Barnyard References. Prentice Hall, Intrusion Detection Systems with Snort

agent system then updates the configuration of the firewall or routers according to the policy. Documentation, examples, and information about how to install SnortSam are available on its web site. You can find information about the changes you need to make in the snort.conf file for a particular type of firewall there as well. You should think twice before letting Snort modify firewall policy automatically; it can be turned into a Denial of Service (DoS) attack. For example, if someone sends you a message that results in the blocking of the root name server addresses, your DNS server will fail.
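The safeguard the paragraph argues for, as an added illustration that is not SnortSam's own code: before a blocking agent acts on an alert, the source address is checked against a list of addresses the site can never afford to lose. The protected networks and the alerts are constructed for this example and use RFC 5737 documentation ranges rather than real infrastructure.

```python
"""Illustration of a 'never block' check in front of an automated
firewall-blocking agent (added example; not SnortSam's own code).

Letting an IDS rewrite firewall policy can be turned into a denial of
service: a spoofed packet whose source is a root name server, your
upstream gateway or your own DNS resolver would cause that address to be
blocked. The check below refuses to act on any address inside a
protected list before a block is ever issued.
"""
import ipaddress

# Constructed protected list: the addresses this site must never block.
# A real deployment would list its resolvers, gateway, management hosts
# and the root/TLD name servers; these values are RFC 5737 documentation
# ranges, not real infrastructure.
NEVER_BLOCK = [
    ipaddress.ip_network("192.0.2.53/32"),    # site DNS resolver
    ipaddress.ip_network("192.0.2.1/32"),     # default gateway
    ipaddress.ip_network("198.51.100.0/28"),  # management network
]


def is_protected(addr, protected=NEVER_BLOCK):
    """Return True if addr falls inside any protected network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in protected)


def filter_block_requests(alerts, protected=NEVER_BLOCK):
    """Split alert-derived block requests into (allowed, refused).

    Each alert is a dict with 'src' and 'sig' keys, the minimum an
    output plug-in would hand to a blocking agent.
    """
    allowed, refused = [], []
    for alert in alerts:
        if is_protected(alert["src"], protected):
            refused.append(alert)
        else:
            allowed.append(alert)
    return allowed, refused


# Constructed sample alerts: one from a scanner, one spoofed to look as
# if it came from the site's own resolver, one from the management net.
SAMPLE_ALERTS = [
    {"src": "203.0.113.77", "sig": "SCAN nmap TCP"},
    {"src": "192.0.2.53", "sig": "DNS zone transfer"},
    {"src": "198.51.100.9", "sig": "WEB-MISC bad request"},
]

if __name__ == "__main__":
    ok, skipped = filter_block_requests(SAMPLE_ALERTS)
    for a in ok:
        print("would block", a["src"], "for", a["sig"])
    for a in skipped:
        print("REFUSED block of protected address", a["src"], "for", a["sig"])
```

Refused requests should still be logged and alerted on: an attempt to get the site's resolver blocked is itself worth an analyst's attention, even though no firewall change is made.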

7.2 IDS Policy Manager

IDS Policy Manager is a Microsoft Windows based GUI used to manage the Snort configuration file and Snort rules on a sensor. It is available from its web site http://activeworx.com/idspm. At the time of writing this book, beta version 1.3 is available from this web site and it supports Snort versions up to 1.9.0. You can download the software and install it using normal Windows installation procedures. When you start the software, a window like the one shown in Figure 7-3 is displayed. As you can see, this window is initially empty. It has three tabs at the bottom, as explained below:

• The “Sensor Manager” tab shows the sensors that you are managing with this tool. Initially no sensor is listed in the window, because sensors have to be added after installing IDS Policy Manager. This is the default tab when you start the Policy Manager.
• The “Policy Manager” tab shows configured policies. A policy includes the snort.conf file parameters (variables, input and output plug-ins, include files) as well as the list of rules that belong to that policy.
• The “Logging” tab shows log messages.

You can click on any of these tabs to switch to a particular window. To add a new sensor, click on the “Sensor” menu and choose the “Add Sensor” option. A pop-up window like the one shown in Figure 7-4 appears, where you fill out information about the sensor.

Figure 7-3 IDS Policy Manager Window.

The screen shot shown in Figure 7-4 was taken after filling out the blank fields. You have to enter the following information about a sensor:

• Sensor name, which is “MyHome Sensor” in this example.
• IP address of the sensor, which is 192.168.1.2 in this example. Fill in the IP address of your own sensor in this box.
• The “IDS System” box is used to specify which version of Snort is being used on the sensor. Different Snort versions have slightly different parameters for input and output plug-ins as well as keywords used in rules, so it is important to use correct information in this option.
• The policy name is “Official”. You can use a different name for the policy. The sensor policy is downloaded and stored on the machine where IDS Policy Manager is installed.
• The “Upload Information” section includes the parameters needed to transfer files to and from the sensor.
• The SCP method uses the SSH server running on the sensor. The user name and password are used to log in to the Snort sensor to upload and download files. The “Upload Directory” is the location of the snort.conf file on the Snort sensor. Since the locations of the other rule files are given in the snort.conf file itself, you don’t need to specify the names and locations of other rule files.

Figure 7-4 Adding a new sensor to IDS Policy Manager.

After entering this information, click “OK” to add the sensor. After adding the sensor, the first task is to download the policy from the sensor you added in the previous step. For this purpose, use the “Download Policy from Sensor” option in the “Sensor” menu. After downloading the policy, click on the “Policy Manager” tab at the bottom of the screen to edit the policy. You will then see a screen with the list of currently available policies. Since you used “Official” as the name of the policy while adding the sensor, this policy must be present in the list. To edit the policy, double-click the policy name and a Policy Editor window will appear, as shown in Figure 7-5.

Figure 7-5 The Policy Editor window with list of rules.
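Why the sensor entry needs only the directory holding snort.conf: every other rule file is named by an include line in that file, usually through a variable such as $RULE_PATH. The parser below, added here and not part of IDS Policy Manager or Snort, reproduces that lookup on a constructed Snort 1.9-style snort.conf so that the complete list of files a policy download must fetch over SCP can be computed from the upload directory alone.

```python
"""Resolve the rule files referenced by a snort.conf (added example,
not code from IDS Policy Manager or Snort).

Given the 'Upload Directory' configured for a sensor, this walks the
var and include lines of snort.conf, expands $VARIABLE references and
returns absolute paths for every file a policy download has to copy.
"""
import posixpath
import re

# Constructed snort.conf fragment, in the style of Snort 1.9 configs.
SAMPLE_SNORT_CONF = """\
# Variables
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH ../rules

preprocessor stream4: detect_scans
output alert_syslog: LOG_AUTH LOG_ALERT

include classification.config
include $RULE_PATH/bad-traffic.rules
include $RULE_PATH/exploit.rules
# include $RULE_PATH/experimental.rules
include $RULE_PATH/local.rules
"""

VAR_RE = re.compile(r"^\s*var\s+(\w+)\s+(.+?)\s*$")
INCLUDE_RE = re.compile(r"^\s*include\s+(\S+)")


def expand(value, variables):
    """Replace $NAME references with their defined values (unknown names are left as-is)."""
    return re.sub(r"\$(\w+)", lambda m: variables.get(m.group(1), m.group(0)), value)


def parse_snort_conf(text, conf_dir):
    """Return (variables, include_paths) from snort.conf text.

    Include paths are joined to conf_dir (the sensor's 'Upload Directory')
    and normalised so that a relative RULE_PATH such as ../rules resolves
    to the directory the sensor actually reads from.
    """
    variables, includes = {}, []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out includes are not loaded, so not fetched
        m = VAR_RE.match(line)
        if m:
            variables[m.group(1)] = expand(m.group(2), variables)
            continue
        m = INCLUDE_RE.match(line)
        if m:
            path = expand(m.group(1), variables)
            includes.append(posixpath.normpath(posixpath.join(conf_dir, path)))
    return variables, includes


def files_to_download(text, conf_dir):
    """The complete file list for a policy download: snort.conf plus its includes."""
    _, includes = parse_snort_conf(text, conf_dir)
    return [posixpath.join(conf_dir, "snort.conf")] + includes


if __name__ == "__main__":
    for path in files_to_download(SAMPLE_SNORT_CONF, "/etc/snort"):
        print(path)
```

Because the include paths are resolved on the management host, a RULE_PATH that points outside the upload directory (here ../rules) still yields the correct sensor-side path, which is the reason the tool does not ask for rule file locations separately.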