Administering Snort with IDS Policy Manager
Problem
You need to administer multiple Snort sensors.
Solution
Install the IDS Policy Manager from Activeworx. This allows you to administer multiple Snort sensors.
- Download the compressed zip file from the Activeworx web site (http://www.activeworx.org/downloads/). Decompress it and run the installation program (Figure 5-20). Click Next to continue.
Figure 5-20. IDS Policy Manager welcome screen
- Accept the default installation directory or choose one of your own liking (Figure 5-21). Click Next.
Figure 5-21. Destination Folder
- Click Next to begin the installation (Figure 5-22).
Figure 5-22. Ready to Install
- Wait for the installation to complete (Figure 5-23).
Figure 5-23. Installation progress
- Click Finish to complete the installation (Figure 5-24).
Figure 5-24. IDS Policy Manager installation successful
Discussion
The IDS Policy Manager is designed to allow you to administer multiple Snort sensors. When you first start the application, it asks you if you want it to check for updates automatically (Figure 5-25).
Figure 5-25. Updating the IDS Policy Manager
After you select Yes or No to the autocheck for updates, you see the main screen (Figure 5-26). The first time you run it, no sensors are set up in the Sensor Manager tab. There are also two other tabs: Policy Manager and Logging.
Figure 5-26. IDS Policy Manager main screen
The first step is to add a Sensor. You do this by selecting Add from the Sensor menu (Figure 5-27). This starts a dialog for you to configure the sensor details (Figure 5-28). Enter the required details. The Sensor Name is for internal reference only, so call it something that makes sense to you. For the time being, set the Policy to Official. This is the only defined policy on the system at this point, and you can change it later, once you have defined more. Select the Restart after Upload checkbox if you want the sensor to be restarted after policy changes have been uploaded. Select the application that you wish to use to connect to the sensor to restart it, and enter the path to the restart script that you want to run in the Script box. Click OK to return to the main screen (Figure 5-29).
Figure 5-27. Adding a sensor
Figure 5-28. Sensor details
Figure 5-29. IDS Policy Manager main screen with new sensor
Once you have created your sensor, you can go on to create or edit the policy assigned to it. Click on the Policy Manager tab (Figure 5-30). Double-click on the name of the policy that you wish to edit, or select Add from the Policy menu. In this case, we are going to edit the Official policy. The first time you run the Policy Editor, you will be prompted to determine if you want to check for new rules (Figure 5-31). The IDS Policy Manager will automatically check for, and download, any new rules that are found and add them to the list (Figure 5-32). Within the Policy Editor, you can select which rules you wish to be part of your policy. This policy can then be propagated out to all sensors known to the IDS Policy Manager. When you have chosen all that you require, select Save and Exit from the File menu.
Figure 5-30. Policy Manager tab
Figure 5-31. Check for new rules
Figure 5-32. Policy Editor
The Logging tab keeps track of all the actions that are carried out within the IDS Policy Manager (Figure 5-33).
Figure 5-33. Logging tab
To update the policy across all the sensors within your network, first make the changes to the policy as required, save the changes, and then select all your sensors from the Sensor Manager by clicking the checkboxes next to their names. Then select the Sensor menu and select the Upload Policy to Sensor item. If you have selected the checkbox in the sensor configuration to restart the sensor, IDS Policy Manager will restart the sensor automatically; otherwise, select Restart Selected Sensors from the Sensor menu to do so.
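The restart script named in the Script box of the sensor details dialog runs on the sensor after each policy upload, so it is the natural place to check that the uploaded policy is valid before the sensor is restarted. The following is an added example of such a script, not code from IDS Policy Manager or the original recipe; it assumes the snort binary is on the PATH, the configuration is at /etc/snort/snort.conf, and the sensor is controlled through /etc/init.d/snort (all hypothetical paths to adjust for your sensor).

```shell
#!/bin/sh
# Hypothetical restart script for a Snort sensor, to be called by
# IDS Policy Manager after a policy upload (the "Script" box in the
# sensor details). Added example, not part of IDS Policy Manager.
# Assumed: snort binary on PATH, config at /etc/snort/snort.conf,
# init script at /etc/init.d/snort.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
LOGFILE="${LOGFILE:-/var/log/snort/policy-restart.log}"

# Append a timestamped line to the local log; never fail the script on a
# logging error.
log_msg() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE" 2>/dev/null || true
}

# Ask snort to test the configuration (snort -T) without starting capture.
# $1 = snort command, $2 = config file. Returns 0 if snort accepts it.
validate_policy() {
    "$1" -T -c "$2" >/dev/null 2>&1
}

# Restart only when the uploaded policy passes validation. If a broken rule
# was uploaded, the running sensor keeps its previously loaded rules and
# the failure is logged instead of taking the sensor down.
# $1 = snort command, $2 = config file, $3 = restart command
safe_restart() {
    if validate_policy "$1" "$2"; then
        log_msg "policy validated, restarting sensor"
        $3
    else
        log_msg "policy validation FAILED, sensor NOT restarted"
        return 1
    fi
}

# Run the real restart only when this file is executed under its own name,
# so the functions can also be sourced for testing.
if [ "${0##*/}" = "snort-policy-restart.sh" ]; then
    safe_restart snort "$SNORT_CONF" "/etc/init.d/snort restart"
fi
```

Save it on the sensor as snort-policy-restart.sh, make it executable, and enter its path in the Script box; the sensor's restart log then shows whether each upload was applied or rejected.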
Further information on the running of IDS Policy Manager can be found in the Help menu and from the Activeworx web site.
See Also
http://www.activeworx.com/
Integrating Snort with Webmin