
Snort IDS on a Linksys WRT54GS

I've been very satisfied with the performance, features, and reliability of the OpenWRT firmware on the Linksys WRT54GS wireless gateway router. The WRT54GS I bought two years ago has 32 MB of flash RAM, most of which goes unused with a stock OpenWRT installation, so I figured it would be an interesting exercise to install the Snort Intrusion Detection System (IDS) on it to report potential network attacks and anomalies.

Snort is the most popular open-source IDS available, and comes with an actively updated set of signatures and rules for identifying attack patterns in network traffic. The primary concern with running an IDS on the WRT54GS is the scarcity of computational and storage resources: its processor is fairly weak compared with the desktop systems we're used to, and the memory available for storage and for running processes is extremely limited. Linksys equipped the early WRT54GS models with 32 MB of flash RAM but later reduced it to 16 MB, presumably to cut manufacturing costs, so owners of an older model are actually better off here. Here's an indication of resource utilization with Snort running:

[Screenshot: OpenWRT resources with Snort]

I installed the Snort package using the OpenWRT admin console, pointing the installer at the "Nico Testing" repository (http://nthill.free.fr/openwrt/ipkg/testing). Once Snort was installed, I edited the Snort configuration file (/etc/snort/snort.conf) and was snorting in no time. I found the article on Linux.com very helpful; it inspired me to start the project and offered guidance along the way.

I also configured Snort to log messages to a Linux PC on the LAN. Resources are so scarce on the WRT54GS that it isn't practical to store log messages locally. Instead, Snort currently sends its alerts to the router's syslog daemon, which forwards them to a Linux machine on the LAN; that machine then commits them to its local log. Next, I'd like to store the log messages in a MySQL database rather than a flat syslog text file, since several log-visualization tools (e.g. ACID) can present the data in a more meaningful format, such as in a web browser.
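As an added example (not part of the original post, and not Snort's or OpenWRT's own code), here is a small Python script for the LAN-side Linux machine that takes the alert lines Snort's syslog output produces, parses them into structured records, loads them into a SQLite table as a stand-in for the MySQL database mentioned above, and reports which sources have triggered repeated high-priority alerts. It assumes the alert_syslog output plugin's line format ("[gid:sid:rev] message [Classification: ...] [Priority: N] {PROTO} src:port -> dst:port"); the host names, addresses, signature IDs and log lines below are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample of what the LAN syslog host receives once the router's
# syslogd forwards Snort's alert_syslog output (hosts, addresses and SIDs are
# illustrative, not captured from a real network). The non-Snort cron line is
# included to show that unrelated syslog traffic is skipped.
SAMPLE_LOG = """\
Mar  3 22:14:07 openwrt snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.168.1.10:1434
Mar  3 22:14:09 openwrt snort[1234]: [1:1917:6] SCAN UPnP service discover attempt [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.168.1.20:1900 -> 239.255.255.250:1900
Mar  3 22:15:01 openwrt snort[1234]: [1:2003:8] MS-SQL Worm propagation attempt [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.168.1.11:1434
Mar  3 22:15:30 openwrt cron[88]: (root) CMD (/sbin/hotplug)
Mar  3 22:16:12 openwrt snort[1234]: [1:469:3] ICMP PING NMAP [Classification: Attempted Information Leak] [Priority: 2] {ICMP} 198.51.100.9 -> 192.168.1.1
"""

# One syslog line from Snort's alert_syslog output plugin. The Classification
# field is optional (rules without a classtype omit it) and ICMP alerts carry
# no port numbers, so both are optional in the pattern.
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"(?:\[Classification: (?P<cls>[^\]]+)\] )?"
    r"\[Priority: (?P<pri>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for one Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "pri"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_log(text):
    """Parse every Snort alert in a block of syslog text, skipping other lines."""
    records = []
    for line in text.splitlines():
        rec = parse_alert(line)
        if rec is not None:
            records.append(rec)
    return records


def load_alerts(records, conn=None):
    """Store parsed alerts in a SQLite table (in memory by default); return the connection.

    The schema is a stand-in for the MySQL table a tool such as ACID would query.
    """
    if conn is None:
        conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE IF NOT EXISTS alerts ("
        "ts TEXT, host TEXT, gid INTEGER, sid INTEGER, rev INTEGER, msg TEXT, "
        "classification TEXT, priority INTEGER, proto TEXT, "
        "src TEXT, sport INTEGER, dst TEXT, dport INTEGER)"
    )
    conn.executemany(
        "INSERT INTO alerts VALUES (?,?,?,?,?,?,?,?,?,?,?,?,?)",
        [(r["ts"], r["host"], r["gid"], r["sid"], r["rev"], r["msg"], r["cls"],
          r["pri"], r["proto"], r["src"], r["sport"], r["dst"], r["dport"])
         for r in records],
    )
    conn.commit()
    return conn


def repeat_offenders(conn, max_priority=2, min_alerts=2):
    """Sources with at least min_alerts alerts at Snort priority max_priority or better.

    Snort priority 1 is the most severe, so "better" means a lower number.
    Returns a list of (src, count) tuples, most active source first.
    """
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM alerts WHERE priority <= ? "
        "GROUP BY src HAVING n >= ? ORDER BY n DESC, src",
        (max_priority, min_alerts),
    ).fetchall()


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    conn = load_alerts(recs)
    print("%d alerts loaded" % len(recs))
    for src, n in repeat_offenders(conn):
        print("%s: %d high-priority alerts" % (src, n))
```

Pointing load_alerts at a file-backed connection (sqlite3.connect("/var/lib/snort/alerts.db"), for instance) instead of ":memory:" gives a persistent table; swapping the sqlite3 connection for a MySQL one needs only the placeholder style changed, since the queries are plain SQL.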