Snort For Dummies, Wiley


by Charlie Scott, Paul Wolfe, and Bert Hayes


About the Authors
Charlie Scott is an Information Security Analyst for the City of Austin, where
he helps maintain the City’s network security infrastructure and helps analyze
intrusion detection data. He has nearly ten years of experience in the Internet
industry and has been an avid user of open source security software that entire
time. Charlie is a Certified Information Systems Security Professional (CISSP)
and a Cisco Certified Network Professional (CCNP).

Bert Hayes is a Security Technical Analyst for the State of Texas, where he
maintains network security for a medium-sized agency. In Bert's ten years
of IT industry experience, he has done everything from managing a corporate
IT shop during a successful IPO to performing white hat penetration tests for
corporate and government offices. He has long been a proponent of open
source solutions, and is a Red Hat Certified Engineer (RHCE).

Paul Wolfe is an independent information security consultant and author,
specializing in open source security.

Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Media Development
Project Editor: Pat O’Brien
Acquisitions Editor: Melody Layne
Copy Editor: Barry Childs-Helton
Technical Editor: Jamie Pugh
Editorial Manager: Kevin Kirschner
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant (www.the5thwave.com)
Composition
Project Coordinator: Courtney MacIntyre
Layout and Graphics: Andrea Dahl, Stephanie D. Jumper, Lynsey Osborn, Heather Ryan
Proofreaders: Laura Albert, David Faust, Andy Hollandbeck, Brian H. Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services


Contents at a Glance
Introduction
Part I: Getting to Know Snort and Intrusion Detection
  Chapter 1: Looking Up Snort's Nose
  Chapter 2: Fitting In Snort
  Chapter 3: Readying Your Preflight Checklist
  Chapter 4: Makin' Bacon: Installing Snort for Linux
  Chapter 5: Installing Snort and MySQL for Windows
Part II: Administering Your Snort Box
  Chapter 6: Snorting Through Logs and Alerts
  Chapter 7: Adding Visuals and Getting Reports
  Chapter 8: Making Your Own Rules
  Chapter 9: What, Me Worry?
  Chapter 10: Dealing with the Real Thing
Part III: Moving Beyond the Basics
  Chapter 11: Reacting in Real Time
  Chapter 12: Keeping Snort Up to Date
  Chapter 13: Filling Your Farm with Pigs
  Chapter 14: Using the Barnyard Output Tool
Part IV: The Part of Tens
  Chapter 15: Ten Cool Tools for Snort
  Chapter 16: Ten Snort Information Resources
Appendix A: What's On the CD-ROM
Index

Table of Contents

Introduction
  Who Should Read This Book?
  About This Book
  How to Use This Book
  What You Don't Need to Read
  Foolish Assumptions
  How This Book Is Organized
    Part I: Getting to Know Snort and Intrusion Detection
    Part II: Administering Your Snort Box
    Part III: Moving Beyond the Basics
    Part IV: The Part of Tens
  Icons Used in This Book
  Where to Go from Here

Part I: Getting to Know Snort and Intrusion Detection

Chapter 1: Looking Up Snort's Nose
  Why All the Hubbub about Security?
  What Is an IDS, and Why Have One?
    Key IDS concepts
    Don't put all your eggs in the firewall basket
  Why Snort?
  Snort's Components
  Glancing at Snort's Output
  Visualizing with Consoles
  Getting to Know Snort's Buddies

Chapter 2: Fitting In Snort
  Network-Based IDS
    Finding a home for your Snort sensor
  Inviting More Pigs to the Party
    A single, all-seeing Snort sensor
    Eyes and ears everywhere

Chapter 3: Readying Your Preflight Checklist
  Choosing Your Operating System
    Running Linux: the pig digs the penguin
    The pig jumps through Windows
    Which operating system is right for me?
  Sizing Up Your System
    Keep the packets flowing
    Looking at hardware options

Chapter 4: Makin' Bacon: Installing Snort for Linux
  Staying Safe
    Starting with a clean slate
    Keeping a low profile
    Compile from source code or install a binary?
    Securing the SSH daemon
    PGP and hashing: Accept no substitutes
    Compiling the code
    Physical security
    Loose ends
  Installing MySQL for Linux
    Getting the code
    Preparing your system for MySQL
    Compiling and installing MySQL
  Installing Snort for Linux
    But wait, there's more
    Downloading and compiling Snort
    Configuring Snort
    Is this thing on?
    Starting up Snort at boot time

Chapter 5: Installing Snort and MySQL for Windows
  The Windows Snort IDS Box
    Choosing your Windows OS
    MySQL, your SQL
    Two resource hogs: Windows and Snort
  Keeping Your Windows Locked
    Limit physical access
    Tighten OS access control
    Harden the OS
  Installing the Base Snort System
    WinPcap
    Time for a Snort
  Bending Snort to Your Will
    Network settings
    Rules, rules, rules
    Include configuration
  Testing the Installation
    Sniffer mode
    Packet logger
  Setting Up MySQL for Snort
    Installing MySQL
    Digging in SQL guts
    Is this thing on?
    Locking MySQL and throwing away the key
  Configuring Snort as a Service
    Windows 2000, XP, and 2003 service commands
    Installing Snort as a service

Part II: Administering Your Snort Box

Chapter 6: Snorting Through Logs and Alerts
  Snort's Basic Output
    tcpdump binary
    ASCII logging
    Logging to a database
    Snort's output facilities
  Snort's Output Modules
    Alerting modules
    Logging modules
    Snort logging to a database
    Unified logging

