Snort2 Intrusion Detection. Syngress

Jay Beale

James C. Foster

Jeffrey Posluns Technical Advisor

Brian Caswell Technical Editor

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.



Technical Advisors
Jeffrey Posluns (SSCP, CISSP, CISA, CCNP, CCDA, GSEC) is the
Founder of SecuritySage, a leading-edge information security and privacy
consulting firm. Jeffrey oversees and directs the professional services
teams, product reviews, and innovative product development. Jeffrey has
over 11 years' experience specializing in security methodologies, audits
and controls. He has extensive expertise in the analysis of hacker tools and
techniques, intrusion detection, security policies, forensics and incident
response. Jeffrey is an industry-recognized leader known for his ability to
identify trends, resolve issues, and provide the highest quality of customer
service, educational seminars and thought-provoking presentations.
Prior to SecuritySage, Jeffrey founded and co-founded several e-commerce
and security initiatives, where he served as President and/or Chief
Technology Officer. His responsibilities included such areas as the strategy
and implementation of corporate initiatives, project management, professional
and managed services, as well as research and development. He has
also authored a variety of security-specific books, including the SSCP
Certification Study Guide & DVD Training System (Syngress Publishing,
ISBN: 1-931836-80-9), as well as whitepapers, financial and security-related
software, and security toolkits.
Jeffrey is looked to as an authority to speak on IT security related
issues and trends at conferences, in the media and law enforcement
forums. He is a regular speaker at industry conferences organized by such
groups as the Information Systems Audit and Control Association
(ISACA) and the Association of Certified Fraud Examiners (ACFE).
Jeffrey is also a trainer for the CISSP certification course.

Ryan Russell has worked in the IT field for over 13 years, focusing on
information security for the last seven. He is the primary author of Hack
Proofing Your Network: Internet Tradecraft (Syngress Publishing, ISBN: 1-928994-15-6),
and is a frequent technical editor for the Hack Proofing
series of books. Ryan founded the vuln-dev mailing list, and moderated
it for three years under the alias “Blue Boar.” He is a frequent lecturer at
security conferences, and can often be found participating in security
mailing lists and Web site discussions. Most recently, Ryan has been
writing Enforcer, an anti-worm product that uses Snort as its sensor technology.
Ryan is the Director of Software Engineering for AnchorIS.com.

Technical Editor
Brian Caswell, a highly respected member of the Snort Community, is
the Webmaster for the Snort.org site and the primary individual responsible
for maintaining the rules that drive the Snort intrusion detection
system. He is highly experienced in deploying intrusion detection systems
in both small businesses and enterprise-sized environments, and has spoken
on the topic multiple times at the CanSecWest conferences in 2002 and
2003. Brian is an employee of Sourcefire, provider of one of the world's
most advanced and flexible intrusion management solutions based on the
Snort IDS and founded by the original developer of Snort. In 2002,
Sourcefire was recognized as one of the most influential vendors in the IT
security marketplace by Information Security Magazine.

