O'Reilly: Managing Security with Snort and IDS Tools (Aug 2004), ISBN 0596006616


Document information

Managing Security with Snort and IDS Tools
By Kerry J. Cox, Christopher Gerg
Publisher: O'Reilly
Pub Date: August 2004
ISBN: 0-596-00661-6
Pages: 288

This practical guide to managing network security covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive resource for monitoring illegal entry attempts, Managing Security with Snort and IDS Tools provides step-by-step instructions on getting up and running with Snort 2.1, and how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices.

Table of Contents

  • Copyright
  • Preface
    • Audience
    • About This Book
    • Assumptions This Book Makes
    • Conventions Used in This Book
    • Chapter Synopsis
    • Comments and Questions
    • Acknowledgments
  • Chapter 1. Introduction
    • 1.1 Disappearing Perimeters
    • 1.2 Defense-in-Depth
    • 1.3 Detecting Intrusions (a Hierarchy of Approaches)
    • 1.4 What Is NIDS (and What Is an Intrusion)?
    • 1.5 The Challenges of Network Intrusion Detection
    • 1.6 Why Snort as an NIDS?
    • 1.7 Sites of Interest
  • Chapter 2. Network Traffic Analysis
    • 2.1 The TCP/IP Suite of Protocols
    • 2.2 Dissecting a Network Packet
    • 2.3 Packet Sniffing
    • 2.4 Installing tcpdump
    • 2.5 tcpdump Basics
    • 2.6 Examining tcpdump Output
    • 2.7 Running tcpdump
    • 2.8 ethereal
    • 2.9 Sites of Interest
  • Chapter 3. Installing Snort
    • 3.1 About Snort
    • 3.2 Installing Snort
    • 3.3 Command-Line Options
    • 3.4 Modes of Operation
  • Chapter 4. Know Your Enemy
    • 4.1 The Bad Guys
    • 4.2 Anatomy of an Attack: The Five Ps
    • 4.3 Denial-of-Service
    • 4.4 IDS Evasion
    • 4.5 Sites of Interest
  • Chapter 5. The snort.conf File
    • 5.1 Network and Configuration Variables
    • 5.2 Snort Decoder and Detection Engine Configuration
    • 5.3 Preprocessor Configurations
    • 5.4 Output Configurations
    • 5.5 File Inclusions
  • Chapter 6. Deploying Snort
    • 6.1 Deploy NIDS with Your Eyes Open
    • 6.2 Initial Configuration
    • 6.3 Sensor Placement
    • 6.4 Securing the Sensor Itself
    • 6.5 Using Snort More Effectively
    • 6.6 Sites of Interest
  • Chapter 7. Creating and Managing Snort Rules
    • 7.1 Downloading the Rules
    • 7.2 The Rule Sets
    • 7.3 Creating Your Own Rules
    • 7.4 Rule Execution
    • 7.5 Keeping Things Up-to-Date
    • 7.6 Sites of Interest
  • Chapter 8. Intrusion Prevention
    • 8.1 Intrusion Prevention Strategies
    • 8.2 IPS Deployment Risks
    • 8.3 Flexible Response with Snort
    • 8.4 The Snort Inline Patch
    • 8.5 Controlling Your Border
    • 8.6 Sites of Interest
  • Chapter 9. Tuning and Thresholding
    • 9.1 False Positives (False Alarms)
    • 9.2 False Negatives (Missed Alerts)
    • 9.3 Initial Configuration and Tuning
    • 9.4 Pass Rules
    • 9.5 Thresholding and Suppression
  • Chapter 10. Using ACID as a Snort IDS Management Console
    • 10.1 Software Installation and Configuration
    • 10.2 ACID Console Installation
    • 10.3 Accessing the ACID Console
    • 10.4 Analyzing the Captured Data
    • 10.5 Sites of Interest
  • Chapter 11. Using SnortCenter as a Snort IDS Management Console
    • 11.1 SnortCenter Console Installation
    • 11.2 SnortCenter Agent Installation
    • 11.3 SnortCenter Management Console
    • 11.4 Logging In and Surveying the Layout
    • 11.5 Adding Sensors to the Console
    • 11.6 Managing Tasks
  • Chapter 12. Additional Tools for Snort IDS Management
    • 12.1 Open Source Solutions
    • 12.2 Commercial Solutions
  • Chapter 13. Strategies for High-Bandwidth Implementations of Snort
    • 13.1 Barnyard (and Sguil)
    • 13.2 Commercial IDS Load Balancers
    • 13.3 The IDS Distribution System (I(DS)2)
  • Appendix A. Snort and ACID Database Schema
    • A.1 acid_ag
  • Appendix B. The Default snort.conf File
  • Appendix C. Resources
    • C.1 From Chapter 1: Introduction
    • C.2 From Chapter 2: Network Traffic Analysis
    • C.3 From Chapter 4: Know Your Enemy
    • C.4 From Chapter 6: Deploying Snort
    • C.5 From Chapter 7: Creating and Managing Snort Rules
    • C.6 From Chapter 8: Intrusion Prevention
    • C.7 From Chapter 10: Using ACID as a Snort IDS Management Console
    • C.8 From Chapter 12: Additional Tools for Snort IDS Management
    • C.9 From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
  • Colophon
  • Index

