• Table of Contents

  Page V

• + Preface

  Page IX

  • Audience

    Page X

  • About This Book

    Page X

  • Assumptions This Book Makes

    Page XI

  • Chapter Synopsis

    Page XII

  • Conventions Used in This Book

    Page XIII

  • Comments and Questions

    Page XIV

  • + Acknowledgments

    Page XIV

    • Kerry Cox

      Page XIV

    • Christopher Gerg

      Page XVI

• + Introduction

  Page 1

  • Disappearing Perimeters

    Page 1

  • Defense-in-Depth

    Page 2

  • Detecting Intrusions (a Hierarchy ofApproaches)

    Page 3

  • What Is NIDS (and What Is an Intrusion)?

    Page 3

  • + The Challenges of Network Intrusion Detection

    Page 5

    • Prerequisites

      Page 5

    • False Positives

      Page 5

    • Missing Prerequisites

      Page 6

    • Unrealistic Expectations

      Page 6

  • Why Snort as an NIDS?

    Page 6

  • Sites of Interest

    Page 8

• + Network Traffic Analysis

  Page 9

  • + The TCP/IP Suite of Protocols

    Page 10

    • + TCP

      Page 10

      • The three-way handshake

        Page 11

    • UDP

      Page 11

    • IP

      Page 12

    • ICMP

      Page 12

    • ARP

      Page 12

  • + Dissecting a Network Packet

    Page 13

    • The IP Header

      Page 14

    • The TCP Header

      Page 16

  • Packet Sniffing

    Page 17

  • Installing tcpdump

    Page 18

  • tcpdump Basics

    Page 19

  • Examining tcpdump Output

    Page 19

  • + Running tcpdump

    Page 21

    • Syntax Options

      Page 22

    • tcpdump Filters

      Page 23

    • tcpdump Capture of the TCP Three-Way Handshake

      Page 23

  • + ethereal

    Page 24

    • Installing from Source

      Page 24

    • Available Options

      Page 24

    • ethereal Capture of TCP Three-Way Handshake

      Page 27

    • Tethereal

      Page 28

  • Sites of Interest

    Page 30

• + Installing Snort

  Page 31

  • + About Snort

    Page 31

    • Snort’s Commercial Counterpart

      Page 31

  • + Installing Snort

    Page 32

    • + Source Code Installation

      Page 32

      • Build-time options

        Page 33

    • Windows Installations

      Page 33

    • Staying Current

      Page 34

  • Command-Line Options

    Page 34

  • + Modes of Operation

    Page 39

    • Snort as a Sniffer

      Page 39

    • Snort as a Packet Logger

      Page 43

    • + Snort as an NIDS: Quick and Dirty

      Page 44

      • Get the latest rule sets

        Page 44

      • Initial configuration of the snort.conf file

        Page 45

• + Know Your Enemy

  Page 51

  • + The Bad Guys

    Page 51

    • Opportunists, Thieves, and Vandals

      Page 51

    • Professionals

      Page 52

    • Disgruntled Current and Former Employees and Contractors

      Page 52

    • Robots and Worms

      Page 53

  • + Anatomy of an Attack: The Five Ps

    Page 53

    • + Probe

      Page 54

      • Mining the Web

        Page 54

      • Portscans and software version-mapping

        Page 55

      • Automated vulnerability scanners

        Page 58

      • Web page scanners

        Page 62

      • Other probe tools

        Page 64

    • + Penetrate

      Page 64

      • Authentication grinding

        Page 65

      • Buffer overflows

        Page 66

      • Application behavior boundary flaws

        Page 66

      • System configuration errors

        Page 66

      • User input validation problems

        Page 67

    • Persist

      Page 67

    • Propagate

      Page 68

    • Paralyze

      Page 68

  • Denial-of-Service

    Page 68

  • IDS Evasion

    Page 69

  • Sites of Interest

    Page 72

• + The snort.conf File

  Page 73

  • + Network and Configuration Variables

    Page 74

    • Default Variables from snort.conf

      Page 75

  • Snort Decoder and Detection Engine Configuration

    Page 77

  • + Preprocessor Configurations

    Page 78

    • flow

      Page 79

    • frag2

      Page 79

    • stream4

      Page 80

    • stream4_reassemble

      Page 83

    • + HTTP Inspect Preprocessor

      Page 84

      • http_inspect (global)