Table of Contents

Foreword

Chapter 1 Intrusion Detection Systems
Introduction
What Is Intrusion Detection?
Network IDS
Host-Based IDS
Distributed IDS
A Trilogy of Vulnerabilities
Directory Traversal Vulnerability
CodeRed Worm
Nimda Worm
What Is an Intrusion?
Using Snort to Catch Intrusions
Directory Traversal Detection Using Snort
CodeRed Detection Using Snort
Nimda Detection Using Snort
Why Are Intrusion Detection Systems Important?
Why Are Attackers Interested in Me?
Where Does an IDS Fit with the Rest of My Security Plan?
Doesn’t My Firewall Serve as an IDS?
Where Else Should I Be Looking for Intrusions?
Backdoors and Trojans
What Else Can Be Done with Intrusion Detection?
Monitoring Database Access
Monitoring DNS Functions
E-Mail Server Protection
Using an IDS to Monitor My Company Policy
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 2 Introducing Snort 2.0
Introduction
What Is Snort?
Snort System Requirements
Hardware
Operating System
Other Software
Exploring Snort’s Features
Packet Sniffer
Preprocessor
Detection Engine
Alerting/Logging Component
Using Snort on Your Network
Snort’s Uses
Using Snort as a Packet Sniffer and Logger
Using Snort as an NIDS
Snort and Your Network Architecture
Snort and Switched Networks
Pitfalls When Running Snort
False Alerts
Upgrading Snort
Security Considerations with Snort
Snort Is Susceptible to Attacks
Securing Your Snort System
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 3 Installing Snort
Introduction
A Brief Word about Linux Distributions
Debian
Slackware
Gentoo
Installing PCAP
Installing libpcap from Source
Installing libpcap from RPM
Installing Snort
Installing Snort from Source
Customizing Your Installation: Editing the snort.conf File
Enabling Features via configure
Installing Snort from RPM
Installation on the Microsoft Windows Platform
Installing Bleeding-Edge Versions of Snort
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 4 Snort: The Inner Workings
Introduction
Snort Components
Capturing Network Traffic
The OSI and TCP/IP Models
Packet Sniffing
A Network Card in Promiscuous Mode
What Is the libpcap Library?
How Does Snort Link into libpcap?
Decoding Packets
Storage of Packets
Processing Packets 101
Preprocessors
The _decode Family of Preprocessors
The frag2 Preprocessor
The stream4 Preprocessor
The portscan Family of Preprocessors
Other Preprocessors
Understanding Rule Parsing and Detection Engines
Rules Builder
Rule Format
What Is a 3D Linked List?
How a Packet Is Matched
Pass Rules
Detection Plug-Ins
Snort 2.0 Rule Design
Output and Logs
Snort as a Quick Sniffer
Output Format
Berkeley Packet Filter Commands
Log to Disk
Log In to a pcap Format
Intrusion Detection Mode
Snort Logging
Logging Formats
Snort for Honeypot Capture and Analysis
Logging to Databases
Snort Reporting Front Ends
Alerting Using SNMP
Barnyard and Unified Output
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 5 Playing by the Rules
Introduction
Understanding Configuration Files
Defining and Using Variables
Using Variables for Instructions
Including Rule Files
The Rule Header
Rule Action Options
Supported Protocols
Assigning Source and Destination IP Addresses to Rules
Assigning Source and Destination Ports
Understanding Direction Operators
Activate and Dynamic Rule Characteristics
The Rule Body
Rule Content
ASCII Content
Including Binary Content
The depth Option
The offset Option
The nocase Option
The session Option
Uniform Resource Identifier Content
The stateless Option
Regular Expressions
Flow Control
IP Options
Fragmentation Bits
Equivalent Source and Destination IP Option
IP Protocol Options
ID Option
Type of Service Option
Time-To-Live Option
TCP Options
Sequence Number Options
TCP Flags Option
TCP ACK Option
ICMP Options
ID
Sequence
The icode Option
The itype Option
Rule Identifier Options
Snort ID Options
Rule Revision Number
Severity Identifier Option
Classification Identifier Option
External References
Miscellaneous Rule Options
Messages
Logging
TAG
Dsize
RPC
Real-Time Countermeasures
Components of a Good Rule
Action Events
Ensuring Proper Content
Merging Subnet Masks
Testing Your Rules
Stress Tests
Individual Snort Rule Tests
Berkeley Packet Filter Tests
Tuning Your Rules
Configuring Rule Variables
Disabling Rules
Berkeley Packet Filters
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 6 Preprocessors
Introduction
What Is a Preprocessor?
Preprocessor Options for Reassembling Packets
The stream4 Preprocessor
TCP Statefulness
Session Reassembly
stream4’s Output
frag2—Fragment Reassembly and Attack Detection
Configuring frag2
frag2 Output
Preprocessor Options for Decoding and Normalizing Protocols
Telnet Negotiation
Configuring the telnet_negotiation Preprocessor
telnet_negotiation Output
HTTP Normalization
Configuring the HTTP Normalization Preprocessor
http_decode’s Output
rpc_decode
Configuring rpc_decode
rpc_decode Output
Preprocessor Options for Nonrule or Anomaly-Based Detection
portscan
Configuring the portscan Preprocessor
Back Orifice
Configuring the Back Orifice Preprocessor
General Nonrule-Based Detection
Experimental Preprocessors
arpspoof
asn1_decode
fnord
portscan2 and conversation
Configuring the portscan2 Preprocessor
Configuring the conversation Preprocessor
perfmonitor
Writing Your Own Preprocessor
Reassembling Packets
Decoding Protocols
Nonrule or Anomaly-Based Detection
Setting Up My Preprocessor
What Am I Given by Snort?
Examining the Argument Parsing Code
Getting the Preprocessor’s Data Back into Snort
Adding the Preprocessor into Snort
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 7 Implementing Snort Output Plug-Ins
Introduction
What Is an Output Plug-In?
Key Components of an Output Plug-In
Exploring Output Plug-In Options
Default Logging
Syslog
PCAP Logging
Snortdb
Unified Logs
Why Should I Use Unified Logs?
What Do I Do with These Unified Files?
Writing Your Own Output Plug-In
Why Should I Write an Output Plug-In?
Setting Up My Output Plug-In
Dealing with Snort Output
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 8 Exploring the Data Analysis Tools
Introduction
Using Swatch
Performing a Swatch Installation
Configuring Swatch
Using Swatch
Using ACID
Installing ACID
Prerequisites for Installing ACID
Configuring ACID
Using ACID
Querying the Database
Alert Groups
Graphical Features of ACID
Managing Alert Databases
Using SnortSnarf
Installing SnortSnarf
Configuring Snort to Work with SnortSnarf
Basic Usage of SnortSnarf
Using IDScenter
Installing IDScenter
Configuring IDScenter
Minimal Configuration of IDScenter
Basic Usage of IDScenter
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 9 Keeping Everything Up to Date
Introduction
Applying Patches
Updating Rules
How Are the Rules Maintained?
How Do I Get Updates to the Rules?
Oinkmaster
How Do I Merge These Changes?
Using IDScenter to Merge Rules
Testing Rule Updates
Testing the New Rules
Watching for Updates
Mailing Lists and News Services to Watch
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 10 Optimizing Snort
Introduction
How Do I Choose What Hardware to Use?
What Constitutes “Good” Hardware?
Processors
RAM Requirements
Storage Medium
Network Interface Card
How Do I Test My Hardware?
How Do I Choose What Operating System to Use?
What Makes a “Good” OS for a NIDS?
What OS Should I Use?
How Do I Test My OS Choice?
Speeding Up Your Snort Installation
Deciding Which Rules to Enable
Configuring Preprocessors for Speed
Using Generic Variables
Choosing an Output Plug-In
Benchmarking Your Deployment
Benchmark Characteristics
Attributes of a Good Benchmark
Attributes of a Poor Benchmark
What Options Are Available for Benchmarking?
IDS Informer
IDS Wakeup
Sneeze
Miscellaneous Options
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 11 Mucking Around with Barnyard
Introduction
What Is Barnyard?
Preparation and Installation of Barnyard
How Does Barnyard Work?
Using the Barnyard Configuration File
Barnyard Innards
Configuration Declarations
Data Processors
Output Plug-Ins
Create and Display a Binary Log Output File
Running Barnyard
Barnyard Output Explanation
What Are the Output Options for Barnyard?
But I Want My Output Like “This”
An Example Output Plug-In
Using plugbase.h and plugbase.c
Summary
Solutions Fast Track
Frequently Asked Questions