Copyright

Copyright © 2004 O'Reilly Media, Inc. Printed in the United States of America. Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472. O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://safari.oreilly.com). For more information, contact our corporate/institutional sales department: (800) 998-9938 or corporate@oreilly.com. Nutshell Handbook, the Nutshell Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Managing Security with Snort and IDS Tools, the image of a man on a rope with an ax, and related trade dress are trademarks of O'Reilly Media, Inc. Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps. While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

Preface

This book explains how to manage your network's security using the open source tool Snort. The examples in this book are designed for use primarily on a Red Hat Linux machine. They should be fully functional on the latest Red Hat Enterprise Linux version as well as the latest Fedora release by Red Hat. All instructions were documented using the most recent Red Hat releases, patches, and software. The applications were configured using default packages needed for a standard installation, and each machine was secured according to the latest errata.

The instructions in this book apply to other Linux flavors, such as SuSE, Gentoo, Debian, and most Unix variants, including FreeBSD, OpenBSD, and Solaris. Many of the applications are available for download as source or as precompiled binaries. Since performance is often a consideration when deploying an IDS solution, you will probably find that building the applications from source yields the best results. If you do not have the time, desire, or need to build from source, the prebuilt packages should work just fine and install without trouble on most systems. Consult your Linux distribution or Unix-based operating system for further information regarding source compilation and installation. Snort binaries are also available for the Microsoft Windows platform, and instructions for running Snort on a Windows platform are included.

Links to the applications and their respective web sites are provided throughout and at the end of the chapters. Appendix C also contains a compendium of all software programs and applications referenced. Check all software sites regularly for the latest updates and information regarding their use. Many of the programs are under active development and new versions are posted frequently. Some applications require an update with the release of new Linux versions. Stay current with the most recent release in order to avoid any vulnerabilities or security issues that appear over time.

Topics covered include:

  • Packet capture and analysis using a variety of command-line and GUI utilities
  • An introduction to the interpretation of packet headers and content within an IDS environment
  • The threats to your organization's technology assets
  • Instructions for installing, configuring, tuning, and customizing an open source, enterprise-level network intrusion detection system (NIDS) for use in corporate and/or home office environments
  • A discussion of ways to utilize Snort as a sniffer, a network gateway that blocks malicious traffic, and a passive IDS sensor
  • Details on how to configure and tune your Snort IDS installation to maximize the effectiveness and minimize the labor involved in detecting and tracking down attacks
  • An in-depth look at a variety of administration tools that assist in the management of the Snort IDS environment
  • Strategies for deploying an IDS in switched, high-security, and high-bandwidth environments

Audience

This book is designed for network, system, and security administrators of large-scale enterprises as well as managers of small businesses or home offices. The instructions should be readable for those with only a small amount of network and Unix experience, but also useful for experienced administrators with a varied background in networking and system administration. To be sure, the more experienced you are, the easier it will be to interpret the results generated by the Snort IDS.

Posted: 19/04/2019, 11:10
