
Recently, I have seen lots of security audit sites and articles advocate that everyone should be running an Intrusion Detection System (IDS) on their networks. I decided to take a look at Snort and see what the state of IDS under Linux is now.

The last time I looked at IDS systems, I found them to need vast amounts of care and feeding and expert analysis, making them a very bad idea for many networks. Many smaller networks or companies wouldn't keep the signatures up to date, and wouldn't have the time or expertise to know what the results meant or what actions they should take in response. I also found that the amount of “noise” made examining the IDS logs tedious and error-prone even for experts.

Several years ago, I had set up Snort and ACID (a Snort web front end) on my firewall machine. Running it listening on the external interfaces of my firewall soon generated far too much information to be useful, so I changed it to listen only on my internal network. This proved to be more manageable, but there were still tons of false positives. For instance, I am subscribed to the Bugtraq mailing list for discussing security vulnerabilities. Snort would constantly alert on text that appeared in those mailing list emails, i.e., a mail would contain an example of a vulnerability and Snort would tag it as an instance of that vulnerability. Snort would also log things like HTTP 404 errors and accesses to robots.txt files.

That was all several years ago, so I decided to try setting things up again and see what the state of things is now. Snort downloaded, built and installed just fine on my Fedora Core 3 based firewall. I then configured it to listen on ALL interfaces. This gave my Fedora Core 3 kernel's OOM (out of memory) killer a workout. My firewall is an older machine with only 128MB of memory, which is apparently not sufficient to run Snort on 5 interfaces. I pared down the configuration until Snort was only running on my external DSL and cable modem interfaces. That allowed it to run properly.

The good side of things:

  • Port scans are listed separately, so you can ignore them. My DSL connection gets about 150 port scan hits a day.
  • Everything else is tagged with a “Priority:”, which lets you filter out things that are not as important. Things like active exploit attempts are “Priority: 1”; DNS zone transfers, web 404s, etc. are “Priority: 2”; and denied ICMP packets are “Priority: 3”.
  • Updating signatures is pretty easy with the Oinkmaster package.

On the bad side:

  • It's still hard to map signatures to the vulnerability they are talking about. I got a few priority 1 alerts that were POP3 HELO overflow attempts. It would be very nice if the alert listed the CVE or something else that would indicate which POP3 server is vulnerable, what the attack was, or what to do about it.
  • Memory usage is very high, especially for the smaller firewall systems where it would normally run.
  • The Priority 2 and Priority 3 messages are still very frequent, but at least they can be filtered out now.

So, I think at this point it would be possible to set up a Snort and Oinkmaster install at a client site, filter on Priority: 1 items, and have it be somewhat useful. It might also be somewhat useful to have such a setup listen only on internal networks and alert on Priority: 1 and Priority: 2 items, although this might generate too many false positives.
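As an added illustration of the filtering described above (this is not code from the original post, nor part of Snort), here is a small Python triage script that reads lines in Snort's "alert_fast" output format, sets port scan alerts aside, and keeps only alerts at or above a chosen priority. The sample alert lines, SIDs in the local-rule range, and message texts are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format (not captured from a real sensor).
# The "(portscan)" line mimics the sfportscan preprocessor, which reports under gid 122.
SAMPLE_ALERTS = """\
03/14-10:21:05.123456  [**] [1:1000001:1] WEB-MISC robots.txt access (constructed) [**] [Classification: access to a potentially vulnerable web application] [Priority: 2] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
03/14-10:22:41.654321  [**] [1:1000002:1] POP3 HELO overflow attempt (constructed) [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.7:40210 -> 192.0.2.10:110
03/14-10:23:02.000001  [**] [1:1000003:1] ICMP Destination Unreachable (constructed) [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.9 -> 192.0.2.10
03/14-10:25:17.111111  [**] [122:1:0] (portscan) TCP Portscan [**] [Priority: 3] {PROTO:255} 203.0.113.77 -> 192.0.2.10
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, {protocol}, then "src -> dst" (ports are absent for ICMP/portscan lines).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]"
    r"\s+\{(?P<proto>[^}]+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["prio"] = int(alert["prio"])
    alert["portscan"] = "(portscan)" in alert["msg"]
    return alert

def triage(lines, max_priority=1):
    """Split alerts into (kept, portscans, dropped_by_priority).

    Lower priority numbers are more severe, so max_priority=1 keeps only Priority: 1.
    Port scans are set aside regardless of priority, as the post suggests ignoring them.
    """
    kept, portscans, dropped = [], [], Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if alert["portscan"]:
            portscans.append(alert)
        elif alert["prio"] <= max_priority:
            kept.append(alert)
        else:
            dropped[alert["prio"]] += 1
    return kept, portscans, dropped

if __name__ == "__main__":
    kept, scans, dropped = triage(SAMPLE_ALERTS.splitlines())
    for a in kept:
        print(f"P{a['prio']} {a['msg']}: {a['src']} -> {a['dst']}")
    print(f"{len(scans)} port scan(s) set aside; dropped by priority: {dict(dropped)}")
```

Pointing the script at Snort's real alert file instead of SAMPLE_ALERTS is a matter of reading the file line by line into triage().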