        Page 84

      • http_inspect_server

        Page 85

    • rpc_decode

      Page 89

    • bo

      Page 89

    • telnet_decode

      Page 90

    • flow-portscan

      Page 90

    • arpspoof

      Page 94

    • perfmonitor

      Page 94

  • + Output Configurations

    Page 95

    • alert_syslog

      Page 96

    • log_tcpdump

      Page 97

    • + Database

      Page 97

      • MySQL

        Page 99

      • PostgreSQL

        Page 99

      • ODBC

        Page 99

      • MsSQL

        Page 99

      • Oracle

        Page 99

    • unified

      Page 99

  • File Inclusions

    Page 100

• + Deploying Snort

  Page 101

  • Deploy NIDS with Your Eyes Open

    Page 102

  • + Initial Configuration

    Page 103

    • Targeted IDS

      Page 103

  • + Sensor Placement

    Page 103

    • Systems and Networks to Watch

      Page 104

    • Creating Connection Points

      Page 105

    • Encrypted Traffic

      Page 106

  • + Securing the Sensor Itself

    Page 107

    • Choose an Operating System

      Page 108

    • Configure Interfaces

      Page 109

    • Disable Unnecessary Services

      Page 110

    • Apply Patches and Updates

      Page 110

    • Utilize Robust Authentication

      Page 110

    • Monitor System Logs

      Page 111

  • Using Snort More Effectively

    Page 111

  • Sites of Interest

    Page 111

• + Creating and Managing Snort Rules

  Page 112

  • Downloading the Rules

    Page 113

  • The Rule Sets

    Page 114

  • + Creating Your Own Rules

    Page 118

    • Snort Rule Headers

      Page 118

    • Rule Options

      Page 120

    • Common Rule Options

      Page 122

  • Rule Execution

    Page 130

  • Keeping Things Up-to-Date

    Page 130

  • Sites of Interest

    Page 130

• + Intrusion Prevention

  Page 131

  • Intrusion Prevention Strategies

    Page 131

  • IPS Deployment Risks

    Page 133

  • + Flexible Response with Snort

    Page 134

    • The react Response

      Page 135

  • + The Snort Inline Patch

    Page 136

    • Configuring Snort

      Page 136

    • Creating Rules for the Snort Inline Patch

      Page 137

  • + Controlling Your Border

    Page 137

    • Installing SnortSAM

      Page 138

    • Patching Snort to Enable Support for SnortSAM

      Page 138

    • Starting SnortSAM

      Page 139

    • Supporting the SnortSAM Output Plug-in

      Page 141

    • Modifying Rules That Trigger Block Requests

      Page 142

  • Sites of Interest

    Page 142

• + Tuning and Thresholding

  Page 143

  • False Positives (False Alarms)

    Page 143

  • + False Negatives (Missed Alerts)

    Page 144

    • Common Causes of False Negatives

      Page 145

  • + Initial Configuration and Tuning

    Page 146

    • + Tailoring the Decoder and Preprocessors

      Page 146

      • The Snort decoder configuration

        Page 147

      • The flow preprocessor

        Page 147

      • The frag2 preprocessor

        Page 147

      • The stream4_reassemble preprocessor

        Page 148

      • The http_inspect preprocessor

        Page 148

      • The flow-portscan preprocessor

        Page 148

    • + Tailoring the Rule Set

      Page 149

      • General rule set pruning (trimming high noise rule sets)

