snort ids & ips toolkit


Document information

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at sales@syngress.com for more information.

Visit us at www.syngress.com

Jay Beale's Open Source Security Series
Foreword by Stephen Northcutt, President, The SANS Technology Institute
Toby Kohlenberg, Technical Editor
Raven Alder • Dr. Everett F. (Skip) Carter, Jr • James C. Foster • Matt Jonkman • Raffael Marty • Eric Seagren

Snort® IDS and IPS Toolkit
Featuring Jay Beale and Members of the Snort Team: Andrew R. Baker, Joel Esler
NETWORK ATTACK EXAMPLES

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. Snort and the Snort logo are registered trademarks of Sourcefire, Inc.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 854HLM329D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Dr.
Burlington, MA 01803

Snort Intrusion Detection and Prevention Toolkit
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

1 2 3 4 5 6 7 8 9 0
ISBN-10: 1-59749-099-7
ISBN-13: 978-1-59749-099-3
Sourcefire is a registered trademark of Sourcefire, Inc.

Publisher: Andrew Williams
Page Layout and Art: Patricia Lupien
Acquisitions Editor: Erin Heffernan
Copy Editor: Audrey Doyle
Technical Editor: Toby Kohlenberg
Indexer: Julie Kawabata
Cover Designer: Michael Kavish

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director, at Syngress Publishing; email m.pedersen@elsevier.com or call 781-359-2450.

Acknowledgments
A special thanks to Marty Roesch and the rest of the Snort developers for all their efforts to maintain Snort: Erek Adams, Andrew R. Baker, Brian Caswell, Roman D., Chris Green, Jed Haile, Jeremy Hewlett, Jeff Nathan, Marc Norton, Chris Reid, Daniel Roelker, Marty Roesch, Dragos Ruiu, JP Vossen, Daniel Wittenberg, and Fyodor Yarochkin.
Thank you to Mike Guiterman, Michele Perry, and Joseph Boyle at Sourcefire for making this book possible.

Technical Editor
Toby Kohlenberg is a Senior Information Security Specialist for Intel Corporation.
He does penetration testing, incident response, malware analysis, architecture design and review, intrusion analysis, and various other things that paranoid geeks are likely to spend time dealing with. In the last two years he has been responsible for developing security architectures for world-wide deployments of IDS technologies, secure WLANs, Windows 2000/Active Directory, as well as implementing and training a security operations center. He is also a handler for the Internet Storm Center, which provides plenty of opportunity to practice his analysis skills. He holds the CISSP, GCFW, GCIH, and GCIA certifications. He currently resides in Oregon with his wife and daughters, where he enjoys the 9 months of the year that it rains much more than the 3 months where it's too hot.

Contributing Authors

Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1931836086). Raven Alder is the author of Chapters 1 and 2.

Andrew R. Baker is the Product Maintenance Manager for Sourcefire, Inc. His work experience includes the development and use of intrusion detection systems, security event correlation, as well as the use of vulnerability scanning software, network intrusion analysis, and network infrastructure management. Andrew has been involved in the Snort project since 2000. He is the primary developer for Barnyard, which he started working on in 2001 to address performance problems with the existing output plugins. Andrew has instructed and developed material for the SANS Institute, which is known for providing information security training and GIAC certifications. He has an MBA from the R.H. Smith School of Business at the University of Maryland and a Bachelors of Science in Computer Science from the University of Alabama at Birmingham. Andrew R. Baker is the author of Chapters 5 and 13.

Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network Security Services (a division of Taygeta Scientific Inc.). Taygeta Scientific Inc. provides contract and consulting services in the areas of scientific computing, smart instrumentation, and specialized data analysis. Taygeta Network Security Services provides security services for real-time firewall and IDS management and monitoring, passive network traffic analysis audits, external security reviews, forensics, and incident investigation. Skip holds a Ph.D. and an M.S. in Applied Physics from Harvard University. In addition he holds two Bachelor of Science degrees (Physics and Geophysics) from the Massachusetts Institute of Technology. Skip is a member of the American Society for Industrial Security (ASIS). He was contributing author of Syngress Publishing's book, Hack Proofing XML (ISBN: 1931836507). He has authored several articles for Dr. Dobbs Journal and Computer Language as well as numerous scientific papers and is a former columnist for Forth Dimensions magazine. Skip resides in Monterey, CA, with his wife, Trace, and his son, Rhett. Dr. Everett F. (Skip) Carter, Jr. is the author of Chapter 12.

