Remco.derooy (talk | contribs) m (→Snort analysis)
Line 50: | Line 50: | ||
The Allegro Network Multimeter is able to perform intrusion detection based on the [https://www.snort.org/ Snort] software project. The detection can be performed on live traffic or ring buffer traffic. This analysis is invoked via the capture dialog on any page and respects the same capture filter expressions as a normal traffic capture. | The Allegro Network Multimeter is able to perform intrusion detection based on the [https://www.snort.org/ Snort] software project. The detection can be performed on live traffic or ring buffer traffic. This analysis is invoked via the capture dialog on any page and respects the same capture filter expressions as a normal traffic capture. | ||
[[File:Snort Analysis Results.png|thumb|Snort Analysis Results]] | [[File:Snort Analysis Results.png|thumb|Snort Analysis Results]] | ||
This feature is disabled by default, to enable it navigate to Global Settings > Snort Analysis and enable it via the toggle switch. Once enabled a new setting will appear to regulate the allowed memory usage by the intrusion detection. The user is able to set a hard maximum limit on the usable memory, and if the Snort process exceeds this limit it will be killed by the OOM-Manager. Additionally, another soft memory limit will be installed just below the hard maximum, and if the process reaches this limit it will be throttled heavily. If your intrusion analysis appears to get stuck or is unusually slow, a good troubleshooting step is to increase the memory limit. It is generally not recommended to keep the memory limit | This feature is disabled by default, to enable it navigate to Global Settings > Snort Analysis and enable it via the toggle switch. Once enabled a new setting will appear to regulate the allowed memory usage by the intrusion detection. The user is able to set a hard maximum limit on the usable memory, and if the Snort process exceeds this limit it will be killed by the OOM-Manager. Additionally, another soft memory limit will be installed just below the hard maximum, and if the process reaches this limit it will be throttled heavily. If your intrusion analysis appears to get stuck or is unusually slow, a good troubleshooting step is to increase the memory limit. It is generally not recommended to keep the memory limit below 200MB. | ||
When invoking the analysis a new modal will open which displays the results of the analysis. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure: | When invoking the analysis a new modal will open which displays the results of the analysis. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure: |
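Review bot: the added clause "below 200MB." in the memory-limit paragraph completes a sentence that previously ended mid-thought, which is the right fix, but the figure would be more useful if it were tied to the behaviour described two sentences earlier: because the soft throttling limit is installed just below the hard maximum, a hard limit near 200MB leaves very little headroom before the Snort process is throttled, and a throttled analysis is exactly the "stuck or unusually slow" symptom the troubleshooting sentence then tells the reader to fix by raising the limit. Suggest adding one sentence making that link explicit. Two smaller points in the same paragraph: the opening sentence is a comma splice and could read "This feature is disabled by default. To enable it, navigate to Global Settings > Snort Analysis and enable it via the toggle switch.", and the unit is better written with a space ("200 MB").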