11 January 2014, 14:53

SNORT® is probably the most widely used IDS in the world; it is free and open source, and is run by Sourcefire.

Here we'll look at the basic architectures for deploying the SNORT IDS, since it is almost always run alongside companion software.

Although it can run standalone, it is usually combined with other software to improve reliability, usability and performance. We'll look at those combinations here.

1. Presentation of the SNORT NIDS

Here is the basic SNORT NIDS structure:

[Figure: basic SNORT NIDS structure]

SNORT can output alerts to a database, a syslog server, or simply display them in console mode, and of course it can use any combination of the three.
Besides alerts, it can log suspicious packets in raw form (PCAP format) for later, deeper analysis.


2. SNORT / MYSQL / APACHE / BASE

Although the SNORT IDS can output alerts in console mode or send them to a syslog server, a MySQL database is almost always used, to make the data easy to browse and sort.
Likewise, a web GUI is handy for easy access to the MySQL database, as well as for displaying, browsing and analysing the data.

[Figure: SNORT / MySQL / Apache / BASE architecture]

Here, SNORT logs alerts to a MySQL database. With the help of an Apache web server, a web-based GUI (BASE) is used to monitor the SNORT alerts. Although other SNORT GUIs exist (SGUIL, OSSIM, Snorby, ...), BASE is very easy to set up and ideal for newcomers.

This is the simplest SNORT NIDS setup, great for beginners thanks to its easy learning curve, although it has some performance and reliability issues compared to a more robust setup.

We'll just add an update tool: Pulledpork is the official ruleset updater for SNORT:

[Figure: SNORT / MySQL / Apache / BASE with the Pulledpork updater]

We'll see in a following post how to implement this easy setup in practice.



3. SNORT / BARNYARD2 / APACHE / BASE

Here, a spooler is added to the software chain. Barnyard2 is a spooler designed specifically for SNORT:

[Figure: SNORT / Barnyard2 / MySQL / Apache / BASE architecture]

Here SNORT can concentrate on its main duty, sniffing network traffic, and simply logs raw binary data to disk. Barnyard2 gathers this data and handles the task of sending it to the MySQL database. Barnyard2 is quite clever: when it starts, it looks for any data SNORT left behind that may have been missed, and processes it. Likewise, it can detect that the MySQL database is offline and pauses sending data to it; when it sees that the MySQL database is up again, it resumes sending.

Using Barnyard2 adds some complexity to the overall software chain, makes troubleshooting harder, and requires a manual build (there is no apt-get package for Barnyard2 in the Debian repository).
In return, this spooling job, handled by Barnyard2, brings full efficiency, reliability and performance to SNORT.
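To make the spooler's behaviour concrete, here is an added, simplified model of the SNORT / Barnyard2 / MySQL chain; it is not Barnyard2's code. It keeps the three properties described above: the sensor writes records to a spool file on disk, the spooler remembers how far it has committed in a checkpoint file (Barnyard2 calls this the "waldo" file) so a restart picks up anything left behind, and when the database is unreachable it pauses without losing or duplicating records. The record format (one JSON line per alert), the spool file name, the `DummyDatabase` sink and all sample alerts are constructed stand-ins for unified2 and MySQL.

```python
"""Spool-and-forward model of the SNORT -> Barnyard2 -> MySQL chain (added illustration)."""
import json
import tempfile
from pathlib import Path


class DatabaseOffline(Exception):
    """Raised by the sink when the database cannot be reached."""


class DummyDatabase:
    """Constructed stand-in for the MySQL output: stores rows, can be taken offline."""

    def __init__(self):
        self.rows = []
        self.online = True

    def insert(self, record):
        if not self.online:
            raise DatabaseOffline("database unreachable")
        self.rows.append(record)


def write_alert(spool_dir, seq, record):
    """Sensor side: append one alert record (one JSON line) to the spool file."""
    with open(Path(spool_dir) / "snort.u2", "a", encoding="utf-8") as fh:
        fh.write(json.dumps({"seq": seq, **record}) + "\n")


class Spooler:
    """Barnyard2-like reader: checkpoints the byte offset of the last committed record."""

    def __init__(self, spool_dir, db, waldo_name="barnyard2.waldo"):
        self.spool = Path(spool_dir) / "snort.u2"
        self.waldo = Path(spool_dir) / waldo_name
        self.db = db
        # On start-up, resume from the last committed offset (0 on a first run),
        # so records written while the spooler was down are picked up.
        self.offset = int(self.waldo.read_text()) if self.waldo.exists() else 0

    def run_once(self):
        """Forward every record not yet committed; return how many were forwarded.

        Stops without advancing the checkpoint at the first record the database
        refuses, so that record (and everything after it) is retried next time.
        """
        forwarded = 0
        if not self.spool.exists():
            return 0
        with open(self.spool, "rb") as fh:
            fh.seek(self.offset)
            while True:
                line = fh.readline()
                if not line:
                    break
                if not line.endswith(b"\n"):
                    break  # partial record still being written by the sensor
                record = json.loads(line)
                try:
                    self.db.insert(record)
                except DatabaseOffline:
                    break  # pause: checkpoint stays at the last committed record
                self.offset = fh.tell()
                self.waldo.write_text(str(self.offset))
                forwarded += 1
        return forwarded


def demo():
    """Walk through catch-up, database outage, resume and restart; return the counts."""
    with tempfile.TemporaryDirectory() as spool_dir:
        db = DummyDatabase()
        for i in range(3):  # sensor wrote alerts before the spooler was started
            write_alert(spool_dir, i, {"sig": "constructed alert %d" % i})
        spooler = Spooler(spool_dir, db)
        first = spooler.run_once()  # catches up on the 3 records left on disk
        db.online = False  # database goes down; sensor keeps writing
        write_alert(spool_dir, 3, {"sig": "constructed alert 3"})
        write_alert(spool_dir, 4, {"sig": "constructed alert 4"})
        paused = spooler.run_once()  # nothing forwarded, checkpoint untouched
        db.online = True
        resumed = spooler.run_once()  # only the 2 new records are sent
        restarted = Spooler(spool_dir, db).run_once()  # fresh start from waldo: nothing to redo
        return {"first": first, "paused": paused, "resumed": resumed,
                "after_restart": restarted, "rows": len(db.rows),
                "seqs": [r["seq"] for r in db.rows]}


if __name__ == "__main__":
    print(demo())
```

The checkpoint is written only after the database has accepted a record, which is what makes the pause/resume safe: an outage can never advance it, and a restart re-reads from the committed offset rather than from the end of the file.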

Of course, here too the Pulledpork updater is added to the picture, for ruleset updating:

[Figure: SNORT / Barnyard2 / MySQL / Apache / BASE with the Pulledpork updater]

We'll see in a following post how to implement this more robust setup in practice as well.

- SNORT® is a registered trademark of Sourcefire, Inc. -

Published by computer outlines in NIDS