Cover image for Managing Security with Snort & IDS Tools

Book description

Intrusion detection is not for the faint at heart. But, if you are a network administrator chances are you're under increasing pressure to ensure that mission-critical systems are safe--in fact impenetrable--from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is a vital but daunting challenge. Because of this, a plethora of complex, sophisticated, and pricy software solutions are now available. In terms of raw power and features, SNORT, the most commonly used Open Source Intrusion Detection System, (IDS) has begun to eclipse many expensive proprietary IDSes. In terms of documentation or ease of use, however, SNORT can seem overwhelming. Which output plugin to use? How do you to email alerts to yourself? Most importantly, how do you sort through the immense amount of information Snort makes available to you? Many intrusion detection books are long on theory but short on specifics and practical examples. Not Managing Security with Snort and IDS Tools. This new book is a thorough, exceptionally practical guide to managing network security using Snort 2.1 (the latest release) and dozens of other high-quality open source other open source intrusion detection programs. Managing Security with Snort and IDS Tools covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive but concise guide for monitoring illegal entry attempts, this invaluable new book explains how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices. Step-by-step instructions are provided to quickly get up and running with Snort. Each chapter includes links for the programs discussed, and additional links at the end of the book give administrators access to numerous web sites for additional information and instructional material that will satisfy even the most serious security enthusiasts. Managing Security with Snort and IDS Tools maps out a proactive--and effective--approach to keeping your systems safe from attack.

Table of Contents

  1. Managing Security with Snort and IDS Tools
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Audience
      2. About This Book
      3. Assumptions This Book Makes
      4. Chapter Synopsis
      5. Conventions Used in This Book
      6. Comments and Questions
      7. Acknowledgments
        1. Kerry Cox
        2. Christopher Gerg
    3. 1. Introduction
      1. 1.1. Disappearing Perimeters
      2. 1.2. Defense-in-Depth
      3. 1.3. Detecting Intrusions (a Hierarchy of Approaches)
      4. 1.4. What Is NIDS (and What Is an Intrusion)?
      5. 1.5. The Challenges of Network Intrusion Detection
        1. 1.5.1. Prerequisites
        2. 1.5.2. False Positives
        3. 1.5.3. Missing Prerequisites
        4. 1.5.4. Unrealistic Expectations
      6. 1.6. Why Snort as an NIDS?
      7. 1.7. Sites of Interest
    4. 2. Network Traffic Analysis
      1. 2.1. The TCP/IP Suite of Protocols
        1. 2.1.1. TCP
          1. 2.1.1.1. The three-way handshake
        2. 2.1.2. UDP
        3. 2.1.3. IP
        4. 2.1.4. ICMP
        5. 2.1.5. ARP
      2. 2.2. Dissecting a Network Packet
        1. 2.2.1. The IP Header
        2. 2.2.2. The TCP Header
      3. 2.3. Packet Sniffing
      4. 2.4. Installing tcpdump
      5. 2.5. tcpdump Basics
      6. 2.6. Examining tcpdump Output
      7. 2.7. Running tcpdump
        1. 2.7.1. Syntax Options
        2. 2.7.2. tcpdump Filters
        3. 2.7.3. tcpdump Capture of the TCP Three-Way Handshake
      8. 2.8. ethereal
