Configuring the intrusion detection system, Introduction, Snort fundamentals – RuggedCom RuggedRouter RX1100 User Manual


RX1000/RX1100™, Revision 1.14.3, page 275

33. Configuring the Intrusion Detection System

33.1. Introduction

This chapter familiarizes the user with:

• Configuration of Snort as an Intrusion Detection System.

• Generating a daily snort analysis email.

33.1.1. Snort Fundamentals

The Snort Intrusion Detection System (IDS) provides a type of security management system for the
router. Snort gathers and analyzes information on various network interfaces to identify possible
security breaches, which include both intrusions (attacks from outside the protected network) and
misuse (attacks from within the protected network). Snort examines packets received on selected
interfaces, applies “rules” from its database and generates “alerts” to warn of “vulnerabilities”.

Snort is a complex system with many capabilities and a large community of contributors and users.
The interested reader is encouraged to seek more information at the project's web site:
http://snort.org/.

33.1.1.1. Which Interfaces To Monitor

Typically, the router will have an interface to an external network and interfaces comprising the local
network. The firewall will cite these interfaces as belonging to the net and local zones. A key decision
is whether to monitor traffic outside or inside the firewall.

Monitoring traffic outside the firewall (on the external network interface) has the advantage that attacks
the firewall is blocking can be seen. This method, however, will generate a large number of alerts.
Additionally, firewall rules installed to eliminate vulnerabilities will not prevent future alerts since traffic
is monitored before the firewall. Finally, this method will not detect misuse of the local ports.

Monitoring traffic inside the firewall (on all local interfaces) has the advantage that the number of alerts
decreases as vulnerabilities are eliminated at the firewall. It's also good to monitor as much of the
internal traffic as possible.

33.1.1.2. Snort Rules

The router supplies a variety of prepackaged rules. Each rule contains a unique Signature Identifier
(SID). The SID is included in reported alerts as part of a Snort unique rule ID, a three-part identifier
of the form [generator:SID:revision]. The “generator” field reflects the organization that generated the
rule, official Snort rules having values less than 1,000,000. The SID is a unique number identifying an
individual rule, while the “revision” reflects improvements to the rule.

The main Snort IDS menu provides the capability to disable individual and groups of rules. It is
also possible to add unique rules to the database and to replace the existing set of rules with more
experimental rules from the community.
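As an added example (not code from the manual or from the router's software), the following Python parses Snort alert lines in the "fast" output format, groups them by the [generator:SID:revision] identifier described above and marks locally added rules by their SID range, producing the kind of per-rule summary a daily analysis email carries. The sample alert lines and their rule IDs are constructed for illustration.

```python
"""Summarise Snort fast-format alerts by [generator:SID:revision]."""
import re
from collections import Counter

# Captures the [gid:sid:rev] triple and the message between the [**] markers.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)

# Official rules use SIDs below 1,000,000; Snort reserves 1,000,000 and above for local rules.
OFFICIAL_SID_LIMIT = 1_000_000

# Constructed sample alerts in Snort's fast-alert layout (rule IDs are illustrative).
SAMPLE_ALERTS = """\
01/12-14:23:01.123456  [**] [1:1000001:2] LOCAL example rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:50123 -> 192.168.1.10:502
01/12-14:23:05.000001  [**] [1:1000001:2] LOCAL example rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.77:50124 -> 192.168.1.10:502
01/12-14:25:40.555555  [**] [1:400:5] ICMP example rule [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.20
01/12-14:26:00.000000  [**] [122:1:1] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 10.0.0.9 -> 192.168.1.10
this line is not an alert and must be ignored
"""

def parse_alert(line):
    """Return (gid, sid, rev, msg) for a fast-format alert line, or None for anything else."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return int(m["gid"]), int(m["sid"]), int(m["rev"]), m["msg"]

def is_local_rule(gid, sid):
    """True when the rule comes from the local SID range rather than the official set."""
    return gid == 1 and sid >= OFFICIAL_SID_LIMIT

def summarise(text):
    """Count alerts per 'gid:sid:rev' key and remember each rule's message."""
    counts, messages = Counter(), {}
    for line in text.splitlines():
        parsed = parse_alert(line)
        if parsed is None:
            continue
        gid, sid, rev, msg = parsed
        key = f"{gid}:{sid}:{rev}"
        counts[key] += 1
        messages[key] = msg
    return counts, messages

def daily_report(text):
    """Render one line per rule, most frequent first, tagged official or local."""
    counts, messages = summarise(text)
    lines = []
    for key, n in counts.most_common():
        gid, sid, _ = (int(x) for x in key.split(":"))
        origin = "local" if is_local_rule(gid, sid) else "official"
        lines.append(f"{n:4d}  [{key}] {messages[key]} ({origin})")
    return "\n".join(lines)

if __name__ == "__main__":
    print(daily_report(SAMPLE_ALERTS))
```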
