Sending Email Alerts with Snort
Kiwi Syslog and Snort

Ever been looking through your firewall logs and thought, why am I looking at this after the fact? I want to be alerted when something goes wrong. I also started thinking about companies that have virtually impenetrable firewalls from the outside but do little to control outgoing traffic. Intrusion detection is too often treated as the realm of external security, but it can be very effective at alerting you when your outbound security policy is broken.

I have set up Snort (www.snort.org) as a simple network intrusion detection system (IDS). It allowed the company I worked for to monitor outgoing traffic and get an email whenever something tripped an alert. For a small to medium business, Snort is extremely versatile; it is open source and free. It runs on Linux or Windows (this article looks at the Windows version) and installs in minutes. The sensor can only judge traffic it can see, so its capture interface belongs on a mirrored (SPAN) port or some other point that all outbound traffic passes through.

If you run the setup on Windows, make sure you download WinPcap. WinPcap is essential to Snort: it lets applications capture and transmit raw traffic on a network, and it lets Snort put the network card into promiscuous mode so that it sees every packet on the wire, not just those addressed to it. Once everything is installed you are ready to start configuring. The one decision the installer asks for is what type of database, if any, to send the data to. MySQL and Oracle support are there right in the installer; for anything else, search the Snort site for instructions. If you just want to send the alerts to a text-based log file you can do that as well.

This is where the task gets daunting for many, especially if you are not comfortable editing text-based .conf files and working at the command line. Snort has no GUI of its own, and many people are left with a "what now?" attitude. Never fear: the forums at www.snort.org are a great source of information.

The first thing to do is set up snort.conf, the master file that controls how Snort behaves. Individual settings are beyond the scope of this article, but there are samples at http://www.snort.org/docs/snort_htmanuals/htmanual_261/node25.htm. If you have a simple network you can for the most part leave snort.conf as it is. The one value worth setting correctly is HOME_NET, your internal address range, because the rules use it to tell outbound traffic from inbound. On a Windows machine you will also need to change a couple of the path settings (the rule and preprocessor directories) from Linux paths to Windows paths.

The next step is to download the rules. Rules are released regularly by the Snort community and are available either free of charge (a month after initial release) or by paid subscription (available immediately after release). For most, the free rules will suffice. The rules define which traffic Snort alerts on. You don't want Snort alerting you every time somebody opens a web page, but you might want to be alerted if a worker visits an inappropriate site with inappropriate content. Tuning the rules to suit your organization does not take long: run the tool, inspect the logs, and disable (comment out) the noisy rules as required. Rules that express your own outbound policy go in local.rules, which snort.conf includes alongside the downloaded set.

Once the rules are configured you have to start Snort. The easiest way to run it is as a service, so that it runs uninhibited on the server without anyone having to be logged in. You still need the right command-line syntax. Open a command prompt, go to the Snort\bin directory, and type snort with no arguments to see the list of options (snort -W lists the numbered network interfaces you can pass to -i). As a start, to run Snort in intrusion detection mode, log in ASCII text and use the second network interface, you could use something like this:

snort -i 2 -c c:\snort\etc\snort.conf -A console -K ascii

This logs the alerts and shows them right on the screen. While it is amusing to sit and watch people violate your corporate policy, it is not practical to have someone sitting there watching the console. This is where syslog comes in: it provides an output for all of the alerts that get generated. I used Kiwi Syslog. Everything Snort sends can be viewed in Kiwi and filtered as required, and Kiwi can be set up to send you an email when something trips an alert. Using syslog with Snort is simple. If the syslog service is on the same machine as Snort, just add -s to the command line. If the syslog server is another computer you will have to edit the alert_syslog output line in snort.conf to point at it. Bear in mind that syslog normally travels over UDP port 514 in plain text with no authentication, so keep the sensor and the syslog server on a trusted management network, and filter in Kiwi so that one noisy rule does not flood your inbox.

That's all there is to it. Now any time someone on your network sends traffic that violates your policy, you will be notified by email. Snort is well worth a couple of minutes of setup time for the protection it affords your network.
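As an added example (it is not from the original article or from the Snort project), here are the two configuration pieces the text refers to: a rule in local.rules that fires on outbound HTTP to a site your policy forbids, and the alert_syslog output line in snort.conf for a Kiwi Syslog server on another machine. The address range 192.168.1.0/24, the syslog host 192.168.1.20, the hostname badsite.example and the SID 1000001 are placeholders to replace with your own values.

```snort
# --- local.rules (added example; badsite.example is a placeholder) ---
# Outbound HTTP request from HOME_NET whose Host header names a forbidden site.
# "|3a|" is the hex escape for ':' so the colon is matched literally.
# Local rules use SIDs of 1000000 and above so they never collide with the official set.
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL POLICY outbound HTTP to badsite.example"; flow:to_server,established; content:"Host|3a| badsite.example"; nocase; classtype:policy-violation; sid:1000001; rev:1;)

# --- snort.conf (only the relevant lines; addresses are placeholders) ---
# HOME_NET is what "outbound" is measured against; get it wrong and every rule misfires.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# Load the local rule file alongside the downloaded rule set.
include $RULE_PATH/local.rules

# Send alerts to the Kiwi Syslog server on another host (UDP 514) instead of localhost.
# Facility and priority decide how Kiwi files them; LOG_LOCAL4 keeps them apart from OS logs.
output alert_syslog: host=192.168.1.20:514, LOG_LOCAL4 LOG_ALERT
```

With the output line in snort.conf you no longer need -s on the command line. Each alert arrives in Kiwi as one line carrying the [gid:sid:rev] triple, the msg text, the classification and priority, and the source and destination addresses, so a Kiwi filter on "sid 1000001" or on the LOCAL POLICY prefix is enough to drive the email rule.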
©2008 About, Inc., A part of The New York Times Company.