        1. 2.8.1. Installing from Source
        2. 2.8.2. Available Options
        3. 2.8.3. ethereal Capture of TCP Three-Way Handshake
        4. 2.8.4. Tethereal
      9. 2.9. Sites of Interest
    5. 3. Installing Snort
      1. 3.1. About Snort
        1. 3.1.1. Snort's Commercial Counterpart
      2. 3.2. Installing Snort
        1. 3.2.1. Source Code Installation
          1. 3.2.1.1. Build-time options
        2. 3.2.2. Windows Installations
        3. 3.2.3. Staying Current
      3. 3.3. Command-Line Options
      4. 3.4. Modes of Operation
        1. 3.4.1. Snort as a Sniffer
        2. 3.4.2. Snort as a Packet Logger
        3. 3.4.3. Snort as an NIDS: Quick and Dirty
          1. 3.4.3.1. Get the latest rule sets
          2. 3.4.3.2. Initial configuration of the snort.conf file
    6. 4. Know Your Enemy
      1. 4.1. The Bad Guys
        1. 4.1.1. Opportunists, Thieves, and Vandals
        2. 4.1.2. Professionals
        3. 4.1.3. Disgruntled Current and Former Employees and Contractors
        4. 4.1.4. Robots and Worms
      2. 4.2. Anatomy of an Attack: The Five Ps
        1. 4.2.1. Probe
          1. 4.2.1.1. Mining the Web
          2. 4.2.1.2. Portscans and software version-mapping
          3. 4.2.1.3. Automated vulnerability scanners
          4. 4.2.1.4. Web page scanners
          5. 4.2.1.5. Other probe tools
        2. 4.2.2. Penetrate
          1. 4.2.2.1. Authentication grinding
          2. 4.2.2.2. Buffer overflows
          3. 4.2.2.3. Application behavior boundary flaws
          4. 4.2.2.4. System configuration errors
          5. 4.2.2.5. User input validation problems
        3. 4.2.3. Persist
        4. 4.2.4. Propagate
        5. 4.2.5. Paralyze
      3. 4.3. Denial-of-Service
      4. 4.4. IDS Evasion
      5. 4.5. Sites of Interest
    7. 5. The snort.conf File
      1. 5.1. Network and Configuration Variables
        1. 5.1.1. Default Variables from snort.conf
      2. 5.2. Snort Decoder and Detection Engine Configuration
      3. 5.3. Preprocessor Configurations
        1. 5.3.1. flow
        2. 5.3.2. frag2
        3. 5.3.3. stream4
        4. 5.3.4. stream4_reassemble
        5. 5.3.5. HTTP Inspect Preprocessor
          1. 5.3.5.1. http_inspect (global)
          2. 5.3.5.2. http_inspect_server
        6. 5.3.6. rpc_decode
        7. 5.3.7. bo
        8. 5.3.8. telnet_decode
        9. 5.3.9. flow-portscan
        10. 5.3.10. arpspoof
        11. 5.3.11. perfmonitor
      4. 5.4. Output Configurations
        1. 5.4.1. alert_syslog
        2. 5.4.2. log_tcpdump
        3. 5.4.3. Database
          1. 5.4.3.1. MySQL
          2. 5.4.3.2. PostgreSQL
          3. 5.4.3.3. ODBC
          4. 5.4.3.4. MsSQL
          5. 5.4.3.5. Oracle
        4. 5.4.4. unified
      5. 5.5. File Inclusions
    8. 6. Deploying Snort
      1. 6.1. Deploy NIDS with Your Eyes Open
      2. 6.2. Initial Configuration
        1. 6.2.1. Targeted IDS
      3. 6.3. Sensor Placement
        1. 6.3.1. Systems and Networks to Watch
        2. 6.3.2. Creating Connection Points
        3. 6.3.3. Encrypted Traffic
      4. 6.4. Securing the Sensor Itself
        1. 6.4.1. Choose an Operating System
        2. 6.4.2. Configure Interfaces
        3. 6.4.3. Disable Unnecessary Services
        4. 6.4.4. Apply Patches and Updates
        5. 6.4.5. Utilize Robust Authentication
        6. 6.4.6. Monitor System Logs
      5. 6.5. Using Snort More Effectively
      6. 6.6. Sites of Interest
    9. 7. Creating and Managing Snort Rules
      1. 7.1. Downloading the Rules