        Page 149

      • Tuning individual rules

        Page 150

  • Pass Rules

    Page 151

  • + Thresholding and Suppression

    Page 151

    • Simple Thresholds

      Page 151

    • Global Thresholds

      Page 153

    • Suppression Rules

      Page 153

• + Using ACID as a Snort IDS Management Console

  Page 155

  • + Software Installation and Configuration

    Page 156

    • + MySQL Installation and Configuration

      Page 156

      • MySQL RPM install

        Page 157

      • Performing a MySQL source install

        Page 158

      • Adding tables and permissions

        Page 159

      • Cleaning house or reinstalling

        Page 162

    • Installing the Web Server

      Page 163

    • + Installing Apache2

      Page 163

      • Installing from RPMs

        Page 163

      • Compiling the latest Apache code from source

        Page 164

      • Testing Apache and PHP

        Page 165

      • Managing dependencies

        Page 166

      • Running a secure web site

        Page 166

    • Final Apache Configurations

      Page 169

  • + ACID Console Installation

    Page 171

    • Confirming GD Support

      Page 172

    • Customizing the ACID Configuration Files

      Page 173

    • The ACID Console

      Page 176

    • Initializing the ACID Web Page

      Page 176

  • + Accessing the ACID Console

    Page 177

    • + Using ACID

      Page 177

      • Main ACID page

        Page 178

      • Alert information

        Page 179

      • Searching and graphing

        Page 180

      • Data snapshots

        Page 180

  • + Analyzing the Captured Data

    Page 181

    • + Tracking the Alerts

      Page 181

      • Viewing the packet

        Page 182

      • Identifying known attacks

        Page 185

      • Notifying the offender

        Page 185

      • Searching the database

        Page 187

      • Graphing data for viewing

        Page 188

    • The Ongoing Use of the ACID Console

      Page 190

  • Sites of Interest

    Page 192

• + Using SnortCenter as a Snort IDS Management Console

  Page 193

  • + SnortCenter Console Installation

    Page 193

    • + Prerequisites

      Page 193

      • Installing curl Binary

        Page 194

    • Installing the Console Software

      Page 194

  • + SnortCenter Agent Installation

    Page 196

    • Prerequisites

      Page 196

    • Installing the Agent

      Page 196

  • SnortCenter Management Console

    Page 197

  • + Logging In and Surveying the Layout

    Page 198

    • Sensor Console

      Page 199

    • Sensor Configuration

      Page 200

    • + Resources

      Page 201

      • Creating a new rule

        Page 201

    • Additional Resources

      Page 203

    • Admin

      Page 203

  • + Adding Sensors to the Console

    Page 204

    • Configuring Sensors Within the SnortCenter Console

      Page 204

  • + Managing Tasks

    Page 205

    • + Updating Rules and Signatures

      Page 205

      • Automatic update feature

        Page 205

    • Managing False Positives and Negatives

      Page 206

    • Editing Custom Rules

      Page 206

• + Additional Tools for Snort IDS Management

  Page 208

  • + Open Source Solutions

    Page 208

    • SnortReport

      Page 208

    • SnortSnarf

      Page 209

    • Cerebus

      Page 211

    • IDS Policy Manager

      Page 212

    • Oinkmaster

      Page 214

  • + Commercial Solutions

    Page 214

    • Applied Watch Console

      Page 214

    • PureSecure Console

      Page 215

    • Sourcefire Management Console

      Page 216

• + Strategies for High-Bandwidth Implementations of Snort

  Page 217

  • + Barnyard (and Sguil)

    Page 218

    • Configuring Snort’s Unified Binary Output

      Page 219

    • Installing Barnyard

      Page 219

    • The barnyard.conf File

      Page 219

    • Barnyard Command-Line Options

      Page 221

    • Sguil: An Alternative Management Console

      Page 223

  • + Commericial IDS Load Balancers

    Page 224

    • F5 Network’s VLAN Mirroring with Big Iron Switches

      Page 225

    • Radware’s Fireproof Appliance

      Page 225

    • Top Layer Network’s IDS Balancer

      Page 225

  • + The IDS Distribution System (I(DS)2)

    Page 226

    • A Little Background

      Page 226

    • The Solution

      Page 226

    • + Installation

      Page 228

      • Layer 2 cross-connect

        Page 230

      • Policy router

        Page 231

• + Snort and ACID Database Schema

  Page 233

  • acid_ag

    Page 234

  • acid_ag_alert

    Page 234

  • acid_event

    Page 234

  • acid_ip_cache

    Page 234

  • data

    Page 235

  • detail

    Page 235

  • encoding

    Page 235

  • event

    Page 235

  • icmphdr

    Page 235

  • iphdr

    Page 236

  • opt

    Page 236

  • reference

    Page 236

  • reference_system

    Page 236

  • schema

    Page 237

  • sensor

    Page 237

  • sig_class

    Page 237

  • sig_reference

    Page 237

  • signature

    Page 237

  • tcphdr

    Page 238

  • udphdr

    Page 238

• The Default snort.conf File

  Page 239

• + Resources

  Page 251

  • From Chapter1: Introduction

    Page 251

  • From Chapter2: Network Traffic Analysis

    Page 251

  • From Chapter4: Know Your Enemy

    Page 251

  • From Chapter6: Deploying Snort

    Page 252

  • From Chapter7: Creating and Managing Snort Rules

    Page 253

  • From Chapter8: Intrusion Prevention

    Page 253

  • From Chapter10: Using ACID as a Snort IDS Management Console

    Page 253

  • From Chapter12: Additional Tools for Snort IDS Management

    Page 253

  • From Chapter13: Strategies for High-Bandwidth Implementations of Snort

    Page 253

• Index

  Page 255

Intrusion detection is not for the faint at heart. But, if you are a network administrator chances are you're under increasing pressure to ensure that mission-critical systems are safe--in fact impenetrable--from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders.

Designing a reliable way to detect intruders before they get in is a vital but daunting challenge. Because of this, a plethora of complex, sophisticated, and pricy software solutions are now available. In terms of raw power and features, SNORT, the most commonly used Open Source Intrusion Detection System, (IDS) has begun to eclipse many expensive proprietary IDSes. In terms of documentation or ease of use, however, SNORT can seem overwhelming. Which output plugin to use? How do you to email alerts to yourself? Most importantly, how do you sort through the immense amount of information Snort makes available to you?

Many intrusion detection books are long on theory but short on specifics and practical examples. Not Managing Security with Snort and IDS Tools. This new book is a thorough, exceptionally practical guide to managing network security using Snort 2.1 (the latest release) and dozens of other high-quality open source other open source intrusion detection programs.

Managing Security with Snort and IDS Tools covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive but concise guide for monitoring illegal entry attempts, this invaluable new book explains how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices.

Step-by-step instructions are provided to quickly get up and running with Snort. Each chapter includes links for the programs discussed, and additional links at the end of the book give administrators access to numerous web sites for additional information and instructional material that will satisfy even the most serious security enthusiasts.

Managing Security with Snort and IDS Tools maps out a proactive--and effective--approach to keeping your systems safe from attack.