{"id":462,"date":"2014-05-11T12:20:55","date_gmt":"2014-05-11T00:20:55","guid":{"rendered":"http:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=462"},"modified":"2014-05-11T12:20:55","modified_gmt":"2014-05-11T00:20:55","slug":"snort-open-source-intrusion-detection-system","status":"publish","type":"post","link":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=462","title":{"rendered":"Snort &#8211; open source intrusion detection system"},"content":{"rendered":"<p>As my only site protections at the moment (excluding firewall rules so tight they cause me problems sometimes) are Apache rewrite rules that automatically add IP addresses to iptables DROP rules (when an HTTP request is for a page that only a hacking attempt would look for) and Tripwire reports I seldom have time to review, <em>I decided I needed an IDS<\/em>.<\/p>\n<p>The open source <a href=\"http:\/\/www.snort.org\">Snort IDS<\/a> application has been around for a long time, and from reading the manual it seems to have all the bells and whistles needed for a command line user.<\/p>\n<p>For my Fedora 20 system I followed the documentation for Fedora 17\/18 at http:\/\/www.snort.org\/docs, which was pretty much complete. That covered getting <b>snort<\/b> and <b>daq<\/b> installed. I skipped the section on startup scripts as they were pre-systemd; if I decide to keep Snort I will probably define it as a service later.<\/p>\n<p>The only extra step required was that, in <a href=\"http:\/\/www.snort.org\/start\/requirements\">reviewing the prerequisite requirements<\/a>, the barnyard2 toolkit was required. That is linked to from the requirements page, so refer there.<\/p>\n<p>I am using the community rules while I play with this. 
No point in registering for fresher rulesets until I see whether Snort is useful to me or not.<\/p>\n<p>All compiled OK. At startup it says the rules are loaded (I globally uncommented all the community rules, which added quite a few more to the 476 default rules it obtained from somewhere while they were commented out): 2979 rules loaded.<\/p>\n<p>I will still have to find a way to generate suspect traffic to see if it is actually doing anything; probably try out some of the HTTP checks by sending HTTP traffic on non-HTTP ports and malformed URLs to see how it goes.<\/p>\n<p>There are quite a few 3rd party GUI\/toolset interfaces to Snort for monitoring. I had a brief look at OSSIM, but the hardware requirements needed to run that exceed my budget (8 cores, 16GB, dedicated to monitoring, no thanks). I will review some of the others at some point. In the meantime I&#8217;ll just hook it into my alert monitor to collect all the alerts and write a quick\/dirty Nagios plugin to let me know if there are Snort alerts.<\/p>\n<p>Short term I will leave it running for a while and see what sort of CPU overhead it uses.<br \/>\nOver the weekend I will fire up the website stress testing software, do a few large SCPs across the internal network, and see what sort of overhead that will cause.<\/p>\n<p><b>Long term, its ability to rewrite packet data, scan packet data and drop suspect sessions etc. will provide me with entertainment for a while<\/b>.<\/p>\n<p>It is monitoring the network. After I shut down the foreground session:<\/p>\n<pre>\r\nRun time for packet processing was 147434.33857 seconds\r\nSnort processed 427340 packets.\r\nSnort ran for 1 days 16 hours 57 minutes 14 seconds\r\n   Pkts\/day:       427340\r\n    Pkts\/hr:        10683\r\n   Pkts\/min:          173\r\n   Pkts\/sec:            2\r\n<\/pre>\n<p>Installed on my webserver VM at the moment. 
<\/p>\n","protected":false},"excerpt":{"rendered":"<p>As my only site protections at the moment (excluding firewall rules so tight they cause me problems sometimes) are apache rewrite rules to automatically add ip-addresses to iptables drop rules (if an http request is for a page only a &hellip; <a href=\"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/?p=462\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-462","post","type-post","status-publish","format-standard","hentry","category-my-nux-thoughts-and-notes"],"_links":{"self":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/462","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=462"}],"version-history":[{"count":4,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/462\/revisions"}],"predecessor-version":[{"id":466,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=\/wp\/v2\/posts\/462\/revisions\/466"}],"wp:attachment":[{"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=462"},{"taxono
my":"post_tag","embeddable":true,"href":"https:\/\/mdickinson.dyndns.org\/php\/wordpress\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
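The post above mentions writing a quick/dirty Nagios plugin to report Snort alerts. The following is an added example of what that check looks like in Python; it is not the author's code and not part of Snort. It assumes Snort is writing the `alert_fast` text output format (timestamp, `[gid:sid:rev]`, message, optional classification, priority, protocol, `src -> dst`, one alert per line), reads that file, counts alerts inside a recent time window by Snort priority (1 is the most severe), and exits with the standard Nagios return codes. The log path, the thresholds, and the sample alert lines in `SAMPLE_LOG` are constructed for the example; the SIDs in them are in the local-rule range (1000000 and up) and are illustrative, not real community-rule IDs.

```python
#!/usr/bin/env python3
"""check_snort_alerts: a Nagios-style check over Snort's alert_fast log.

Added example, not code from the original post. Assumed input format is
Snort's alert_fast output, one alert per line, for instance:
  05/10-14:23:11.123456  [**] [1:1000001:1] msg [**] [Classification: x] [Priority: 2] {TCP} a:p -> b:q
The default log path, the thresholds and SAMPLE_LOG are all constructed.
"""
import re
import sys
from datetime import datetime, timedelta

# Nagios plugin exit codes.
OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3

# alert_fast prints MM/DD-HH:MM:SS.usec with no year; the Classification
# field is only present when the rule carries a classtype.
ALERT_RE = re.compile(
    r'^(?P<mon>\d{2})/(?P<day>\d{2})-(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+'
    r'\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'
    r'\[Priority:\s*(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>[A-Z0-9]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$'
)

def parse_alert(line, year):
    """Return a dict for one alert_fast line, or None if it does not parse.

    The year is supplied by the caller because the log line has none; this
    check assumes the current year, which is wrong for the first minutes
    after New Year. barnyard2 over unified2 does not have that problem.
    """
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['mon']}/{m['day']} {m['time']}", "%Y/%m/%d %H:%M:%S")
    return {"time": ts, "sid": f"{m['gid']}:{m['sid']}:{m['rev']}", "msg": m["msg"],
            "priority": int(m["prio"]), "proto": m["proto"], "src": m["src"], "dst": m["dst"]}

def summarise(lines, now, window, year=None):
    """Count alerts with a timestamp in [now - window, now], keyed by priority.

    Returns (counts, unparsed); unparseable non-blank lines are counted so a
    format change in the log shows up instead of silently reporting OK.
    """
    year = year or now.year
    cutoff = now - window
    counts, unparsed = {}, 0
    for line in lines:
        alert = parse_alert(line, year)
        if alert is None:
            if line.strip():
                unparsed += 1
            continue
        if alert["time"] < cutoff or alert["time"] > now:
            continue
        counts[alert["priority"]] = counts.get(alert["priority"], 0) + 1
    return counts, unparsed

def evaluate(counts, unparsed, warn_prio=3, crit_prio=1):
    """Map priority counts to (exit code, Nagios status line).

    Snort priority 1 is the most severe: anything at or above crit_prio is
    CRITICAL, anything at or above warn_prio (but below crit_prio) is WARNING,
    lower priorities are only reported in the perfdata-style summary.
    """
    total = sum(counts.values())
    high = sum(n for p, n in counts.items() if p <= crit_prio)
    mid = sum(n for p, n in counts.items() if crit_prio < p <= warn_prio)
    perf = " ".join(f"prio{p}={n}" for p, n in sorted(counts.items()))
    detail = f"{total} alerts in window ({perf or 'none'})"
    if unparsed:
        detail += f", {unparsed} unparsed lines"
    if high:
        return CRITICAL, f"SNORT CRITICAL - {high} high-priority alerts; {detail}"
    if mid:
        return WARNING, f"SNORT WARNING - {mid} medium-priority alerts; {detail}"
    return OK, f"SNORT OK - {detail}"

def check_file(path, now=None, window=timedelta(minutes=15)):
    """Read the alert_fast log at path and return (exit_code, message)."""
    now = now or datetime.now()
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            counts, unparsed = summarise(fh, now, window)
    except OSError as e:
        return UNKNOWN, f"SNORT UNKNOWN - cannot read {path}: {e}"
    return evaluate(counts, unparsed)

# Constructed sample alerts (local-rule SIDs, not real community-rule IDs).
SAMPLE_LOG = """\
05/10-14:01:02.000001  [**] [1:1000001:1] LOCAL HTTP on non-HTTP port [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:51234 -> 10.0.0.9:4444
05/10-14:05:30.000002  [**] [1:1000002:1] LOCAL malformed URL [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:51235 -> 10.0.0.9:80
05/10-13:10:00.000003  [**] [1:1000003:1] LOCAL old alert outside window [**] [Priority: 3] {UDP} 10.0.0.5:5353 -> 224.0.0.251:5353
this line is not an alert
"""

if __name__ == "__main__":
    # Assumed default path; pass the real alert file as the first argument.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/log/snort/alert"
    code, msg = check_file(path)
    print(msg)
    sys.exit(code)
```

Run it as `check_snort_alerts.py /path/to/alert` from an NRPE or local Nagios command definition; the first line of output and the exit code are all Nagios needs. Because the check re-reads the whole file on every run, rotate the alert log or switch to barnyard2 reading Snort's unified2 output (which the post's prerequisites already pull in) once the file grows; the text log is convenient for a first look but unified2 carries the year and the full packet.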