Snort® IDS/IPS

TNSR can set up and manage instances of Snort® running locally to act as an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). Snort inspects packets for potentially suspicious behavior as they pass through TNSR. Depending on its configuration, Snort can either log (detect) or drop (prevent) suspicious traffic. The TNSR dataplane uses the Snort Data Acquisition library (DAQ) to pass traffic from TNSR through Snort.

Warning

Inspecting traffic using an inline IDS/IPS will have a significant negative impact on performance.

See also

More detailed information about Snort can be found in the Snort Documentation.

See also

Snort is an incredibly complex and extensive platform; its full potential is beyond what can be configured through TNSR.

Users who require complicated Snort configurations should consider running Snort on a separate host and integrating an IDS/IPS with TNSR via ERSPAN.

Snort Requirements

Snort requires large amounts of CPU power, so it is critical to ensure Snort does not attempt to share CPU cores with the dataplane. This can be accomplished by configuring Automatic CPU Isolation.

Snort Configuration

Configuring Snort on TNSR starts from config mode and involves setting the mode and creating one or more Snort instances.

Snort Mode

The Snort mode controls how Snort will process packets. The mode is configured using the snort mode (interrupt|polling) command.

The mode can be either interrupt or polling. For information on the difference between the two modes, see Polling Mode vs. Interrupt Mode.

Snort Instances

Snort instances monitor traffic passing through an interface in one or both directions. For Snort to function there must be at least one instance configured.

Snort Instance Configuration

To create a new Snort instance and enter config-snort-instance mode, use the snort instance command:

tnsr(config)# snort instance <name>
tnsr(config-snort-instance)#

The following commands are available while in config-snort-instance mode:

action (detect|prevent):

Configures the action taken by TNSR when traffic matches a Snort rule.

detect:

Act as an Intrusion Detection System (IDS). Log suspicious behavior but take no action and allow traffic to pass.

prevent:

Act as an Intrusion Prevention System (IPS). Drop packets which match Snort rules. Additionally, if a Snort rule is configured to use the reject action, Snort can send a TCP reset to the source to terminate the connection.

description <text>:

Text describing this Snort instance, for example its role or purpose.

(enable|disable):

Enables or disables this Snort instance. Instances are disabled by default.

interface <name> [direction (both|in|out)]:

The TNSR interface to be monitored by this Snort instance.

direction:

Optional direction in which this instance will inspect traffic on the interface.

both:

Inspect both inbound (ingress) and outbound (egress) traffic on this interface. This is the default behavior when no direction is specified.

in:

Inspect only inbound (ingress) traffic on this interface.

out:

Inspect only outbound (egress) traffic on this interface.

on-disconnect (drop|pass):

Configures the default behavior when this instance is disconnected from the Snort client, for example if the Snort process for this instance fails or is otherwise not running.

drop:

Drops all traffic if it cannot be inspected by Snort. This method is safer, but results in a potentially disruptive loss of connectivity.

pass:

Allows traffic to flow freely without being inspected by Snort. This maintains connectivity and reduces disruption, but it can be dangerous because suspicious traffic may pass while the instance is disconnected from Snort.

output (csv|fast|full|json|syslog|unixsock):

Configures the format Snort will use when writing log entries.

Log output formats other than syslog place their files in /var/log/snort/<instance-name>/.

csv:

Log alerts to a file in Comma Separated Value format.

fast:

Log alerts to a file in a brief one-line format.

full:

Log alerts to a file along with full packet headers. This is slower, but provides more detail.

json:

Log alerts to a file in JSON format.

syslog:

Send alert log messages through syslog.

unixsock:

Set up a UNIX socket file and send alerts through the socket.

External utilities can listen on the socket to receive and process alerts.

queue-size <int>:

Maximum number of packets TNSR will allow in the queue between the dataplane and Snort.

snort disconnect instance <name>:

Manually break the connection between a specific Snort instance and the dataplane.
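Alert files written with the fast output format can be processed outside TNSR for triage. The following is an added example, not code from the TNSR documentation or from Snort: it parses Snort's alert_fast line format as written under /var/log/snort/<instance-name>/, counts alerts per rule and per source address, and separates high-priority alerts. The sample lines are constructed, IPv4 only, and use the DMZIDS instance name from the example below as an assumption.

```python
import re
from collections import Counter

# Added example (not TNSR or Snort code). Parses lines written by a Snort
# instance configured with "output fast"; TNSR stores them under
# /var/log/snort/<instance-name>/. IPv4 addresses only. SAMPLE below is
# constructed data, not captured alerts.
FAST_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+'
    r'\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"(?P<msg>[^"]*)"\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?'   # classification is optional
    r'\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>[^}]+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

def parse_fast_line(line):
    """Return a dict for one alert_fast line, or None if it does not parse."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for k in ('gid', 'sid', 'rev', 'prio'):
        a[k] = int(a[k])
    for k in ('sport', 'dport'):          # ports are absent for ICMP
        a[k] = int(a[k]) if a[k] is not None else None
    return a

def summarise(lines, max_priority=2):
    """Count alerts per rule and per source, keep alerts at or above
    max_priority (Snort priority 1 is most severe), count unparsed lines."""
    by_rule, by_src, high, malformed = Counter(), Counter(), [], 0
    for line in lines:
        a = parse_fast_line(line)
        if a is None:
            malformed += 1
            continue
        by_rule[(a['sid'], a['msg'])] += 1
        by_src[a['src']] += 1
        if a['prio'] <= max_priority:
            high.append(a)
    return {'by_rule': by_rule, 'by_src': by_src, 'high': high, 'malformed': malformed}

# Constructed sample alerts for instance DMZIDS (RFC 5737 documentation addresses).
SAMPLE = """\
01/15-12:34:56.789012 [**] [1:1000001:1] "LOCAL ICMP echo to DMZ" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.20
01/15-12:35:01.000100 [**] [1:1000002:2] "LOCAL SSH to DMZ from outside" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.10:51324 -> 198.51.100.22:22
01/15-12:35:02.000200 [**] [1:1000002:2] "LOCAL SSH to DMZ from outside" [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 192.0.2.11:51325 -> 198.51.100.22:22
01/15-12:35:03.500000 [**] [1:1000003:1] "LOCAL DNS query over UDP" [**] [Priority: 3] {UDP} 198.51.100.20:40001 -> 203.0.113.53:53
this line is not an alert
"""

if __name__ == '__main__':
    r = summarise(SAMPLE.splitlines())
    for (sid, msg), n in r['by_rule'].most_common():
        print(f'{n:4d}  sid {sid}  {msg}')
    print('high-priority:', len(r['high']), ' unparsed lines:', r['malformed'])
```

Run it against /var/log/snort/DMZIDS/ files by passing their lines to summarise() instead of SAMPLE.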

Custom Snort Instance Rules

Snort instances on TNSR use the default Snort ruleset. Each configured Snort instance can read custom Snort rules from a file located at /etc/snort/<instance-name>/local.rules.

Place custom rules in that file and then reload or restart the Snort instance (Snort Service Control).

Example

This example configures a Snort instance to act in an intrusion detection only role for any traffic on the DMZ interface. It also allows traffic to continue flowing on the DMZ interface if Snort is disconnected.

tnsr(config)# snort instance DMZIDS
tnsr(config-snort-instance)# description IDS for DMZ hosts
tnsr(config-snort-instance)# action detect
tnsr(config-snort-instance)# interface DMZ direction both
tnsr(config-snort-instance)# on-disconnect pass
tnsr(config-snort-instance)# enable
tnsr(config-snort-instance)# exit

Snort Status

To view the current status of Snort, use the following command:

show snort [(clients|instances|interfaces|mode)]:

This command displays all Snort status information available in TNSR, with optional filtering.

clients:

When present, output is limited to a list of Snort clients.

instances:

When present, output is limited to a list of Snort instances.

interfaces:

When present, output is limited to a list of interfaces which contain Snort instances.

mode:

When present, output is limited to the current Snort mode.

tnsr(config)# show snort
Mode: interrupt

  # Instance                   # Client ShMem SZ ShMem FD On-Disconnect Action    Alerts     Enabled
--- ------------------------ ---------- -------- -------- ------------- --------- ---------- --------
  0 DMZIDS                     0          126976      191          pass detect    syslog     true

ifi Interface                  # Instance
--- ------------------------ --- ------------------------
  4 DMZ                        0 DMZIDS

  # Client   # Instance
---------- --- ------------------------
  0          0 DMZIDS

Snort Service Control

The Snort service has slightly different syntax from most other services on TNSR since each Snort instance runs separately. To manage the service, use the following command:

service snort <instance-name> <action>:

instance-name:

The Snort instance name to take action upon.

action:

The action to take on the specified Snort instance.

reload:

Reload the Snort instance configuration without restarting the instance.

restart:

Stop the instance if it is running, then start the instance.

start:

Start the instance if it is not already running.

status:

Check the status of the instance.

stop:

Stop the instance if it is running.