Snort IDS Events

by Josef Weiss
October 15, 2013

The Snort IDS Events dashboard organizes and visualizes events collected from the Snort intrusion detection system.

The dashboard and its components are available in the SecurityCenter 4.7 Dashboard app feed, an app store of dashboards, reports and assets. The dashboard requirements are:

  • SecurityCenter 4.7
  • LCE 4.2.1

Tenable's Log Correlation Engine (LCE) supports a large number of intrusion detection systems. One of the more popular ones, Snort, is the focus of this dashboard. The dashboard components gather and present data on the last 72 hours of events. They include:

  • Normalized event summary listing each Snort normalized event seen over the previous 72 hour period, with the number of occurrences of each.
  • 72 hour trend graph of the total number of inbound/outbound/internal Snort events.
  • Pie chart summarizing the Snort events that have occurred over the last 72 hours, grouped into Class C (/24) address blocks. This gives high level insight into which networks are generating Snort events.
  • Event analysis for databases. For sensitive areas such as databases, alert indicators are present for Oracle and SQL, along with counts of those alerts. This gives an immediate indication of whether alerts occurred and how many were seen over the last 72 hours.
  • Event analysis for Policy Alerts and Web Client Alerts. Alert indicators are present for these two categories, along with counts of those alerts, giving the same at-a-glance view of alerts and their totals over the last 72 hours.
  • Multi-line 72 hour trend that graphs the type of Snort events being reported, such as intrusions, errors, login-failures and more.
  • Snort IDS Event Indicator that reflects events from the last hour: green when no events were seen, red when events are occurring.
  • Snort Indicator Matrix, a matrix panel whose cells illuminate red when Snort events have triggered within the respective category. Events are assigned to categories by keyword pattern matching on the Normalized and Detailed event fields.
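
To make the aggregation behind these components concrete, the following is an added Python example; it is not code from the original post, nor from Tenable's SecurityCenter or LCE, and it does not reproduce LCE's own normalization rules. It parses Snort alert_fast lines (the line layout is Snort's real alert_fast format; the sample lines, their local-range SIDs, the timestamps and the internal network ranges are constructed for this example), keeps only the 72-hour window, and derives the per-event summary, the inbound/outbound/internal split, the Class C grouping, keyword-matched categories (Oracle, SQL, Policy, Web Client) and a last-hour red/green indicator. The keyword lists in CATEGORIES are an assumption standing in for the dashboard's pattern matching.

```python
import re
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Layout of a Snort alert_fast line (IPv4 only, to keep the pattern short):
# MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [Classification: x] [Priority: n] {PROTO} src:port -> dst:port
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"      # classification is optional
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+(?:\.\d+){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+(?:\.\d+){3})(?::(?P<dport>\d+))?$"
)

# Assumed keyword lists standing in for the dashboard's keyword pattern matching.
CATEGORIES = {
    "Oracle": ("oracle", "tns"),
    "SQL": ("sql", "mysql", "mssql"),
    "Policy": ("policy",),
    "Web Client": ("web_client", "web-client", "web client"),
}

# Assumed internal address space (RFC 1918 ranges chosen for the example).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample alerts; SIDs are in the local-rule range (>= 1000000), not real rules.
SAMPLE_ALERTS = [
    "10/15-13:05:00.000000  [**] [1:1000001:1] LOCAL SQL MySQL login attempt from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44120 -> 10.0.0.5:3306",
    "10/15-12:30:00.000000  [**] [1:1000002:1] LOCAL ORACLE TNS listener probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:44121 -> 10.0.0.6:1521",
    "10/14-09:00:00.000000  [**] [1:1000003:1] LOCAL POLICY outbound IRC connection [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.10:51234 -> 198.51.100.20:6667",
    "10/15-13:50:00.000000  [**] [1:1000004:1] LOCAL WEB_CLIENT suspicious PDF download [**] [Classification: Attempted User Privilege Gain] [Priority: 1] {TCP} 198.51.100.20:80 -> 192.168.1.11:50002",
    "10/15-13:55:00.000000  [**] [1:1000005:1] LOCAL SCAN internal host sweep [**] [Priority: 3] {TCP} 192.168.1.12:40000 -> 192.168.2.1:22",
    "10/11-10:00:00.000000  [**] [1:1000001:1] LOCAL SQL MySQL login attempt from outside [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:44130 -> 10.0.0.5:3306",
]
NOW = datetime(2013, 10, 15, 14, 0, 0)   # assumed "current time" for the window


def parse_fast_alert(line, year):
    """Parse one alert_fast line; alert_fast omits the year, so the caller supplies it."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    a["time"] = datetime.strptime(f"{year}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    a["sid"], a["prio"] = int(a["sid"]), int(a["prio"])
    return a


def direction(src, dst, internal_nets):
    """Classify an alert as inbound, outbound or internal relative to the internal ranges."""
    s = any(ip_address(src) in n for n in internal_nets)
    d = any(ip_address(dst) in n for n in internal_nets)
    if s and d:
        return "internal"
    return "inbound" if d else ("outbound" if s else "external")


def class_c(ip):
    """Collapse an address to its Class C (/24) block, as the pie chart does."""
    return str(ip_network(f"{ip}/24", strict=False))


def categorize(msg):
    """Keyword match the rule message against the indicator-matrix categories."""
    low = msg.lower()
    return [name for name, keys in CATEGORIES.items() if any(k in low for k in keys)]


def summarize(lines, now, year, internal_nets, window=timedelta(hours=72)):
    """Compute the counters each dashboard component displays for the given window."""
    alerts = [a for a in (parse_fast_alert(l, year) for l in lines) if a]
    recent = [a for a in alerts if now - window <= a["time"] <= now]
    last_hour = sum(1 for a in recent if a["time"] >= now - timedelta(hours=1))
    return {
        "total": len(recent),
        "by_event": Counter(a["msg"] for a in recent),
        "by_direction": Counter(direction(a["src"], a["dst"], internal_nets) for a in recent),
        "by_class_c": Counter(class_c(a["src"]) for a in recent),
        "by_category": Counter(c for a in recent for c in categorize(a["msg"])),
        "last_hour": last_hour,
        "indicator": "red" if last_hour else "green",
    }


def demo():
    return summarize(SAMPLE_ALERTS, NOW, 2013, INTERNAL_NETS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {dict(value) if isinstance(value, Counter) else value}")
```

The sixth sample line falls outside the 72-hour window and is dropped, which is the behaviour the components rely on: a stale database alert should not keep the Oracle/SQL indicator lit. Grouping by source /24 is a choice for the example; grouping by destination block instead would answer "which networks are being targeted" rather than "which networks are generating events".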

Together, these components let the analyst click an illuminated event indicator, or browse component data for a given criterion, and be taken directly to the analysis console for further investigation.