Global settings: Difference between revisions



=== Snort analysis ===
{{Warning|title=Beta Feature|This feature is still in active development and is therefore subject to changes in the future. There may be bugs or unexpected behavior when using this feature.}}
The Allegro Network Multimeter is able to perform intrusion detection based on the [https://www.snort.org/ Snort] software project. The detection can be performed on live traffic or on ring buffer traffic. The analysis is invoked via the capture dialog on any page and respects the same capture filter expressions as a normal traffic capture.
[[File:Snort Settings.png|thumb|Snort section in the global settings]]
[[File:Snort Analysis Results.png|thumb|Snort Analysis Results]]
This feature is disabled by default. To enable it, navigate to Global Settings > Snort Analysis and turn on the toggle switch. Once enabled, additional settings appear that regulate the memory the intrusion detection may use as well as the rules and configs used by Snort. The user can set a hard maximum limit on usable memory; if the Snort process exceeds this limit, it is killed by the OOM manager. Additionally, a soft memory limit is installed just below the hard maximum; if the process reaches this limit, it is throttled heavily. If the intrusion analysis appears to get stuck or is unusually slow, a good troubleshooting step is to increase the memory limit. It is generally not recommended to keep the memory limit below 200 MB.


A more detailed guide on how to use the rule and config editors can be found [[Snort|here]].  
When the analysis is invoked, a new modal opens which displays the results. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure:
{| class="wikitable"
!Severity
!Time
!Classification
!Message
!Connection
|-
|Denoted by the color on the left-hand side of the row.
|The packet timestamp of the offending packet.
|A normalized name for the type of incident that occurred.
|A more detailed description of the incident.
|A diagram of the connection in which the incident occurred. The IPs can be clicked to go to the IP detail page, and on the right there is an "external link" icon that opens the connection details page in a new tab.
|}
Additionally, on the right-hand side of the modal is another color band that serves as a rough overview of all incidents. The band is static and roughly aligned with the scroll bar, which makes it easier to navigate to incidents of a specific severity.
Snort works by reading a rule file containing a list of rules against which packets are matched. These rules can match on subnet, direction, protocol, payload contents, and more (see the Snort documentation for more information on rules), and each rule is given a classification, message and priority, which are displayed in the analysis results. Internally this feature uses a community rule set which is available for free and receives periodic updates. '''Note:''' The Allegro Network Multimeter (currently) does NOT automatically update this rule set. We deploy the same rule set to all devices independent of the date of installation. Thus the analysis may not be able to detect zero-day exploits and should not be relied on when trying to detect recently discovered attack vectors.
At the moment, only critical and severe incidents are reported (Snort priorities 0 and 1). The classification and message strings are taken directly from the rule that triggered the incident.
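To check which rules of a rule set would actually surface in the results modal, the following added example (not part of the Allegro firmware or of the Snort project) parses constructed rules together with a constructed excerpt in the classification.config format, resolves each rule's effective priority (an explicit <code>priority</code> keyword overrides the classtype default) and keeps only priorities 0 and 1, mirroring the reporting threshold described above. The rules, sids and classification lines are sample values constructed for this example.

```python
import re

# Constructed sample in Snort's classification.config format:
# "config classification: <classtype>,<description>,<default priority>".
CLASSIFICATION_CONFIG = """
config classification: attempted-admin,Attempted Administrator Privilege Gain,1
config classification: attempted-recon,Attempted Information Leak,2
config classification: misc-activity,Misc activity,3
"""

# Constructed rules in the local sid range, not taken from any real rule set.
RULES = """
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED admin attempt; note the semicolon"; classtype:attempted-admin; sid:1000001; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"CONSTRUCTED ping sweep"; classtype:attempted-recon; sid:1000002; rev:1;)
alert udp any any -> any 53 (msg:"CONSTRUCTED dns oddity, priority raised by keyword"; classtype:misc-activity; priority:0; sid:1000003; rev:1;)
"""

# Options are "key:value;" pairs; a quoted value may itself contain
# semicolons, so the quoted alternative is tried before the bare one.
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')
CLASS_RE = re.compile(r"^config classification:\s*([^,]+),[^,]*,(\d+)\s*$", re.M)

def parse_classifications(text: str) -> dict:
    """Map each classtype to the default priority given in classification.config."""
    return {m.group(1).strip(): int(m.group(2)) for m in CLASS_RE.finditer(text)}

def parse_rule(line: str, class_prio: dict) -> dict:
    """Extract header fields plus msg, classtype and the effective priority."""
    header, _, body = line.partition("(")
    _action, proto, src, sport, direction, dst, dport = header.split()
    opts = {k: v.strip().strip('"') for k, v in OPTION_RE.findall(body)}
    classtype = opts.get("classtype", "")
    # An explicit priority keyword overrides the classtype default; an unknown
    # classtype falls back to 3 (lowest) here, an assumption of this example.
    priority = int(opts["priority"]) if "priority" in opts else class_prio.get(classtype, 3)
    return {"proto": proto, "connection": f"{src}:{sport} {direction} {dst}:{dport}",
            "msg": opts.get("msg", ""), "classtype": classtype, "priority": priority}

def reported_rules(rules_text: str, class_text: str, max_priority: int = 1) -> list:
    """Rules whose hits the multimeter would display: Snort priority 0 or 1."""
    class_prio = parse_classifications(class_text)
    rules = [parse_rule(ln, class_prio) for ln in rules_text.splitlines()
             if ln.strip() and not ln.lstrip().startswith("#")]
    return [r for r in rules if r["priority"] <= max_priority]

if __name__ == "__main__":
    # Print the columns the results modal shows: classification, message, connection.
    for r in reported_rules(RULES, CLASSIFICATION_CONFIG):
        print(f"prio {r['priority']} | {r['classtype']} | {r['msg']} | {r['connection']}")
```

The ping-sweep rule is dropped because its classtype resolves to priority 2, while the misc-activity rule is kept because its explicit <code>priority:0</code> overrides the classtype default of 3.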


=== Detail of traffic analysis ===