      2. 7.2. The Rule Sets
      3. 7.3. Creating Your Own Rules
        1. 7.3.1. Snort Rule Headers
        2. 7.3.2. Rule Options
        3. 7.3.3. Common Rule Options
      4. 7.4. Rule Execution
      5. 7.5. Keeping Things Up-to-Date
      6. 7.6. Sites of Interest
    10. 8. Intrusion Prevention
      1. 8.1. Intrusion Prevention Strategies
      2. 8.2. IPS Deployment Risks
      3. 8.3. Flexible Response with Snort
        1. 8.3.1. The react Response
      4. 8.4. The Snort Inline Patch
        1. 8.4.1. Configuring Snort
        2. 8.4.2. Creating Rules for the Snort Inline Patch
      5. 8.5. Controlling Your Border
        1. 8.5.1. Installing SnortSAM
        2. 8.5.2. Patching Snort to Enable Support for SnortSAM
        3. 8.5.3. Starting SnortSAM
        4. 8.5.4. Supporting the SnortSAM Output Plug-in
        5. 8.5.5. Modifying Rules That Trigger Block Requests
      6. 8.6. Sites of Interest
    11. 9. Tuning and Thresholding
      1. 9.1. False Positives (False Alarms)
      2. 9.2. False Negatives (Missed Alerts)
        1. 9.2.1. Common Causes of False Negatives
      3. 9.3. Initial Configuration and Tuning
        1. 9.3.1. Tailoring the Decoder and Preprocessors
          1. 9.3.1.1. The Snort decoder configuration
          2. 9.3.1.2. The flow preprocessor
          3. 9.3.1.3. The frag2 preprocessor
          4. 9.3.1.4. The stream4_reassemble preprocessor
          5. 9.3.1.5. The http_inspect preprocessor
          6. 9.3.1.6. The flow-portscan preprocessor
        2. 9.3.2. Tailoring the Rule Set
          1. 9.3.2.1. General rule set pruning (trimming high noise rule sets)
          2. 9.3.2.2. Tuning individual rules
      4. 9.4. Pass Rules
      5. 9.5. Thresholding and Suppression
        1. 9.5.1. Simple Thresholds
        2. 9.5.2. Global Thresholds
        3. 9.5.3. Suppression Rules
    12. 10. Using ACID as a Snort IDS Management Console
      1. 10.1. Software Installation and Configuration
        1. 10.1.1. MySQL Installation and Configuration
          1. 10.1.1.1. MySQL RPM install
          2. 10.1.1.2. Performing a MySQL source install
          3. 10.1.1.3. Adding tables and permissions
          4. 10.1.1.4. Cleaning house or reinstalling
        2. 10.1.2. Installing the Web Server
        3. 10.1.3. Installing Apache2
          1. 10.1.3.1. Installing from RPMs
          2. 10.1.3.2. Compiling the latest Apache code from source
          3. 10.1.3.3. Testing Apache and PHP
          4. 10.1.3.4. Managing dependencies
          5. 10.1.3.5. Running a secure web site
        4. 10.1.4. Final Apache Configurations
      2. 10.2. ACID Console Installation
        1. 10.2.1. Confirming GD Support
        2. 10.2.2. Customizing the ACID Configuration Files
        3. 10.2.3. The ACID Console
        4. 10.2.4. Initializing the ACID Web Page
      3. 10.3. Accessing the ACID Console
        1. 10.3.1. Using ACID
          1. 10.3.1.1. Main ACID page
          2. 10.3.1.2. Alert information
          3. 10.3.1.3. Searching and graphing
          4. 10.3.1.4. Data snapshots
      4. 10.4. Analyzing the Captured Data
        1. 10.4.1. Tracking the Alerts
          1. 10.4.1.1. Viewing the packet
          2. 10.4.1.2. Identifying known attacks
          3. 10.4.1.3. Notifying the offender
          4. 10.4.1.4. Searching the database
          5. 10.4.1.5. Graphing data for viewing
        2. 10.4.2. The Ongoing Use of the ACID Console
      5. 10.5. Sites of Interest
    13. 11. Using SnortCenter as a Snort IDS Management Console
