentals

The snort Intrusion Detection System (IDS) provides a type of security management
system for the router. Snort gathers and analyzes information on various network
interfaces to identify possible security breaches, which include both intrusions
(attacks from outside the protected network) and misuse (attacks from within the
protected network).
Snort examines packets received on selected interfaces, applies “rules” from its
database and generates “alerts” to warn of “vulnerabilities”.

Which Interfaces To Monitor

Typically, the router will have an interface to an external network and interfaces
comprising the local network. The firewall will cite these interfaces as belonging to
the net and local zones. A key decision is whether to monitor traffic outside, or inside
of the firewall.
Monitoring traffic outside the firewall (on the external network interface) has the
advantage that attacks the firewall is blocking can be seen. This method, however,
will generate a large number of alerts. Additionally, firewall rules installed to
eliminate vulnerabilities will not prevent future alerts since traffic is monitored
before the firewall. Finally, this method will not detect misuse of the local ports.
Monitoring traffic inside the firewall (on all local interfaces) has the advantage that
the number of alerts decreases as vulnerabilities are eliminated at the firewall. It's
also good to monitor as much of the internal traffic as possible.

Snort Rules

The router supplies a variety of prepackaged rules. Each rule contains a unique
Signature Identifier (SID). The SID is included in reported alerts as part of a Snort
unique rule ID, a three digit number of the form [generator:SID:revision]. The
“generator” field reflects the organization that generated the rule, official snort rules
having values less than 1,000,000. The SID is a unique number to reflect an
individual rule, while the “revision” reflects improvements to the rule.
The main Snort IDS menu provides the capability to disable individual and groups of
rules. It is also possible to add unique rules to the database and to replace the existing
set of rules with more experimental rules from the community.

Alerting Methods

Alerts generated by snort are stored by one of three methods; as local syslog
messages, remotely sylogged messages and in an alert file.
When the local syslog method is chosen, the destination log file may be selected.

230 RuggedCom