As my only site protections at the moment (excluding firewall rules so tight they sometimes cause me problems) are Apache rewrite rules that automatically add IP addresses to iptables drop rules (if an HTTP request is for a page only a hacking attempt would look for) and Tripwire reports I seldom have time to review, I decided I needed an IDS.
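For readers who want to see what that first layer looks like in practice, here is an added example (not the author's own rewrite rules, which the post does not show): a small Python script that scans Apache combined-format access log lines for paths only a scanner would request and turns the source addresses into iptables DROP rules. The probe path list, the allowlist networks and the sample log lines are all assumptions constructed for the example.

```python
"""Scan Apache combined-format access log lines for requests to paths that
only a scanner would ask for and turn the source IPs into iptables DROP
rules.  Added illustration: the probe path list, allowlist and sample log
lines are assumptions, not the original author's configuration."""
import ipaddress
import re
import shlex
import subprocess

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Paths a legitimate visitor to a plain static site never requests (assumed list).
PROBE_PREFIXES = (
    "/phpmyadmin", "/pma", "/wp-login.php", "/wp-admin", "/xmlrpc.php",
    "/.env", "/.git/", "/cgi-bin/", "/administrator/", "/vendor/phpunit",
)

# Never ban ourselves or the LAN; otherwise one typo locks you out (assumed networks).
ALLOWLIST = [ipaddress.ip_network("127.0.0.0/8"),
             ipaddress.ip_network("192.168.0.0/16")]


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Compare on the path only: drop the query string, normalise case.
    rec["path"] = rec["target"].split("?", 1)[0].lower()
    return rec


def is_probe(path):
    return any(path.startswith(p) for p in PROBE_PREFIXES)


def is_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source field: do not try to ban it
    return any(addr in net for net in ALLOWLIST)


def offending_ips(lines):
    """Set of source IPs that requested at least one probe path."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec and is_probe(rec["path"]) and not is_allowed(rec["ip"]):
            ips.add(rec["ip"])
    return ips


def iptables_cmds(ips):
    """One DROP rule per IP, inserted at the top of INPUT (assumed chain name)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]


def apply(ips, dry_run=True):
    """Print the rules, or run them when dry_run is False (needs root)."""
    for cmd in iptables_cmds(ips):
        if dry_run:
            print(cmd)
        else:
            subprocess.run(shlex.split(cmd), check=True)


# Constructed sample log lines, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [12/Mar/2014:10:01:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.9 - - [12/Mar/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Mar/2014:10:01:09 +0000] "GET /.env HTTP/1.1" 404 209 "-" "-"',
    '192.168.1.20 - - [12/Mar/2014:10:02:00 +0000] "GET /wp-login.php?x=1 HTTP/1.1" 404 209 "-" "-"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    apply(offending_ips(SAMPLE))  # dry run: prints the iptables command(s)
```

Against the sample, only 203.0.113.7 gets a rule: the LAN host that asked for /wp-login.php is allowlisted, and the unparsable line is skipped rather than treated as an attack. The allowlist is the check worth keeping even if everything else is replaced by Snort: an auto-ban rule with no exclusions will eventually ban the admin.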
The open-source Snort IDS has been around for a long time, and from reading the manual it seems to have all the bells and whistles a command-line user needs.
For my Fedora 20 system I followed the documentation for Fedora 17/18 at http://www.snort.org/docs, which was pretty much complete. That covered getting Snort and DAQ installed. I skipped the section on startup scripts as they were pre-systemd; if I decide to keep Snort I will probably define it as a service later.
The only extra step required came from reviewing the prerequisites: the barnyard2 toolkit was required. It is linked from the requirements page, so refer there.
I am using the community rules while I play with this. No point in registering for fresher rulesets until I see whether Snort is useful to me or not.
All compiled OK, and at startup it reports the rules loaded (I globally uncommented all the community rules, which added quite a few more to the 476 default rules it obtained from somewhere when they were commented out): 2979 rules loaded.
I will still have to find a way to generate suspect traffic to see if it is actually doing anything; I will probably try out some of the HTTP checks, with HTTP traffic on non-HTTP ports and malformed URLs, to see how it goes.
There are quite a few third-party GUI/toolset interfaces to Snort for monitoring. I had a brief look at OSSIM, but the hardware requirements needed to run it exceed my budget (8 cores, 16 GB, dedicated to monitoring; no thanks). I will review some of the others at some point. In the meantime I'll just hook it into my alert monitor to collect all the alerts and write a quick-and-dirty Nagios plugin to let me know if there are Snort alerts.
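As an added example of the kind of quick Nagios plugin mentioned above (this is not the author's plugin, which the post does not show), here is a Python check that parses Snort's one-line alert_fast output, reports only alerts appended since the previous run by remembering a byte offset in a state file, and maps the result onto the standard Nagios exit codes. The alert file and state file paths, the priority threshold and the sample alert lines are assumptions constructed for the example.

```python
"""Minimal Nagios-style check for a Snort alert_fast log.  Added example,
not the original author's plugin.  Assumptions: Snort writes one alert per
line in alert_fast format, and a small state file records how far into the
alert file the previous run read so each run reports only new alerts."""
import os
import re
import sys

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# alert_fast line, e.g.
# 03/15-10:22:01.123456  [**] [1:2100498:7] msg [**] [Classification: x] [Priority: 2] {TCP} a:p -> b:q
# The Classification block is absent for rules without a classtype.
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<pri>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)'
)


def parse_alert(line):
    """Fields of one alert_fast line as a dict, or None if it is not an alert."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pri"] = int(rec["pri"])
    return rec


def read_new_lines(alert_path, state_path):
    """Lines appended since the offset saved in state_path; then save the
    new offset.  A file shorter than the saved offset means the log was
    rotated, so start again from the beginning instead of reading nothing."""
    try:
        with open(state_path) as f:
            offset = int(f.read().strip() or 0)
    except (OSError, ValueError):
        offset = 0
    with open(alert_path, "rb") as f:
        f.seek(0, os.SEEK_END)
        if f.tell() < offset:
            offset = 0
        f.seek(offset)
        data = f.read()
        new_offset = f.tell()
    with open(state_path, "w") as f:
        f.write(str(new_offset))
    return data.decode("utf-8", "replace").splitlines()


def evaluate(lines, crit_priority=1):
    """Map new alert lines to a Nagios (exit code, message) pair.
    Snort priority 1 is the most severe, so any alert at or below
    crit_priority is CRITICAL, any other alert is WARNING, none is OK.
    Lines that do not parse are ignored rather than failing the check."""
    alerts = [a for a in (parse_alert(l) for l in lines) if a]
    if not alerts:
        return OK, "OK - no new snort alerts"
    n = len(alerts)
    top = min(alerts, key=lambda a: a["pri"])  # most severe alert
    summary = (f"{n} new snort alert(s), worst priority {top['pri']}: "
               f"[{top['gid']}:{top['sid']}] {top['msg']} {top['src']} -> {top['dst']}")
    if top["pri"] <= crit_priority:
        return CRITICAL, f"CRITICAL - {summary} | alerts={n}"
    return WARNING, f"WARNING - {summary} | alerts={n}"


# Constructed sample alert lines, not real Snort output.
SAMPLE_ALERTS = [
    '03/15-10:22:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root'
    ' [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234',
    '03/15-10:22:03.000001  [**] [1:1000001:1] LOCAL http traffic on non-http port'
    ' [**] [Priority: 3] {TCP} 192.168.1.10:40000 -> 192.168.1.20:8081',
    'not an alert line',
]

if __name__ == "__main__":
    # Assumed default paths; override on the command line.
    alert_file = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/alert"
    state_file = sys.argv[2] if len(sys.argv) > 2 else "/var/tmp/check_snort.offset"
    try:
        code, msg = evaluate(read_new_lines(alert_file, state_file))
    except OSError as e:
        code, msg = UNKNOWN, f"UNKNOWN - {e}"
    print(msg)
    sys.exit(code)
```

Two details matter more than the parsing. First, the state-file offset is what makes the check report each alert once rather than nagging forever about the first one, and the rotation check keeps it from going silent after logrotate truncates the file. Second, the Nagios user needs read access to the alert file and write access to the state file, so either run Snort with a group the check shares or point the state file somewhere writable.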
Short term, I will leave it running for a while and see what sort of CPU overhead it uses.
Over the weekend I will fire up the website stress-testing software, do a few large SCPs across the internal network, and see what sort of overhead that causes.
Long term, its ability to rewrite packet data, scan packet data, drop suspect sessions and so on will provide me with entertainment for a while.
It is monitoring the network. After I shut down the foreground session it reported:
    Run time for packet processing was 147434.33857 seconds
    Snort processed 427340 packets.
    Snort ran for 1 days 16 hours 57 minutes 14 seconds
       Pkts/day:  427340
       Pkts/hr:   10683
       Pkts/min:  173
       Pkts/sec:  2
It is installed on my webserver VM at the moment.