Recently, I have seen lots of security audit sites and articles advocate that everyone should be running an Intrusion Detection System (IDS) on their networks. I decided to take a look at Snort and see what the state of IDS under Linux is now.
The last time I looked at IDS systems, I found them to need vast amounts of care and feeding and expert analysis, making them a very bad idea for many networks. Lots of smaller networks or companies wouldn't keep the signatures up to date, wouldn't have the time or expertise to know what the results meant or what actions they would have you take. Also, I found the amount of “noise” to make examining the IDS logs tedious and error prone for even experts.
Several years ago, I had set up Snort and ACID (a Snort web front end) on my firewall machine. Running it listening to the external interfaces on my firewall soon generated far too much information to be useful, so I changed it to listen only on my internal network. This proved to be more manageable, but there were still tons of false-positive results. For instance, I am subscribed to the Bugtraq mailing list for discussing security vulnerabilities. Snort would constantly alert on text that appeared in those mailing list emails, i.e., a mail would have an example of a vulnerability and Snort would tag it as an instance of that vulnerability. Also, Snort would log things like HTTP 404 errors and accesses to robots.txt files.
That was all several years ago, so I decided to try setting things up again and see what the state of things is now. Snort downloaded, built and installed just fine on my Fedora Core 3 based firewall. I then configured it to listen on ALL interfaces. This gave my Fedora Core 3 kernel's OOM (out of memory) checker a workout. My firewall is an older machine with only 128MB of memory. This is apparently not sufficient to run Snort on 5 interfaces. I pared down the configuration until Snort was only running on my external DSL and cable modem interfaces. That allowed it to run properly.
The good side of things:
On the bad side:
So, I think at this point it would be possible to set up a Snort and Oinkmaster install at a client site and filter on Priority: 1 items and have it be somewhat useful. It might also be somewhat useful to have such a setup only listen on internal networks and alert on Priority: 1 and Priority: 2 items, although this might generate too many false positives.
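As an added illustration of the priority filtering suggested above (example code, not from the original post), this script parses Snort fast-format alert lines (the `-A fast` output), keeps only the Priority: 1 items, and tallies which signatures fire most often so that noisy rules such as the robots.txt and 404-style alerts mentioned earlier can be identified for tuning. The alert lines, signature IDs and addresses are constructed samples, not a real capture.

```python
import re
from collections import Counter

# Constructed sample lines in Snort "fast" alert format (snort -A fast).
# Signature names/SIDs and addresses are illustrative, not from a real capture.
SAMPLE_ALERTS = """\
01/28-22:26:04.877970  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.0.66:1900 -> 239.255.255.250:1900
01/28-22:30:11.120045  [**] [1:1201:7] ATTACK-RESPONSES 403 Forbidden [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.0.5:80 -> 192.168.0.12:51234
01/28-22:31:45.003211  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 198.51.100.20:41022 -> 192.168.0.5:80
01/28-22:33:09.410010  [**] [1:1852:3] WEB-MISC robots.txt access [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 198.51.100.21:55801 -> 192.168.0.5:80
01/28-22:40:19.991000  [**] [1:648:7] SHELLCODE x86 NOOP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 203.0.113.7:80 -> 192.168.0.12:3456
"""

# One regex for the whole fast-format line; named groups keep the fields readable.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alerts(text):
    """Parse fast-format alert lines into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["prio"] = int(d["prio"])
            alerts.append(d)
    return alerts

def filter_by_priority(alerts, max_priority=1):
    """Keep alerts at or above the given urgency (Priority 1 is the most severe)."""
    return [a for a in alerts if a["prio"] <= max_priority]

def noisiest_signatures(alerts, n=3):
    """Count alerts per signature so repetitive low-value rules can be tuned or suppressed."""
    return Counter((a["gid"], a["sid"], a["msg"]) for a in alerts).most_common(n)

if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for a in filter_by_priority(parsed, 1):
        print(f"{a['ts']} P{a['prio']} {a['msg']} {a['src']} -> {a['dst']}")
    for (gid, sid, msg), count in noisiest_signatures(parsed):
        print(f"{count:3d}x [{gid}:{sid}] {msg}")
```

Point the script at a real alert file (the default is `/var/log/snort/alert` on many installs) instead of the embedded sample to see which rules dominate your own noise.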