Chapter 25 – Configuring The Snort IDS
When the alert file method is chosen, a daily analysis of the file can be emailed.
The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort
IDS menu. The rule itself often contains HTML links to Internet resources such as
www.securityfocus.com and cve.mitre.org. These provide more in-depth
descriptions of the vulnerability.
Performance And Resources
The performance impact of snort varies with the number of interfaces monitored, the
number of rules enabled, the packet rate and the logging method.
Snort has been empirically determined to use about 20% of the CPU clock cycles at
its maximum processing rate.
The router is capable of recording about 300 entries/second to the local syslog and
500 entries/second to the alert file. Alerts arriving faster than these rates will not
be recorded.
Snort will require 5 Mbytes of system memory to start with an additional 15 Mbytes
of memory for each interface monitored.
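
A daily alert-file summary of the kind described above, grouped by SID so each entry can be looked up in the Snort IDS menu; it also flags any second in which the entry count reached the 500 entries/second alert-file rate, since further alerts in that second would not have been recorded. This is an added example, not RuggedCom code: it assumes the alert file uses Snort's one-line "fast" alert format, and the sample lines, SIDs and addresses are constructed.

```python
import re
from collections import Counter

# Assumption: one alert per line in Snort "fast" format, e.g.
# MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] ...
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)
ALERT_FILE_LIMIT = 500  # entries/second the manual gives for the alert file

def summarize(lines, limit=ALERT_FILE_LIMIT):
    """Return (count per SID, SID -> message, saturated seconds, unparsed lines)."""
    by_sid, messages, per_second, unparsed = Counter(), {}, Counter(), 0
    for line in lines:
        m = ALERT_RE.match(line)
        if not m:
            unparsed += bool(line.strip())  # count non-blank lines we cannot read
            continue
        sid = int(m["sid"])
        by_sid[sid] += 1
        messages.setdefault(sid, m["msg"])
        per_second[m["ts"]] += 1
    # A second that holds `limit` entries may hide alerts that were never written.
    saturated = sorted(ts for ts, n in per_second.items() if n >= limit)
    return by_sid, messages, saturated, unparsed

def report(lines, limit=ALERT_FILE_LIMIT):
    """Build the plain-text body of the daily summary."""
    by_sid, messages, saturated, unparsed = summarize(lines, limit)
    out = [f"{n:6d}  SID {sid:<8d} {messages[sid]}" for sid, n in by_sid.most_common()]
    out += [f"WARNING {ts}: reached {limit} entries/s, alerts may be missing"
            for ts in saturated]
    if unparsed:
        out.append(f"{unparsed} line(s) not in fast-alert format")
    return "\n".join(out)

# Constructed sample input (local-range SIDs, documentation addresses).
SAMPLE = [
    "03/14-02:15:07.100001  [**] [1:1000001:1] CONSTRUCTED telnet login attempt [**] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:23",
    "03/14-02:15:07.200002  [**] [1:1000001:1] CONSTRUCTED telnet login attempt [**] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:23",
    "03/14-02:15:07.300003  [**] [1:1000002:3] CONSTRUCTED SNMP public community [**] [Priority: 2] {UDP} 192.0.2.11:5000 -> 198.51.100.5:161",
    "03/14-02:15:09.000004  [**] [1:1000001:1] CONSTRUCTED telnet login attempt [**] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.5:23",
    "truncated or garbled line",
]

if __name__ == "__main__":
    print(report(SAMPLE, limit=3))  # low limit only so the sample triggers the warning
```
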
Snort IDS Main Menu
This menu configures the snort IDS and is composed of three sections.
Note that snort is disabled by default and may be enabled via the System folder,
Bootup And Shutdown menu. If snort is running, configuration changes must be
made active by restarting it. The Restart Snort button will restart snort, listing the
interfaces it is active upon.

Global Configuration

Figure 194: Snort Main Menu part 1
The Global Configuration menu section configures parameters that apply to all
interfaces.
Interfaces
Figure 195: Snort Main Menu part 2
The Interfaces section selects the interfaces snort will monitor. You must restart snort
after changing interfaces.
RuggedCom 231