Sophos Snort

admin

Ah, the venerable piggy that loves packets. Many people will remember 1998 as the year Windows 98 came out, but it was also the year that Martin Roesch first released Snort. Although Snort wasn't a true IDS at the time, that was its destiny. Since then it has become the de-facto standard for IDS, thanks to community contributions.

Save and close the file. Now let’s run Snort in IDS mode again, but this time, we are going to add one more option, as follows: sudo snort -A console -q -c /etc/snort/snort.conf -i eth0 -K ascii. We are telling Snort to log generated alerts in the ASCII format rather than the default pcap.

Also, keep in mind that IPS on UTM is essentially Snort, a single-threaded application. With speed test applications, you may not be running enough threads to max out IPS, but on a single thread, that 300-400 Mbps is the max you're likely to see. Sophos XG does this significantly better than UTM.
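The console alerts produced by the command above are one line each, so they are easy to post-process. The following parser and summary is an added example, not code from the original page or from Sophos or the Snort project; it parses Snort's one-line console/fast alert format (IPv4 only), tolerates alerts whose rule has no classtype, and aggregates the result by signature, by source host and by priority. The alert lines, SIDs (in the local 1000000+ range) and addresses are constructed for this example.

```python
import re
from collections import Counter

# Snort's one-line alert format, as written by "-A console" (and "-A fast"):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] message [**] [Classification: text] \
#   [Priority: n] {PROTO} src[:port] -> dst[:port]
# IPv4 only. The Classification field is optional because rules without a
# classtype omit it; ports are optional because ICMP alerts carry none.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<classification>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<priority>\d+)\]\s+"
    r"\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (not real Snort output); SIDs are in the local range.
SAMPLE_ALERTS = """\
03/01-10:15:02.112233  [**] [1:1000001:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.10:51234
03/01-10:15:05.445566  [**] [1:1000002:1] LOCAL suspicious outbound DNS query [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.0.2.10:53011 -> 198.51.100.53:53
03/01-10:16:00.000001  [**] [1:1000003:1] LOCAL ICMP echo request [**] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.1
03/01-10:16:30.987654  [**] [1:1000001:1] LOCAL id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.7:80 -> 192.0.2.11:40210
03/01-10:17:12.000000  [**] [1:1000005:2] LOCAL known C2 beacon pattern [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 192.0.2.11:49152 -> 203.0.113.99:443
this is not an alert line
"""


def parse_alert(line):
    """Return a dict of alert fields, or None if the line is not a Snort alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "priority"):
        alert[key] = int(alert[key])
    for key in ("sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def summarize(lines):
    """Aggregate alert lines: counts per signature and per source host, plus the
    priority-1 alerts (Snort's highest priority) that deserve first triage."""
    alerts, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1
        else:
            alerts.append(alert)
    return {
        "parsed": len(alerts),
        "unparsed": unparsed,
        "by_signature": Counter((a["sid"], a["msg"]) for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "high_priority": [a for a in alerts if a["priority"] == 1],
    }


if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS.splitlines())
    print(f"parsed {summary['parsed']} alerts, skipped {summary['unparsed']} non-alert lines")
    for (sid, msg), n in summary["by_signature"].most_common():
        print(f"  sid {sid}: {n:3d}  {msg}")
    for src, n in summary["by_source"].most_common():
        print(f"  source {src}: {n} alerts")
    for a in summary["high_priority"]:
        print(f"  PRIORITY 1: {a['ts']} {a['src']} -> {a['dst']} {a['msg']}")
```

Run it against a real alert file with `summarize(open("alert").read().splitlines())`; unparsed lines are counted rather than dropped silently, so a format change (for example IPv6 alerts, which this regex does not cover) shows up as a rising "unparsed" count instead of vanishing alerts.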

Sophos XG comes with pre-defined Intrusion Prevention System (IPS) policies, but you can easily create one tailored specifically to your needs. The benefit is that the IPS engine does not scan your traffic against more signatures than necessary, which reduces overall system load. As a comparison, the pre-defined ‘lantowan_general’ policy has 7,181 signatures in its IPS policy rule, compared to the custom IPS policy we’ll create below with 1,520 signatures, which covers a basic home network without any servers or Microsoft Windows platforms.

1. Access the ‘IPS Policies’ tab on the ‘Intrusion Prevention’ page and click ‘Add’.

2. Provide a ‘Name’ for your IPS policy and description if desired. You also have the ability to clone another IPS policy but for this example, we’ll create one from scratch so click ‘Save’.

3. Open your newly created IPS policy. From here, add a rule for the IPS policy to utilize by clicking ‘Add’.

4. Provide a ‘Rule Name’ and then select which signatures you want your rule to utilize, starting with the category. Click ‘Category’, which will display a drop-down with several options. Select the categories appropriate for your needs; for this example, select the following categories and click ‘OK’:

  • Application and Software
  • Browsers
  • DNS
  • FTP
  • Malware Communication
  • Misc
  • Multimedia
  • Office Tools
  • Operating System and Services
  • Reconnaissance
  • VoIP and Instant Messaging
  • Web Services and Applications

Note: To become familiar with which signatures fall under each filter (i.e. Category, Severity, Platform and Target), I recommend spending just a few minutes selecting each filter option individually and scrolling through the signatures it lists. For example, under the ‘Platform’ filter there is the option ‘Other’. Choose ‘Other’ and then pick ‘Client’ under the ‘Target’ filter. This will list all of the signatures that apply only to client devices under the ‘Other’ platform filter. Scrolling through the list, you can now see what type of signatures apply.

5. Next, click ‘Severity’ and choose which severity level you want the IPS policy to utilize. For this example, select ‘All’ and click ‘OK’.

6. Click ‘Platform’ and choose the operating systems you have on your network and click ‘OK’.

7. Click ‘Target’ and choose only ‘Client’, since we don’t have any servers, then click ‘OK’. Your IPS policy rules should look something like this:

8. ‘Select All’ will be checked by default. As the name implies, this will choose all signatures for the categories, severity, platform and target selected above. If you need to disable a specific signature, choose ‘Select Individual Signature’ and you can then individually select which signatures to enable or disable. For this example, leave ‘Select All’ checked.

Note: The ‘Smart Filter’ is available as an additional filter only when ‘Select All’ is chosen. The smart filter allows you to type in the partial or full name of a signature and only those specific signatures will be utilized for your IPS policy rule.

9. The last option is ‘Action’ which allows you to specify what the IPS engine will do when a matching signature is detected. Setting this to ‘Recommended’ will use the ‘Recommended Action’ for the individual signature.

10. Click ‘Save’ at the bottom and now open your desired firewall rule and make sure this IPS policy is selected.

That’s it! Sophos XG uses Snort for its IPS engine, which is an open-source, widely used network intrusion detection and prevention system. Currently, Snort does not support multi-threading, so it’s limited to using only one CPU core for traffic scanning. However, Sophos XG runs multiple instances of Snort, one for each CPU core. You can view this by running ‘show ops-engine’ from the console, which will show you the number of IPS instances.

You can see in the above screenshot that there are four IPS instances running, one on each CPU core. While this is beneficial in increasing the overall performance of Sophos XG, it’s important to note that only one IPS instance will apply to an individual connection. For example, without IPS enabled, my internet connection speeds are 900Mbps/50Mbps. With IPS enabled, speeds drop down to 300Mbps/50Mbps (Intel Core i5-5250U). When running these speed tests, only one IPS instance is being utilized, because Snort is not multi-threaded, which causes a fairly significant drop in internet speeds. However, with multiple connections running at the same time, having multiple IPS instances obviously becomes beneficial, since the workload can be divided up among the four IPS instances.