325
edits
Global settings: Difference between revisions
m
→Snort analysis
No edit summary |
Remco.derooy (talk | contribs) m (→Snort analysis) |
||
| Line 50: | Line 50: | ||
The Allegro Network Multimeter is able to perform intrusion detection based on the [https://www.snort.org/ Snort] software project. The detection can be performed on live traffic or ring buffer traffic. This analysis is invoked via the capture dialog on any page and respects the same capture filter expressions as a normal traffic capture. | The Allegro Network Multimeter is able to perform intrusion detection based on the [https://www.snort.org/ Snort] software project. The detection can be performed on live traffic or ring buffer traffic. This analysis is invoked via the capture dialog on any page and respects the same capture filter expressions as a normal traffic capture. | ||
[[File:Snort Analysis Results.png|thumb|Snort Analysis Results]] | [[File:Snort Analysis Results.png|thumb|Snort Analysis Results]] | ||
This feature is disabled by default, to enable it navigate to Global Settings > Snort Analysis and enable it via the toggle switch. Once enabled a new setting will appear to regulate the allowed memory usage by the intrusion detection. The user is able to set a hard maximum limit on the usable memory, and if the Snort process exceeds this limit it will be killed by the OOM-Manager. Additionally, another soft memory limit will be installed just below the hard maximum, and if the process reaches this limit it will be throttled heavily. If your intrusion analysis appears to get stuck or is unusually slow, a good troubleshooting step is to increase the memory limit. It is generally not recommended to keep the memory limit above | This feature is disabled by default, to enable it navigate to Global Settings > Snort Analysis and enable it via the toggle switch. Once enabled a new setting will appear to regulate the allowed memory usage by the intrusion detection. The user is able to set a hard maximum limit on the usable memory, and if the Snort process exceeds this limit it will be killed by the OOM-Manager. Additionally, another soft memory limit will be installed just below the hard maximum, and if the process reaches this limit it will be throttled heavily. If your intrusion analysis appears to get stuck or is unusually slow, a good troubleshooting step is to increase the memory limit. It is generally not recommended to keep the memory limit above 200MB. | ||
When invoking the analysis a new modal will open which displays the results of the analysis. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure: | When invoking the analysis a new modal will open which displays the results of the analysis. The result modal is a list of detected incidents, sorted by order of appearance. An entry in this list has the following structure: | ||
| Line 69: | Line 69: | ||
Additionally, on the right hand side of the modal is another color band that serves as a rough overview over all incidents. The band is static and roughly aligned with the scroll bar to make it easier to navigate to specific severity incidents. | Additionally, on the right hand side of the modal is another color band that serves as a rough overview over all incidents. The band is static and roughly aligned with the scroll bar to make it easier to navigate to specific severity incidents. | ||
Snort works by reading a rule file which contains a list of rules used to match packets against. These rules can match subnet, direction, protocol, payload contents, and more (see the Snort documentation for more information on rules), and are given a classification, message and priority, which are displayed in the analysis results. Internally this feature uses a community rule set which is available for free and receives periodic updates. '''Note:''' The Allegro Network Multimeter does NOT automatically update this rule set. We are deploying the same rule set to all devices independent of the date of installation. Thus the analysis may not be able to detect zero day exploits and should not be relied on when trying to detect recently discovered attack vectors. | Snort works by reading a rule file which contains a list of rules used to match packets against. These rules can match subnet, direction, protocol, payload contents, and more (see the Snort documentation for more information on rules), and are given a classification, message and priority, which are displayed in the analysis results. Internally this feature uses a community rule set which is available for free and receives periodic updates. '''Note:''' The Allegro Network Multimeter (currently) does NOT automatically update this rule set. We are deploying the same rule set to all devices independent of the date of installation. Thus the analysis may not be able to detect zero day exploits and should not be relied on when trying to detect recently discovered attack vectors. | ||
At the moment, only critical and severe incidents are reported (Snort priorities 0 and 1). The classification and message strings are taken directly from the rule that triggered this incidents. | At the moment, only critical and severe incidents are reported (Snort priorities 0 and 1). The classification and message strings are taken directly from the rule that triggered this incidents. | ||