The primary advantage of running Snort IDS (Snort) in front of the firewall is that it sees
unfiltered network traffic and is therefore able to detect a wider range of attacks. The
primary advantage of running Snort IPS (IPS) behind the firewall is that suspicious
network traffic can be blocked, rather than simply flagged as suspicious and allowed to
pass.
Snort uses a combination of methods to perform extensive network traffic analysis on the
fly. These include protocol analysis, inconsistency detection, historical analysis and rule-
based inspection engines. Snort can detect many attacks by checking the destination port
number and TCP flags and doing a simple search through the packet's data payload. Rules
can be quite complex, allowing a trigger if one criterion matches but another fails, and so
on. Snort can also detect malformed network packets and protocol anomalies.
Snort can detect attacks and probes such as buffer overflows, stealth port scans, CGI
attacks, NetBIOS SMB probes, OS fingerprinting attempts and many other common and
not so common exploits.
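The rule-matching behaviour described above, as an added illustration rather than Snort's or SnapGear's own code: a small Python parser for a subset of Snort rule syntax (the destination port from the rule header; the msg, sid, flags, dsize and content options, with content negated by !) and a matcher that fires only when every option agrees, run over constructed packet records. The rules, their sid numbers and the packets are constructed for this example and do not come from the manual; the real Snort engine supports far more options and a preprocessor pipeline that this model omits.

```python
"""Toy model of Snort-style rule matching (added example, not Snort's code).

It shows how several rule criteria combine: a rule fires only when the
destination port, TCP flags, payload size and every content option agree,
so "one criterion matches but another fails" means no alert.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    dst_port: int
    tcp_flags: str   # flag letters as Snort writes them, e.g. "S" or "PA"
    payload: bytes


@dataclass
class Rule:
    sid: int
    msg: str
    dst_port: Optional[int]            # None means "any"
    flags: Optional[str] = None        # exact flag set required, e.g. "S"
    dsize_min: Optional[int] = None    # dsize:>N  -> payload strictly larger than N
    contents: List[Tuple[bytes, bool]] = field(default_factory=list)  # (pattern, negated)


# Header: alert tcp <src> <sport> -> <dst> <dport> ( options )
HEADER_RE = re.compile(r"^alert\s+tcp\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s*\((.*)\)\s*$", re.S)
# Option: name : [!] "quoted value" | bare value ;
OPTION_RE = re.compile(r'(\w+)\s*:\s*(!?)\s*(?:"([^"]*)"|([^;]*))\s*;')


def parse_rule(text: str) -> Rule:
    """Parse the supported subset of a Snort rule; reject anything else."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header: " + text)
    port_str, body = m.groups()
    rule = Rule(sid=0, msg="", dst_port=None if port_str == "any" else int(port_str))
    for name, neg, quoted, bare in OPTION_RE.findall(body):
        value = quoted if quoted else bare.strip()
        if name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = int(value)
        elif name == "flags":
            rule.flags = value
        elif name == "dsize" and value.startswith(">"):
            rule.dsize_min = int(value[1:])
        elif name == "content":
            rule.contents.append((value.encode(), neg == "!"))
        else:
            raise ValueError(f"unsupported option {name}:{value}")
    return rule


def match(rule: Rule, pkt: Packet) -> bool:
    """True only when every criterion of the rule holds for the packet."""
    if rule.dst_port is not None and pkt.dst_port != rule.dst_port:
        return False
    if rule.flags is not None and set(pkt.tcp_flags) != set(rule.flags):
        return False
    if rule.dsize_min is not None and len(pkt.payload) <= rule.dsize_min:
        return False
    for pattern, negated in rule.contents:
        found = pattern in pkt.payload
        if found == negated:   # required content missing, or excluded content present
            return False
    return True


def evaluate(rules: List[Rule], packets: List[Packet]) -> List[Tuple[int, int]]:
    """Return (packet index, sid) for every rule that fires on every packet."""
    return [(i, r.sid) for i, p in enumerate(packets) for r in rules if match(r, p)]


# Constructed rules (sids in the local 1000000+ range, chosen for the example).
RULES = [
    'alert tcp any any -> any 80 (msg:"CGI-BIN request"; content:"/cgi-bin/"; '
    'content:!"/cgi-bin/status"; sid:1000001;)',
    'alert tcp any any -> any 139 (msg:"NetBIOS SMB probe"; flags:S; sid:1000002;)',
    'alert tcp any any -> any 21 (msg:"FTP long USER"; content:"USER "; dsize:>200; sid:1000003;)',
]

# Constructed packet records standing in for decoded TCP segments.
PACKETS = [
    Packet(80, "PA", b"GET /cgi-bin/test.cgi HTTP/1.0\r\n"),   # fires 1000001
    Packet(80, "PA", b"GET /cgi-bin/status HTTP/1.0\r\n"),     # excluded by content:!
    Packet(139, "S", b""),                                     # fires 1000002
    Packet(21, "PA", b"USER " + b"A" * 300 + b"\r\n"),         # fires 1000003
    Packet(21, "PA", b"USER bob\r\n"),                         # too short for dsize:>200
]


def demo() -> List[Tuple[int, int]]:
    return evaluate([parse_rule(r) for r in RULES], PACKETS)


if __name__ == "__main__":
    for idx, sid in demo():
        print(f"packet {idx}: alert sid {sid}")
```

The second packet shows the "one criterion matches but another fails" case from the text: the positive content matches, but the negated content also matches, so the rule stays silent.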
You may use Snort in IDS and IPS mode simultaneously if you choose; however, it
consumes a lot of the SnapGear unit's memory.
Snort and IPS configuration
Select Intrusion Detection from the Firewall section of the main menu, and click the
Snort tab to configure Snort in IDS mode, or IPS to configure Snort in IPS mode.
Check Enabled.
Select the network Interface to monitor (Snort IDS only). This is typically Internet, or
possibly DMZ.
Check Use less memory to restrict Snort's memory usage (Snort IPS only). This results
in slower signature detection throughput, but may be necessary if the device is
configured to run many services, many VPN tunnels, or both Snort IDS and IPS.
Firewall