Snort: Difference between revisions

All files in this view are loaded by Snort, so no additional action needs to be taken to add a new file to the ruleset.
== Usage ==
[[File:Snort Analysis Results.png|thumb|Snort Analysis Results]]
A Snort analysis is triggered from the capture dialog. If the feature has been enabled, the button that starts the analysis is located in the bottom right-hand corner of the modal. If there is no button named "Snort analysis", check in the global settings whether the feature is enabled.
When the analysis is invoked, a new modal opens and displays the results. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure:
{| class="wikitable"
|+Snort results table structure
!Severity
! Time
!Classification
!Message
!Connection
|-
|This is denoted by the color on the left hand side of the row.
| The packet timestamp of the offending packet.
|A normalized name for the type of incident that occurred.
| A more detailed description of the incident.
| A diagram of the connection in which the incident occurred. The IPs can be clicked to go to the IP detail page, and on the right there is an "external link" icon that opens the connection details page in a new tab.
|}
Additionally, on the right-hand side of the modal is another color band that serves as a rough overview of all incidents. The band is static and roughly aligned with the scroll bar, which makes it easier to navigate to incidents of a specific severity.
Snort works by reading a rule file that contains a list of rules which packets are matched against. These rules can match subnet, direction, protocol, payload contents, and more (see the Snort documentation for more information on rules), and each rule is given a classification, message and priority, which are displayed in the analysis results. Internally this feature uses a community rule set which is available for free and receives periodic updates. '''Note:''' The Allegro Network Multimeter (currently) does NOT automatically update this rule set. We are deploying the same rule set to all devices independent of the date of installation. Thus the analysis may not be able to detect zero-day exploits and should not be relied on when trying to detect recently discovered attack vectors.
At the moment, only critical and severe incidents are reported (Snort priorities 0 and 1). The classification and message strings are taken directly from the rule that triggered the incident.
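The following Python script is an added example, not code from the Allegro Network Multimeter or from the Snort project. It shows where the classification, message and priority displayed in the results table come from: it parses a Snort rule (header plus options), parses alert lines in Snort's "alert_fast" output format, keeps only priorities 0 and 1 using the critical/severe mapping described above, and sorts the survivors by timestamp into rows with the same columns as the results table. The rule, the alert lines and all addresses are constructed sample data; the priority-to-severity mapping is an assumption based on this page, and the helper names are hypothetical.

```python
import re

# Constructed sample rule (sid in the local-rule range >= 1000000); not taken from any ruleset.
SAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 '
    '(msg:"EXAMPLE SSH brute force attempt"; flow:to_server; content:"SSH-"; '
    'classtype:attempted-admin; priority:1; sid:1000001; rev:1;)'
)

# Constructed alert lines in Snort's alert_fast format (documentation addresses, made-up sids).
SAMPLE_ALERTS = [
    "01/15-10:23:45.123456  [**] [1:1000001:1] EXAMPLE SSH brute force attempt [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "203.0.113.5:51234 -> 192.0.2.10:22",
    "01/15-10:23:46.000010  [**] [1:1000002:1] EXAMPLE noisy scan [**] "
    "[Classification: Misc activity] [Priority: 3] {UDP} 203.0.113.5:40000 -> 192.0.2.10:53",
    "01/15-10:23:44.500000  [**] [1:1000003:1] EXAMPLE suspicious binary download [**] "
    "[Classification: Executable code was detected] [Priority: 0] {TCP} "
    "203.0.113.9:4444 -> 192.0.2.20:8080",
]

# Rule header: action proto src src_port direction dst dst_port (options)
RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<src_port>\S+)\s+"
    r"(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$"
)
# One option: key, optional ":value" (quoted values may contain ';'), terminated by ';'
RULE_OPTION = re.compile(r'(\w+)(?:\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')
MULTI_OPTIONS = {"content", "pcre", "reference"}  # options that may legitimately repeat


def parse_rule(rule):
    """Split a Snort rule into its header fields and an options dict."""
    m = RULE_HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    parsed = {k: m.group(k) for k in ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")}
    options = {}
    for key, value in RULE_OPTION.findall(m.group("options")):
        value = value.strip()
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        if key in MULTI_OPTIONS:
            options.setdefault(key, []).append(value)
        else:
            options[key] = value
    parsed["options"] = options
    return parsed


# alert_fast line: timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src -> dst
FAST_ALERT = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s*$"
)


def parse_fast_alert(line):
    """Parse one alert_fast line; returns None for lines that do not match."""
    m = FAST_ALERT.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["priority"] = int(d.pop("prio"))
    d["classification"] = d.pop("cls") or ""
    return d


# Assumed mapping taken from this page: only priorities 0 and 1 are reported.
SEVERITY_BY_PRIORITY = {0: "critical", 1: "severe"}


def severity(priority):
    """Severity label for a Snort priority, or None if the incident is not reported."""
    return SEVERITY_BY_PRIORITY.get(priority)


def build_results(lines):
    """Filter alert lines to reported severities and lay them out like the results table."""
    rows = []
    for line in lines:
        alert = parse_fast_alert(line)
        if alert is None or severity(alert["priority"]) is None:
            continue
        rows.append({
            "severity": severity(alert["priority"]),
            "time": alert["ts"],
            "classification": alert["classification"],
            "message": alert["msg"],
            "connection": "%s -> %s" % (alert["src"], alert["dst"]),
        })
    # alert_fast timestamps carry no year, so within one year lexical order is chronological
    rows.sort(key=lambda r: r["time"])
    return rows


if __name__ == "__main__":
    print(parse_rule(SAMPLE_RULE)["options"])
    for row in build_results(SAMPLE_ALERTS):
        print(row)
```

Running the script drops the priority-3 scan alert and prints the remaining two rows with the critical (priority 0) incident first, which is the order the results modal shows them in. If your deployment uses a different alert output format, only `FAST_ALERT` and `parse_fast_alert` need to change; the rule parser and the severity filter stay the same.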