SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
IDS Policy Manager 215
• The SCP method uses an SSH server running on the sensor. A user name and password are used to log in to the Snort sensor to upload and download files. The “Upload Directory” shows the location of the snort.conf file on the Snort sensor. Since the locations of the other rule files are specified in the snort.conf file, you don’t need to specify the names and locations of other rule files.
After entering this information, you can click “OK” to add the sensor. After adding the sensor, the first task is to download the policy from the sensor you added in the previous step. For this purpose, you can use the “Download Policy from Sensor” option in the “Sensor” menu. After downloading the policy, you can click on the “Policy Manager” tab at the bottom of the screen to edit the policy. When you click here, you will see a screen with a list of the currently available policies. Since you used “Official” as the name of the policy while adding the sensor, this policy must be present in the list.
To edit the policy, double-click the policy name and a Policy Editor window will appear, as shown in Figure 7-5.
Figure 7-5 The Policy Editor window with list of rules.
On the left-hand side of the window shown in Figure 7-5 is a list of the different classes of rules used on the sensor. The right-hand side of the window shows a description of the class and the individual rules included in that class. To modify a rule, you can double-click that rule and a window like the one shown in Figure 7-6 will appear, where you can modify different parts of the rule.
The pull-down menus on the right side of the window shown in Figure 7-6 make it very easy to modify rules. For example, to modify the protocol used in the rule, you can click the pull-down menu button and a list of supported protocols will appear. To modify other parts of the snort.conf file, you can click the “Settings” tab on the top left side of the window. A window like the one shown in Figure 7-7 appears where you can modify input and output plug-ins and the values of different variables.

As you can see in the screen shot in Figure 7-7, the database user name and password are displayed. These are the same ones we used in Chapter 5 while configuring the MySQL database.

After making changes to the policy, you can close this window. Now you can upload it to the sensor using options in the “Sensor” menu of the main menu. IDS Policy Manager makes it very easy to modify sensor policies. It does almost all of the tasks that are discussed in Chapter 3 and Chapter 4.
Figure 7-6 Modifying a rule in IDS Policy Manager.
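As an added illustration (this is example code, not part of the book or of IDS Policy Manager), the following Python performs two of the edits described above on the text of a policy: changing the protocol field of a rule header, as the Policy Editor’s pull-down menu does, and masking the database password in the snort.conf output plug-in line that the Settings tab displays. The snort.conf fragment, rule and credentials are constructed samples.

```python
import re

# Constructed sample snort.conf fragment (not from the book): a variable
# definition and a database output plug-in line of the kind the Settings tab edits.
SAMPLE_CONF = """\
var HOME_NET 192.168.1.0/24
output database: log, mysql, user=snortuser password=secret dbname=snort host=localhost
"""

# Constructed sample rule; the header fields are what the Policy Editor modifies.
SAMPLE_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
               '(msg:"WEB test"; sid:1000001; rev:1;)')

# Protocols a Snort 2 rule header accepts, i.e. what the pull-down menu offers.
SUPPORTED_PROTOCOLS = ("tcp", "udp", "icmp", "ip")

# Rule header layout: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and option body."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    return m.groupdict()

def build_rule(fields):
    """Reassemble a rule from the dictionary produced by parse_rule()."""
    return "{action} {proto} {src} {sport} {dir} {dst} {dport} ({opts})".format(**fields)

def set_protocol(rule, proto):
    """Change the protocol field, rejecting values the pull-down would not offer."""
    if proto not in SUPPORTED_PROTOCOLS:
        raise ValueError("unsupported protocol %r" % proto)
    fields = parse_rule(rule)
    fields["proto"] = proto
    return build_rule(fields)

def redact_db_password(conf_text):
    """Mask the password in 'output database:' lines before displaying or logging snort.conf."""
    return re.sub(r"(output\s+database:.*?password=)\S+", r"\1<redacted>", conf_text)
```

Running `set_protocol(SAMPLE_RULE, "udp")` yields the same rule with `udp` in place of `tcp`, and `redact_db_password(SAMPLE_CONF)` returns the fragment with `password=<redacted>` so the credentials are not shown on screen.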