RuggedRouter™ User Guide

Chapter 25 – Configuring The Snort IDS

Introduction

This chapter familiarizes the user with:

Configuration of Snort as an Intrusion Detection System.

Generating a daily snort analysis email.

Snort Fundamentals

The snort Intrusion Detection System (IDS) provides a type of security management system for the router. Snort gathers and analyzes information on various network interfaces to identify possible security breaches, which include both intrusions (attacks from outside the protected network) and misuse (attacks from within the protected network).

Snort examines packets received on selected interfaces, applies “rules” from its database and generates “alerts” to warn of “vulnerabilities”.

Which Interfaces To Monitor

Typically, the router will have an interface to an external network and interfaces comprising the local network. The firewall will cite these interfaces as belonging to the net and local zones. A key decision is whether to monitor traffic outside, or inside of the firewall.

Monitoring traffic outside the firewall (on the external network interface) has the advantage that attacks the firewall is blocking can be seen. This method, however, will generate a large number of alerts. Additionally, firewall rules installed to eliminate vulnerabilities will not prevent future alerts since traffic is monitored before the firewall. Finally, this method will not detect misuse of the local ports.

Monitoring traffic inside the firewall (on all local interfaces) has the advantage that the number of alerts decreases as vulnerabilities are eliminated at the firewall. It's also good to monitor as much of the internal traffic as possible.

Snort Rules

The router supplies a variety of prepackaged rules. Each rule contains a unique Signature Identifier (SID). The SID is included in reported alerts as part of a Snort unique rule ID, a three digit number of the form [generator:SID:revision]. The “generator” field reflects the organization that generated the rule, official snort rules having values less than 1,000,000. The SID is a unique number to reflect an individual rule, while the “revision” reflects improvements to the rule.

The main Snort IDS menu provides the capability to disable individual and groups of rules. It is also possible to add unique rules to the database and to replace the existing set of rules with more experimental rules from the community.

Alerting Methods

Alerts generated by snort are stored by one of three methods; as local syslog messages, remotely sylogged messages and in an alert file.

When the local syslog method is chosen, the destination log file may be selected.

230

RuggedCom

Page 232
Image 232
RuggedCom RX1000 Configuring The Snort IDS, Snort Fundamentals, Which Interfaces To Monitor, Snort Rules, Alerting Methods