Alerting methods, Performance and resources, Ids configuration – RuggedCom RuggedRouter RX1100 User Manual
Page 276: Snort ids main menu, Global configuration, Snort main menu part 1

33. Configuring the Intrusion Detection System
Revision 1.14.3
276
RX1000/RX1100™
33.1.1.3. Alerting Methods
Alerts generated by Snort are stored by one of two methods: as syslog messages, or in a specified
alert file.
When the local syslog method is chosen, the destination log file may be selected.
When the alert file method is chosen, a daily analysis of the file can be emailed.
The SIDs referenced in alerts can be used to quickly locate the rule via the main Snort IDS menu.
The rule itself often contains HTML links to Internet resources such as
vulnerability.
33.1.1.4. Performance And Resources
The performance impact of Snort varies with the number of interfaces monitored, the number of rules
enabled, the packet rate and the logging method.
Snort has been empirically determined to use about 20% of the CPU clock cycles at its maximum
processing rate.
The router is capable of recording about 300 entries/second to the local syslog and 500 entries/second
to the alert file. Alerts generated faster than these rates will not be recorded.
Snort will require 5 Mbytes of system memory to start, with an additional 15 Mbytes of memory for
each interface monitored.
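An offline summary of a copied alert file, tying the SID lookup described under Alerting Methods to the alert file recording ceiling above. This is an added example, not code from the manual or the router's own daily analysis; it assumes the alert file uses Snort's one-line "fast" alert format, and the sample lines, SIDs and the headroom threshold are constructed.

```python
import re
from collections import Counter

# Assumption: the alert file uses Snort's one-line "fast" alert format.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2})\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
)
ALERT_FILE_CEILING = 500  # entries/second the manual quotes for the alert file


def summarize(lines, ceiling=ALERT_FILE_CEILING, headroom=0.9):
    """Return (alert count per SID, near-ceiling seconds, unparsed line count).

    A second whose recorded count is at or near the ceiling may have had
    further alerts that were never recorded, so treat that window as incomplete.
    """
    per_sid, per_second, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        per_sid[(int(m["sid"]), m["msg"])] += 1
        per_second[m["ts"]] += 1
    near = sorted(ts for ts, n in per_second.items() if n >= ceiling * headroom)
    return per_sid, near, unparsed


def constructed_sample():
    """Constructed input: a 460-alert burst in one second, one quiet alert, one junk line."""
    burst = [
        f"08/28-12:00:01.{i:06d}  [**] [1:1000001:1] Constructed flood rule [**] "
        "[Priority: 2] {UDP} 192.0.2.10:1434 -> 198.51.100.7:1434"
        for i in range(460)
    ]
    quiet = "08/28-12:00:05.000100  [**] [1:1000002:3] Constructed scan rule [**] " \
            "[Priority: 3] {TCP} 192.0.2.11:4432 -> 198.51.100.7:22"
    return burst + [quiet, "not an alert line"]


if __name__ == "__main__":
    per_sid, near, unparsed = summarize(constructed_sample())
    for (sid, msg), n in per_sid.most_common():
        print(f"SID {sid:>8}  {n:>5}  {msg}")
    print("seconds near the recording ceiling:", near or "none")
    print("unparsed lines:", unparsed)
```

The SIDs in the summary are the values to look up from the main Snort IDS menu; seconds listed as near the ceiling mark windows where the alert file may be missing entries.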
33.2. IDS Configuration
33.2.1. Snort IDS Main Menu
This menu configures the Snort IDS and is composed of three sections.
Note that Snort is disabled by default and may be enabled via the System folder, Bootup And
Shutdown menu. If Snort is running, configuration changes must be made active by restarting it. The
Restart Snort button will restart Snort, listing the interfaces it is active upon.
33.2.1.1. Global Configuration
Figure 33.1. Snort Main Menu part 1
The Global Configuration menu section configures parameters that apply to all interfaces.