Snort
Beta Feature
This feature is still in active development and is therefore subject to changes in the future. There may be bugs or unexpected behavior when using this feature.
Version 4.3.0 of the Allegro Network Multimeter introduced Snort as a new capture method for network traffic. Similar to the Webshark analysis this capture mode does not produce raw packets, but instead sends them to another tool for further processing. With Snort the user is able to conveniently analyze the traffic in their network for potential attacks or intrusions, both live and retroactively.
Configuration
For Snort to function properly it needs to be configured. The multimeter comes pre-equipped with the community ruleset to provide a basic set of rules covering the most well-known and common attacks in a network. Note that Allegro Packets currently provides no updates for this ruleset; instead the user is expected to keep their ruleset up to date themselves.
All configurations of the Snort analysis are done via the Global Settings, under Generic Settings > Snort analysis.
Configuring memory
Snort needs a certain amount of memory to be able to perform the intrusion detection and threat analysis. The more memory Snort is configured to use, the less memory will be available for the in-memory databases of the multimeter. Snort may use at most half of the system's memory, but generally the software is able to run with less than one gigabyte of memory. The default setting allocates 256MB for the Snort analysis, and we generally do not recommend going too far below this value, as too little memory can cause Snort to hang or crash during analysis. If you experience such issues, try raising the memory threshold.
Below the slider for maximum memory, a value for "Usable memory" is displayed. This value is a soft memory limit for Snort: when Snort reaches it, it is throttled. The usable memory is 5MB below the maximum. If Snort reaches the true maximum memory threshold, it is immediately killed by the OOM manager.
Changing this setting requires a processing restart in order to allocate the configured memory.
Configuring Snort
Config/Lua
Snort can be configured via Lua scripts which are executed in a sandboxed environment at startup. The multimeter is delivered with the default configuration files of Snort, with the exception that some of the variables have been moved to a new config.lua file. This file is included before everything else.
In order to edit this configuration the multimeter provides a web-based interface to either change the config.lua via a GUI, or to edit any configuration file directly. To start editing the configuration, click the "Edit config" button.
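As an illustration of the kind of variables such a config.lua can carry, here is an added example in Snort 3 Lua syntax; it is not the file shipped on the multimeter, and the variable names (HOME_NET, EXTERNAL_NET, HTTP_PORTS) and the network ranges are assumptions taken from the standard Snort 3 configuration, not from this page.

```lua
-- Example config.lua (added here; not the multimeter's own file).
-- Because this file is included before the rest of the Snort
-- configuration, variables defined here are visible to the later
-- files that build the default rule variables from them.

-- Scope HOME_NET to the monitored networks instead of 'any', so that
-- direction-sensitive rules ($HOME_NET -> $EXTERNAL_NET) fire only
-- for traffic that actually crosses the network boundary.
-- The ranges below are constructed sample values.
HOME_NET = '[10.0.0.0/8,192.168.0.0/16]'

-- Everything that is not HOME_NET is treated as external.
EXTERNAL_NET = '!$HOME_NET'

-- Ports on which web traffic is expected; rules that use $HTTP_PORTS
-- inspect only these instead of every port.
HTTP_PORTS = '[80,443,8080,8443]'

-- Lua is a full language, so a sanity check can live in the config
-- itself: abort startup loudly if HOME_NET was left unset rather than
-- silently falling back to matching all traffic.
assert(HOME_NET ~= nil and HOME_NET ~= '',
       'config.lua: HOME_NET must be set to the monitored networks')
```

Changes to this file take effect only after Snort is restarted, which the web interface triggers when the configuration is saved.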