Chapter 7: Adding Visuals and Getting Reports
  The ACID Dependency Soup
    ACID
    PHP
    Web server
    ADODB
    PHPlot and JpGraph
  Preparing ACID and Its Dependencies
    Gathering the necessary files
    Installing and configuring a Web server
    Installing and configuring PHP
    Installing and configuring ADODB
    Installing and configuring PHPlot and JpGraph
  Installing and Configuring ACID
    Preparing MySQL on Linux and Windows
    Preparing the MySQL databases
    Installing the ACID console
    Editing the ACID configuration file
    Configuring IIS for the ACID console
    Taking the ACID test
  Using ACID to View Snort Alerts
    The main ACID console page
    Graphing and reporting
    Maintenance

Chapter 8: Making Your Own Rules
  The Power of the Pig
  The Center of Snort's Universe
    Picking apart the snort.conf file
    Playing by the rules
  Rule Installation
    How the rules files are organized
    An in-depth rule structure
    Elements of the rule header
    Elements of the rule body
    How does Snort deal with all those rules?
  Rule Refinements
    Trimming the fat
    Making adjustments
    Building a rule from whole cloth

Chapter 9: What, Me Worry?
  Preprocessing Punk Packets
    Defining preprocessing
    Understanding the benefits of preprocessing
    Looking under the packet magnifying glass
    Detecting anomalies
    Keeping packets in a row
    Normalizing network traffic
    Deciding what's normal and what's not
  Fine Tuning: Reducing False Positives
    Removing unnecessary rules
    Using a security audit tool

Chapter 10: Dealing with the Real Thing
  Developing an Incident Response Plan
  Houston, We Have an Incident
    Benign alerts
    Malicious alerts
    Checking an attack with ACID
  Using Snort to Track an Attack
    Obtaining more information on an alert
    Digging into a triggered alert
  Halting the Attack
    Pulling the network plug
    Pulling the power plug
  Looking through Logs
    Locating Unix and Linux logs
    Using the Windows Event Viewer
    Knowing what to look for in your logs
    Keeping your logs safe
  Looking for Odd Running Processes
    Viewing processes in Unix and Linux
    Viewing processes in Windows
  Looking for Odd Files
    Linux
    Windows 2000
    Windows XP
  Looking for Odd Network Services
  Recovering from the Incident
  Learning from the Attack

Part III: Moving Beyond the Basics

Chapter 11: Reacting in Real Time
  Integrating Snort into Your Security Strategy
    Using Syslog-ng for log wrangling
  Using Swatch to Watch Your Log Files
    Downloading and installing Swatch
    Configuring Swatch
    Starting Swatch
  Firewalling Suspicious Traffic in Real Time
    Blocking malicious network traffic with SnortSam

Chapter 12: Keeping Snort Up to Date
  Updating Rules with Oinkmaster
    Obtaining and installing Oinkmaster
    Mastering Oinkmaster
  Upgrading Snort
    Preparing for the upgrade
    Completing the upgrade
    Testing

Chapter 13: Filling Your Farm with Pigs
  Pigs on the Perimeter
    Preparing for deployment
    Setting up a Snort sensor for an internal network
    Snort sensor in the DMZ
  Catching All the Oinks
    Multiple output configuration
  Securing Snort's Output
    Getting and installing stunnel
    Configuring and running stunnel as a server
    Configuring and running stunnel as a client
    Running Snort and stunnel

Chapter 14: Using the Barnyard Output Tool
  Barnyard for Fast Output
    What does Barnyard do?
  Installing and Configuring Barnyard
    Prerequisites
    Extracting the archive
    Configuring Barnyard
    Making and installing
  Fitting Barnyard into Your Snort Environment
    Setting up Snort for unified logging
    Configuring Barnyard
    Starting Barnyard

Part IV: The Part of Tens

Chapter 15: Ten Cool Tools for Snort
  Alert-Management Tools
    SnortSnarf
    Snort Alert Monitor
    Pig Sentry
  Alert-Reporting Tools
    RRD-Snort
    Snortalog
  Alert-Response Tools
    SnortFW
    Guardian
  Intrusion-Management Tools
    MIDAS
    Demarc PureSecure
    IDScenter

Chapter 16: Ten Snort Information Resources
  The Snort.org Web Site
  The Snort Mailing Lists
  The SANS Institute
  The Whitehats Security Forums
  The SecurityFocus IDS Mailing List
  The WINSNORT.com Web Site
  The My-snort.org Web Site
  The LinuxSecurity.com Web Site
  The Freshmeat.net Web Site
  Our Web Site

Appendix A: What's On the CD-ROM

Index

About This Book
Snort For Dummies is a reference guide for installing, configuring, deploying,
and managing Snort IDS sensors on your network. This book covers everything
from why you need an IDS, to installing Snort, to dealing with network
attacks, to deploying multiple Snort sensors. There are thousands of ways
that Snort can be deployed and a myriad of databases, logging systems, and
tools it works with. We focus on the tools and techniques that are widely
deployed and known to work best with Snort, while remaining generic
enough that the information should be helpful no matter what your situation.
Whether you're watching for attacks on a home network, a small company
network, or an enterprise network, Snort For Dummies provides you with the
information you need.

Product details
ISBN: 0-7645-6835-3
Print length: 385 pages
File type: PDF (7,217 KB)
Copyright 2004 by Wiley Publishing, Inc.