
=== Update the rules ===
The '''Updates''' tab is used to check the status of downloaded rules packages and to download new updates. The table shows the available rule packages and their current status (not enabled, not downloaded, or a valid MD5 checksum and date).

- Click the '''Update Rules''' button to download the latest rule package updates. If a newer set of packaged rules is available on the vendor web site, it will be downloaded and installed. The '''FORCE''' button can be used to force a download of the rule packages from the vendor web site regardless of the previously installed version.

=== Add Snort to an interface ===
- Click the '''Snort Interfaces''' tab and then the Add icon to add a new Snort interface.

- A new Interface Settings tab will open with the next available interface automatically selected. We will add the detection to the WAN interface. The interface selection may be changed using the '''Interface''' drop-down if WAN is not automatically selected.

- A descriptive name may also be provided for the interface. Other interface parameters may also be set on this page. Be sure to click the '''SAVE''' button at the bottom of the page when finished.

- After saving, the browser will return to the '''Snort Interfaces''' tab. Click the pencil icon in the Actions column of the WAN interface.

- Click WAN Categories, then click Select All and Save. This will make all rules in the selected categories active for the IDS.

- Now click the Snort Interfaces link to go back to the Interface Settings Overview.

- To start the IDS, click the start button in the Snort Status column.

- Next, click the Alerts link and tick Auto-refresh if it is not already selected.

- In a new tab, do some browsing and check whether there are any detections.

If you see lots of alerts from a single rule, it can be a false positive. Go back to the interface edit page in Snort and, on WAN Rules, disable that specific rule or rules. But be careful when disabling rules, as it might create new loopholes in your analysis.

On the WAN Rules page you can select your rule by its category. Once the rule is found, you can disable an active rule by clicking on the green icon, or re-enable a disabled rule the same way.

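As an added example (not code from the original guide or from the Snort project), the following Python script does offline what the Alerts tab lets you do by eye: it parses Snort "fast" format alert lines and reports the rules that account for most of the alerts, which are the first candidates to review, and if they are test or overly broad rules, to disable on the WAN Rules page. The log lines, addresses and sids below are constructed for this example.

```python
"""Added example (not from the original guide): triage Snort fast-format
alert lines to spot rules that fire far more often than the rest, which is
the first hint the guide gives for a false positive.  The sample lines
below are constructed for this example, not captured traffic."""
import re
from collections import Counter, defaultdict

# Snort fast-alert layout: ts [**] [gid:sid:rev] msg [**] [...] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts: sid 1000001 is the catch-all "Testing Alert"
# rule from the guide and, as expected, dominates the log.
SAMPLE_ALERTS = """\
08/28-10:00:01.000001  [**] [1:1000001:1] Testing Alert [**] [Priority: 0] {TCP} 192.0.2.10:51000 -> 198.51.100.5:80
08/28-10:00:01.200001  [**] [1:1000001:1] Testing Alert [**] [Priority: 0] {TCP} 192.0.2.10:51001 -> 198.51.100.5:443
08/28-10:00:02.000001  [**] [1:1000001:1] Testing Alert [**] [Priority: 0] {TCP} 192.0.2.11:51002 -> 198.51.100.9:443
08/28-10:00:02.500001  [**] [1:1000001:1] Testing Alert [**] [Priority: 0] {TCP} 192.0.2.12:51003 -> 198.51.100.9:80
08/28-10:00:03.000001  [**] [1:1000002:1] FTP connection attempt from LEARN [**] [Priority: 0] {TCP} 203.0.113.7:40000 -> 192.0.2.20:21
08/28-10:00:04.000001  [**] [1:1000001:1] Testing Alert [**] [Priority: 0] {TCP} 192.0.2.10:51004 -> 198.51.100.5:80
08/28-10:00:05.000001  [**] [1:1000003:1] SSH Detected [**] [Priority: 0] {TCP} 203.0.113.8:40001 -> 192.0.2.20:22
"""


def parse_alert(line):
    """Return a dict of the alert fields, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text):
    """Count alerts per sid and remember each rule's message and distinct source IPs."""
    counts = Counter()
    msgs = {}
    sources = defaultdict(set)
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # skip blank or unparseable lines rather than abort
        sid = int(a["sid"])
        counts[sid] += 1
        msgs[sid] = a["msg"]
        sources[sid].add(a["src"])
    return counts, msgs, sources


def noisy_rules(log_text, share=0.5):
    """Return the sids responsible for more than `share` of all alerts, most
    frequent first.  A rule this dominant is the one to review first."""
    counts, msgs, sources = summarize(log_text)
    total = sum(counts.values())
    if total == 0:
        return []
    return [
        {"sid": sid, "msg": msgs[sid], "count": n,
         "share": round(n / total, 2), "distinct_sources": len(sources[sid])}
        for sid, n in counts.most_common()
        if n / total > share
    ]


if __name__ == "__main__":
    for r in noisy_rules(SAMPLE_ALERTS):
        print(r)
```

Pointing the script at a real alert file means reading it into `log_text`; the `distinct_sources` count helps separate a rule that is simply too broad (many unrelated sources) from one that a single host keeps tripping.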
=== Creating Custom Rules ===

- Select WAN Rules -> Category Selection -> custom.rules

- Type in the custom rules, save them and check whether they are working. (To see your custom rules at their best, first deselect all categories in WAN Categories.)

- If you see lots of false positives or false negatives, you might consider fine tuning your rules.
{{{
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH Detected"; sid:1000003; rev:1;)
}}}

The text up to the first parenthesis is the rule header, and the section enclosed in parentheses contains the rule options. The words before the colons in the rule options section are called option keywords.
'''Eg:'''
To trigger on any tcp flow:
{{{
alert tcp any any -> any any (msg:"Testing Alert"; sid:1000001; rev:1;)
}}}
Where:

'''Rule Header'''
alert – Rule action. Snort will generate an alert when the set condition is met.
tcp – Protocol.
any – Source IP. Snort will look at all sources.
any – Source port. Snort will look at all ports.
-> – Direction, from source to destination. (-> and <> are the valid directions.)
any – Destination IP.
any – Destination port. Snort will look at all ports on the protected network.

'''Rule Options'''
msg:"Testing Alert" – Snort will include this message with the alert.
sid:1000001 – Snort rule ID. Remember that all numbers below 1,000,000 are reserved, which is why we start at 1000001 (you may use any number, as long as it is greater than 1,000,000).
rev:1 – Revision number. This option allows for easier rule maintenance.

- Now try your own rules.
{{{
alert tcp 192.248.x.x any -> $HOME_NET 21 (msg:"FTP connection attempt from LEARN"; sid:1000002; rev:1;)
}}}

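To make the header/options split described above concrete, here is an added example (not code from the original guide or from the Snort project): a small Python linter for the Snort 2 rule syntax. It separates the header (everything before the first parenthesis) from the options (inside the parentheses), then checks the points the guide makes before a rule is pasted into custom.rules: a valid action, protocol and direction, every option terminated with ';', and a local sid above 1,000,000. The rule strings in the test and the function names are this example's own.

```python
"""Added example (not part of the original guide): a parser/linter for the
Snort 2 rule syntax explained above.  Header = text before the first '(',
options = 'keyword:value;' pairs inside the parentheses."""

ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
LOCAL_SID_MIN = 1_000_000  # sids below this are reserved for distributed rule packages


def split_options(body):
    """Split 'msg:"a;b"; sid:1;' into [('msg', '"a;b"'), ('sid', '1')],
    honouring quoted strings so a ';' inside msg is not a separator.
    Also reports whether the last option lacks its terminating ';'."""
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            cur.append(ch)
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    unterminated = bool(tail)  # text after the final ';' means a missing terminator
    if tail:
        opts.append(tail)
    pairs = []
    for o in opts:
        if not o:
            continue
        key, _, val = o.partition(":")  # options without a value (e.g. nocase) get ''
        pairs.append((key.strip(), val.strip()))
    return pairs, unterminated


def parse_rule(rule):
    """Return {'header': {...}, 'options': [...], 'unterminated': bool} or raise ValueError.
    Bracketed address lists containing spaces are not handled by this simple split."""
    rule = rule.strip()
    lp, rp = rule.find("("), rule.rfind(")")
    if lp < 0 or rp < lp:
        raise ValueError("rule options must be enclosed in parentheses")
    fields = rule[:lp].split()
    if len(fields) != 7:
        raise ValueError("header needs: action proto src sport direction dst dport")
    names = ["action", "proto", "src", "sport", "dir", "dst", "dport"]
    header = dict(zip(names, fields))
    options, unterminated = split_options(rule[lp + 1:rp])
    return {"header": header, "options": options, "unterminated": unterminated}


def lint_rule(rule):
    """Return a list of human-readable problems; an empty list means the rule passes."""
    try:
        parsed = parse_rule(rule)
    except ValueError as e:
        return [str(e)]
    problems = []
    h, opts = parsed["header"], dict(parsed["options"])
    if h["action"] not in ACTIONS:
        problems.append(f"unknown action {h['action']!r}")
    if h["proto"] not in PROTOCOLS:
        problems.append(f"unknown protocol {h['proto']!r}")
    if h["dir"] not in DIRECTIONS:
        problems.append(f"direction must be -> or <>, got {h['dir']!r}")
    if parsed["unterminated"]:
        problems.append("last option is not terminated with ';'")
    if "msg" not in opts:
        problems.append("missing msg option")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        problems.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f"sid {sid} is in the reserved range (< {LOCAL_SID_MIN})")
    if "rev" not in opts:
        problems.append("missing rev option")
    return problems


if __name__ == "__main__":
    for r in ['alert tcp any any -> any any (msg:"Testing Alert"; sid:1000001; rev:1;)',
              'alert tcp any any -> any any (msg:"Testing Alert"; sid:10; rev:1)']:
        print(r, "->", lint_rule(r) or "ok")
```

Running `lint_rule` over each line of a custom.rules file before saving catches the two mistakes that most often make a rule silently fail to load: a missing final ';' and a sid that collides with the reserved range.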
=== Snort as an IPS ===

All we have seen so far is the IDS function of Snort. Now let us see how to block potential threats according to the alerts.

- Go back to the Snort Interface settings by clicking the pencil icon in front of your Snort interface.

- Under the WAN settings, tick "Block Offenders" and Save. This will block any IP address that triggers an alert.

- Check blocked addresses:

- Go to "Blocked" in Services > Snort to check the blocked IP addresses. You may also manage any address in the list if needed.

=== IPS settings to block torrents ===

The following is an example of the steps for blocking torrent traffic. If the traffic is encrypted, you may not see good results.

- Go to:

Services > Snort > Snort Interfaces > WAN > WAN Categories

- Deselect all rule categories from the interface.

- Select the categories that include "p2p" and Save.

Make sure Block Offenders is ticked in your interface settings.

- You may check the blocked IP details on the Blocked page. You should also consider blocking all non-essential ports as well.

'''Note:'''
We strongly recommend not putting an IPS in a high-traffic path, as the IPS function will become a bottleneck for the whole network.