      1. 11.1. SnortCenter Console Installation
        1. 11.1.1. Prerequisites
          1. 11.1.1.1. Installing curl Binary
        2. 11.1.2. Installing the Console Software
      2. 11.2. SnortCenter Agent Installation
        1. 11.2.1. Prerequisites
        2. 11.2.2. Installing the Agent
      3. 11.3. SnortCenter Management Console
      4. 11.4. Logging In and Surveying the Layout
        1. 11.4.1. Sensor Console
        2. 11.4.2. Sensor Configuration
        3. 11.4.3. Resources
          1. 11.4.3.1. Creating a new rule
        4. 11.4.4. Additional Resources
        5. 11.4.5. Admin
      5. 11.5. Adding Sensors to the Console
        1. 11.5.1. Configuring Sensors Within the SnortCenter Console
      6. 11.6. Managing Tasks
        1. 11.6.1. Updating Rules and Signatures
          1. 11.6.1.1. Automatic update feature
        2. 11.6.2. Managing False Positives and Negatives
        3. 11.6.3. Editing Custom Rules
    14. 12. Additional Tools for Snort IDS Management
      1. 12.1. Open Source Solutions
        1. 12.1.1. SnortReport
        2. 12.1.2. SnortSnarf
        3. 12.1.3. Cerebus
        4. 12.1.4. IDS Policy Manager
        5. 12.1.5. Oinkmaster
      2. 12.2. Commercial Solutions
        1. 12.2.1. Applied Watch Console
        2. 12.2.2. PureSecure Console
        3. 12.2.3. Sourcefire Management Console
    15. 13. Strategies for High-Bandwidth Implementations of Snort
      1. 13.1. Barnyard (and Sguil)
        1. 13.1.1. Configuring Snort's Unified Binary Output
        2. 13.1.2. Installing Barnyard
        3. 13.1.3. The barnyard.conf File
        4. 13.1.4. Barnyard Command-Line Options
        5. 13.1.5. Sguil: An Alternative Management Console
      2. 13.2. Commericial IDS Load Balancers
        1. 13.2.1. F5 Network's VLAN Mirroring with Big Iron Switches
        2. 13.2.2. Radware's Fireproof Appliance
        3. 13.2.3. Top Layer Network's IDS Balancer
      3. 13.3. The IDS Distribution System (I(DS)2)
        1. 13.3.1. A Little Background
        2. 13.3.2. The Solution
        3. 13.3.3. Installation
          1. 13.3.3.1. Layer 2 cross-connect
          2. 13.3.3.2. Policy router
    16. A. Snort and ACID Database Schema
      1. A.1. acid_ag
        1. A.1.1. acid_ag_alert
          1. A.1.1.1. acid_event
          2. A.1.1.2. acid_ip_cache
          3. A.1.1.3. data
          4. A.1.1.4. detail
          5. A.1.1.5. encoding
          6. A.1.1.6. event
          7. A.1.1.7. icmphdr
          8. A.1.1.8. iphdr
          9. A.1.1.9. opt
          10. A.1.1.10. reference
          11. A.1.1.11. reference_system
          12. A.1.1.12. schema
          13. A.1.1.13. sensor
          14. A.1.1.14. sig_class
          15. A.1.1.15. sig_reference
          16. A.1.1.16. signature
          17. A.1.1.17. tcphdr
          18. A.1.1.18. udphdr
    17. B. The Default snort.conf File
    18. C. Resources
      1. C.1. From Chapter 1: Introduction
      2. C.2. From Chapter 2: Network Traffic Analysis
      3. C.3. From Chapter 4: Know Your Enemy
      4. C.4. From Chapter 6: Deploying Snort
      5. C.5. From Chapter 7: Creating and Managing Snort Rules
      6. C.6. From Chapter 8: Intrusion Prevention
      7. C.7. From Chapter 10: Using ACID as a Snort IDS Management Console
      8. C.8. From Chapter 12: Additional Tools for Snort IDS Management
      9. C.9. From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
    19. About the Authors
    20. Colophon
    21. SPECIAL OFFER: Upgrade this ebook with O’Reilly