Template:IDS Policy Manager Setup

From ImageStream Router Documentation

Revision as of 15:25, 22 May 2009

Installation

  • Download and install the IDS Policy Manager software from www.activeworx.org/programs/idspm

Configure Settings

  • Select Options => Settings from the menu.
  • Enter your Oink Code
You must create an account with snort.org to obtain an Oink Code: https://www.snort.org/reg-bin/userprefs.cgi. The Oink Code authenticates rule downloads for your snort.org account, so treat it as a credential rather than a public setting.
  • Initialize Update Locations and select Snort v2.8 checkbox.

(Screenshot: IDSPM Initial UL.JPG)

Add a new policy

  • Double-click on Snort Policies in the left-hand tree view.
  • Right-click on Snort Policies and select Add Policy.
  • Enter a name for the policy.
  • Select Snort Version Snort 2.8
  • Make sure the Initialize Policy checkbox is checked.
  • Click OK

(Screenshot: IDSPM add policy.JPG)

Edit the new policy

ImageStream Variables (Screenshot: IDSPM variables.JPG)
  • Click on the new policy to expand the tree view.
  • Click on Variables
  • Right-click on the right-hand pane with the list of variables and select Add Item
  • Enter SGUIL_HOST for the Name and the Sguil server's Name or IP for the Value.
  • Right-click the new SGUIL_HOST variable and select Enable Item
  • Other Snort/Snort ImageStream Variables
Output Modules (Screenshot: IDSPM output sguil.JPG)
Enable unified logging to barnyard/sguil
  • Double-click on the log_unified line
  • Click the Enabled checkbox
  • Filename: Enter /dev/null
Force alert logging to /dev/null
  • Right-click on the log_unified line and select Add Item
  • Output Module: Select Alert Full
  • Click the Enabled checkbox
  • Filename: Enter /dev/null

Add a new sensor

  • Double-click on Snort Sensors in the left-hand tree view.
  • Right-click on Snort Sensors and select Add Sensor.
  • Name: Enter the router's name.
  • Description: Enter a description for the router.
Sensor Settings Tab (Screenshot: IDSPM sensor settings.JPG)
  • Sensor Host: Enter the router's hostname or IP address.
  • Policy: Select the policy you created earlier from the dropdown.
  • Snort Version: Select 2.8.
Upload Settings Tab (Screenshot: IDSPM sensor upload settings.JPG)
  • Upload Protocol: Select SFTP from the dropdown. Leave the default SSH port (22). Enable Use Compression.
  • Upload Directory: Enter /data/snort/etc
  • Configuration File: Leave default snort.conf
  • Test Connectivity Command: Leave default uname -a;id
Authentication Tab (Screenshot: IDSPM auth settings.JPG)
  • Username: Enter root
  • Authentication Mode: Leave default Password from the dropdown.
  • Password Settings: Enter and confirm the router's root password. IDSPM keeps this password and reuses it for every later upload and restart over SSH, so the workstation running IDSPM needs the same protection as the router itself.
Restart Settings Tab (Screenshot: IDSPM sensor restart settings.JPG)
  • Restart after Upload: Enable
  • Restart method: Select Script via SSH from the dropdown.
  • Restart script: Enter Restart snort
  • Run Test Snort Before Restart: If the router has 512 MB of RAM or more, you may enable this option.
  • Test Command: If Run Test Snort Before Restart is enabled, enter Checkconf snort
  • Test Fails if Output Contains: Enter Failure
Variables Tab (Screenshot: IDSPM variable settings.JPG)
  • Add SNORT_IFACE and set it to a space-delimited list of interfaces to monitor. WARNING: Snort requires about 200 MB of memory per interface monitored, so check the router's RAM against the number of interfaces before enabling them all.

Update Rules

  • Click on Snort Sensors in the left-hand tree view.
  • Click on the Update Policies icon above the left-hand menu.
  • Click the Start button to download rules files from snort.org.

Update Sensors

  • Click on Snort Sensors in the left-hand tree view.
  • Click on the Upload Policies to Sensors icon above the left-hand menu.
  • Enable the Update checkbox.
  • Click the Start button to upload rules and configuration files to the router.
  • Click the View Log button and confirm that the restart log ends with a "success (process id ...)" line, which shows Snort was restarted properly. An example log:
Done Uploading to Sensor Scott home.

Restart Log
-----------

Restarting Sensor Scott home.
Pid file /var/run/snort_eth0.pid is stale! Removing...

Snort service is not running

Starting the Snort service...
  Mounting add-on program partition read-write... 
 done.

  Mounting add-on program partition read-only... 
 done.

success (process id 3939)
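The steps above are all performed through the IDSPM GUI, so it is easy to lose track of what actually reaches the router and what "success" means. The following added example (not IDSPM, Snort or ImageStream code) models that offline in Python: it renders the variables and output modules from the "Edit the new policy" and "Variables Tab" steps in snort.conf syntax, applies the page's 200 MB per interface and 512 MB rules, applies the "Test Fails if Output Contains: Failure" rule, and parses the restart log shown above to pull out the new process id and any stale pid-file notices. Which lines IDSPM itself writes into snort.conf is an assumption; the Sguil host and interface names are placeholders.

```python
"""Offline model of the policy fragment that IDS Policy Manager (IDSPM) pushes to
an ImageStream router and of the two checks the page relies on afterwards
(the 'Test Fails if Output Contains' rule and the restart log).  Added example,
not IDSPM or ImageStream code; which snort.conf lines IDSPM itself emits is an
assumption, only the 'var' / 'output' syntax is Snort 2.8's own."""
import re

# Constructed sample input: the values a user would type into the GUI.
# The Sguil host and interface names are placeholders, not real systems.
POLICY_VARIABLES = {"SGUIL_HOST": "192.0.2.10"}       # Edit the new policy
SENSOR_VARIABLES = {"SNORT_IFACE": "eth0 eth1"}        # Sensor -> Variables Tab
OUTPUT_MODULES = [                                      # Edit the new policy
    {"module": "log_unified", "enabled": True, "filename": "/dev/null"},
    {"module": "alert_full", "enabled": True, "filename": "/dev/null"},
]
MB_PER_INTERFACE = 200           # the page's rule of thumb
MIN_RAM_FOR_TEST_SNORT_MB = 512  # the page's threshold for 'Run Test Snort'


def render_conf_fragment(variables, outputs):
    """Render 'var' and 'output' lines in snort.conf syntax for the enabled items."""
    lines = [f"var {name} {value}" for name, value in variables.items()]
    for out in outputs:
        if not out["enabled"]:
            continue
        if out["module"] == "log_unified":
            lines.append(f"output log_unified: filename {out['filename']}")
        elif out["module"] == "alert_full":
            lines.append(f"output alert_full: {out['filename']}")
        else:
            raise ValueError(f"unsupported output module {out['module']!r}")
    return "\n".join(lines) + "\n"


def sizing(sensor_variables, router_ram_mb):
    """Apply the page's memory guidance to the SNORT_IFACE list."""
    ifaces = sensor_variables["SNORT_IFACE"].split()
    needed = MB_PER_INTERFACE * len(ifaces)
    return {
        "interfaces": ifaces,
        "needed_mb": needed,
        "fits": needed <= router_ram_mb,
        "test_snort_allowed": router_ram_mb >= MIN_RAM_FOR_TEST_SNORT_MB,
    }


def checkconf_failed(output, marker="Failure"):
    """IDSPM's 'Test Fails if Output Contains' rule, as configured on the page."""
    return marker in output


# A copy of the restart log shown on this page, used here as sample input.
SAMPLE_RESTART_LOG = """\
Restarting Sensor Scott home.
Pid file /var/run/snort_eth0.pid is stale! Removing...

Snort service is not running

Starting the Snort service...
  Mounting add-on program partition read-write...
 done.

  Mounting add-on program partition read-only...
 done.

success (process id 3939)
"""


def parse_restart_log(log_text):
    """Extract what 'View Log' should show: the new PID and any stale pid files."""
    match = re.search(r"success \(process id (\d+)\)", log_text)
    stale = re.findall(r"Pid file (\S+) is stale", log_text)
    return {
        "started": match is not None,
        "pid": int(match.group(1)) if match else None,
        "stale_pid_files": stale,
    }


def upload_outcome(checkconf_output, restart_log, ran_test=True):
    """Decide whether an Update Sensors run should be treated as successful."""
    if ran_test and checkconf_failed(checkconf_output):
        return "config test failed; snort not restarted"
    result = parse_restart_log(restart_log)
    if not result["started"]:
        return "restart did not report success"
    return f"snort running as pid {result['pid']}"


if __name__ == "__main__":
    print(render_conf_fragment(POLICY_VARIABLES, OUTPUT_MODULES))
    print(sizing(SENSOR_VARIABLES, 512))
    print(upload_outcome("snort.conf OK", SAMPLE_RESTART_LOG))
```

The "Failure" substring match is exactly as coarse as the IDSPM setting it mirrors: any Checkconf output containing that word aborts the restart, and output that reports a problem in other words does not. The restart-log parser is the check worth keeping, since a log that lacks the "success (process id N)" line means the router is no longer running the sensor even though the upload itself completed.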