Chapter 12 Advanced Snort
Introduction
Policy-Based IDS
Defining a Network Policy for the IDS
An Example of Policy-Based IDS
Policy-Based IDS in Production
Inline IDS
Where Did the Inline IDS for Snort Come From?
Installation of Snort in Inline Mode
Using Inline IDS to Protect Your Network
Is Inline IDS the Tool for Me?
Summary
Solutions Fast Track
Frequently Asked Questions

Index




Introduction
“Intruder Alert! Intruder Alert! Warning, Will Robinson!” When we heard that
ominous announcement emanating from a robot as it twisted and turned with arms
thrashing and head spinning, we sat galvanized to our televisions waiting for the
intruder to reveal itself. Would this be the end of Will Robinson, as we knew him?

All right, this might be a bit dramatic for a prelude to a discussion of intrusion
detection, but for most security administrators, when a beeper goes off
there is a moment of anxiety. Is this the big one? Did they get in? Do they own
my network? Do they own my data?

These and many other questions flood the mind of the well-prepared security
administrator. On the other hand, the ill-prepared security administrator, being
totally unaware of the intrusion, experiences little anxiety. For him, the anxiety comes later.

Okay, so how can a security-minded administrator protect his network from
intrusions? The answer to that question is quite simple: with an intrusion detection system.

What Is Intrusion Detection?
Webster’s dictionary defines an intrusion as “the act of thrusting in, or of entering
into a place or state without invitation, right, or welcome.” When we speak of
intrusion detection, we are referring to the act of detecting an unauthorized
intrusion by a computer on a network. This unauthorized access, or intrusion, is an
attempt to compromise, or otherwise do harm to, other network devices.

An Intrusion Detection System (IDS) is the high-tech equivalent of a burglar
alarm—a burglar alarm configured to monitor access points, hostile activities, and
known intruders. The simplest way to define an IDS might be to describe it as a
specialized tool that knows how to read and interpret the contents of log files
from routers, firewalls, servers, and other network devices. Furthermore, an IDS
often stores a database of known attack signatures and can compare patterns of
activity, traffic, or behavior it sees in the logs it is monitoring against those signatures
to recognize when a close match between a signature and current or recent
behavior occurs. At that point, the IDS can issue alarms or alerts, take various
kinds of automatic action ranging from shutting down Internet links or specific
servers to launching backtraces, and make other active attempts to identify
attackers and actively collect evidence of their nefarious activities.
Product details
File size: 7,211 KB
Pages: 559
File type: PDF
ISBN: 1-931836-74-4
Copyright: 2003 by Syngress Publishing, Inc.