[...]
Contributing Authors (preview excerpt, continued)

[...] Security Analyst, Joel developed and deployed his own IDS system, based on Snort, tcpdump, p0f, and pads throughout the Army's networks. With successful results, he quickly advanced to be the Director of Computer Defense and Information Assurance Branch of the RCERT-S, which held him responsible for many aspects of Vulnerability Scanning, IDS Deployment, and Snort Rule creation for the Army. In August of 2005, [...]

Contents (preview excerpts; only the fragments visible in the preview are listed)

Chapter 1 Intrusion Detection Systems
  • [...] Network IDS
  • Host-Based IDS
  • Distributed IDS
  • How an IDS Works
  • Where Snort Fits
  • Intrusion Detection and Network Vulnerabilities
  • Identifying Worm Infections with IDS
  • Identifying Server Exploit Attempts with IDS
  • [...] Decisions and Cautions with IDS
  • Why Are Intrusion Detection Systems Important?
  • Why Are Attackers Interested in Me?
  • What Will an IDS Do for Me?
  • What Won't an IDS Do for Me?
  • Where Does an IDS Fit with the Rest of My Security Plan?
  • Doesn't My Firewall Serve As an IDS?
  • Where Else [...]

Chapter 2 Introducing Snort 2.6
  • [...] Exploring Snort's Features
  • Packet Sniffer
  • Preprocessor
  • Detection Engine
  • Alerting/Logging Component
  • Using Snort on Your Network
  • Snort's Uses
  • Using Snort as a Packet Sniffer and Logger
  • Using Snort as an NIDS
  • Snort and Your Network Architecture
  • Snort and Switched Networks
  • Pitfalls When Running Snort
  • False Alerts
  • Upgrading Snort
  • Security Considerations with Snort
  • Snort Is Susceptible to Attacks
  • Securing Your Snort [...]

Chapter 3 Installing Snort 2.6
  • [...] Monitoring Your Snort Sensor
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 4 Configuring Snort and Add-Ons
  • Placing Your NIDS
  • Configuring Snort on a Windows System
  • Configuring Snort Options
  • Using a Snort GUI Front End
  • Configuring IDS Policy Manager
  • Configuring Snort on a Linux System
  • Configuring Snort Options
  • Using a GUI Front-End for Snort
  • Basic Analysis and Security Engine
  • Other Snort [...]

Chapter 11 Active Response
  • [...] Attack Response Based on IDS Alerts
  • SnortSam
  • Fwsnort
  • snort_inline
  • Attack and Response
  • SnortSam
  • Installation
  • Architecture
  • Snort Output Plug-In [...]

Chapter 13 Mucking Around with Barnyard
  • [...] Frequently Asked Questions

Index

Foreword (preview excerpt)

Snort Intrusion Detection and Prevention Toolkit is one of the most important books on information security; that is, if you not only read the book, but also put the knowledge [...] employees who can actually do the work. Snort Intrusion Detection and Prevention Toolkit is a great book, and it can teach you the core network traffic acquisition and analysis skills; this is a tested and proven guide to operate Snort. At one point, the creator of Snort, Marty Roesch, referred to Snort as a lightweight intrusion detection [...]

Posted: 25/03/2014, 12:08


Table of contents

  • Snort Intrusion Detection and Prevention Toolkit

    • Contents

    • Foreword

    • Intrusion Detection Systems

    • Introducing Snort 2.6

    • Installing Snort 2.6

    • Configuring Snort and Add-Ons

    • Inner Workings

    • Preprocessors

    • Playing by the Rules

    • Snort Output Plug-Ins

    • Exploring IDS Event Analysis, Snort Style

    • Optimizing Snort

    • Active Response

    • Advanced Snort

    • Mucking Around with Barnyard

    • Index
