Applies to: KNA, KOA, KWA
The Snort intrusion detection system is integrated in Kernun. Depending on the configuration, it either detects and logs suspicious network traffic (IDS mode) or blocks it (IPS mode). For a detailed description of the IDS/IPS system, see ips(7).
An example of the IDS configuration is shown in Figure 6.72, “Intrusion detection/prevention system”. The complete sample configuration is available in the /usr/local/kernun/conf/samples/cml/ids.cml file.
The mode log item specifies that the IDS mode is used; one of drop, reject or advanced would be used for IPS instead.
The iface EXT item specifies that the external interface should be inspected. Any number of interfaces can be included.
The pass-ssh item specifies that traffic to the administration ssh server (see Section 2.3, “SSH Server”) should be excluded from the inspection. This item prevents a situation in which Kernun becomes inaccessible: in IPS mode, a rule matching the administrator's own ssh session would otherwise block it. If this item is enabled, the ssh interface always remains accessible as far as the IDS/IPS system is concerned.
Traffic analysis is based on rules that describe suspicious traffic, so the rules should be updated regularly. An automatic rule download system is available in Kernun. It is configured with the license item, which specifies the oinkcode used to access the current ruleset. The oinkcode can be obtained from the Snort website. In our example, the subscription ruleset (the paid alternative to the free registered-user ruleset) is specified. With this configuration, Kernun downloads fresh rules once a day. After logging in to Kernun, the oinkcron command can be run to download the rules immediately, without waiting for the first automatic download.
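The following configuration fragment is an added example illustrating the items described above (mode, iface, pass-ssh and license); it is not taken from ids.cml or from the Kernun documentation. The section name ips, the brace-and-semicolon layout, the # comment syntax and the placeholder <oinkcode> are assumptions made for illustration; check the exact spelling against /usr/local/kernun/conf/samples/cml/ids.cml and ips(7) before use. It shows the IDS (log-only) variant beside the IPS (drop) variant so the difference is visible in one place.

```cml
# Added example, not Kernun's own sample. Section name "ips", the layout and
# the comment syntax are assumptions; compare with ids.cml before use.

# Variant 1: IDS mode. Matching traffic is logged but never blocked.
ips IDS {
    mode log;                          # detect and log only
    iface EXT;                         # inspect the external interface
    pass-ssh;                          # exclude the administration ssh server
    license subscription "<oinkcode>"; # placeholder; the paid ruleset
}

# Variant 2: IPS mode. Matching traffic is dropped. Keep pass-ssh here:
# without it a false-positive match on your own session could lock you out.
ips IPS {
    mode drop;                         # drop instead of log (or: reject, advanced)
    iface EXT;
    pass-ssh;
    license subscription "<oinkcode>";
}
```

A sensible rollout is to deploy the log variant first, run oinkcron once so the ruleset is present, review what gets logged for a few days, and only then switch mode to drop; that way rule false positives are discovered before they start blocking traffic.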