
Book description

If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort. Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will use every day, such as:

  • installation

  • optimization

  • logging

  • alerting

  • rules and signatures

  • detecting viruses

  • countermeasures

  • detecting common attacks

  • administration

  • honeypots

  • log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus--and still have a life.

Table of Contents

  1. Snort Cookbook
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Audience
      2. Contents of This Book
      3. Conventions Used in This Book
      4. Using Code Examples
      5. Safari Enabled
      6. How to Contact Us
      7. Acknowledgments
        1. Angela Orebaugh
        2. Simon Biles
        3. Jake Babbin
    3. 1. Installation and Optimization
      1. Introduction
      2. 1.1. Installing Snort from Source on Unix
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 1.2. Installing Snort Binaries on Linux
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 1.3. Installing Snort on Solaris
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 1.4. Installing Snort on Windows
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 1.5. Uninstalling Snort from Windows
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 1.6. Installing Snort on Mac OS X
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 1.7. Uninstalling Snort from Linux
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 1.8. Upgrading Snort on Linux
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 1.9. Monitoring Multiple Network Interfaces
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 1.10. Invisibly Tapping a Hub
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 1.11. Invisibly Sniffing Between Two Network Points
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 1.12. Invisibly Sniffing 100 MB Ethernet
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 1.13. Sniffing Gigabit Ethernet
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 1.14. Tapping a Wireless Network
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 1.15. Positioning Your IDS Sensors
        1. Problem
        2. Solution
        3. Discussion
          1. Small business (or geek at home)
          2. Medium-sized business
          3. Larger organizations
        4. See Also
      17. 1.16. Capturing and Viewing Packets
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      18. 1.17. Logging Packets That Snort Captures
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      19. 1.18. Running Snort to Detect Intrusions
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      20. 1.19. Reading a Saved Capture File
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      21. 1.20. Running Snort as a Linux Daemon
        1. Problem
        2. Solution
        3. See Also
      22. 1.21. Running Snort as a Windows Service
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      23. 1.22. Capturing Without Putting the Interface into Promiscuous Mode
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      24. 1.23. Reloading Snort Settings
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      25. 1.24. Debugging Snort Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      26. 1.25. Building a Distributed IDS (Plain Text)
        1. Problem
        2. Solution
        3. Discussion
          1. Client side
          2. Server side
        4. See Also
      27. 1.26. Building a Distributed IDS (Encrypted)
        1. Problem
        2. Solution
          1. Client side
          2. Encryption only
          3. Server side
        3. Discussion
        4. See Also
    4. 2. Logging, Alerts, and Output Plug-ins
      1. Introduction
      2. 2.1. Logging to a File Quickly
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 2.2. Logging Only Alerts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 2.3. Logging to a CSV File
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 2.4. Logging to a Specific File
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 2.5. Logging to Multiple Locations
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 2.6. Logging in Binary
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 2.7. Viewing Traffic While Logging
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 2.8. Logging Application Data
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 2.9. Logging to the Windows Event Viewer
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 2.10. Logging Alerts to a Database
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 2.11. Installing and Configuring MySQL
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 2.12. Configuring MySQL for Snort
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 2.13. Using PostgreSQL with Snort and ACID
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 2.14. Logging in PCAP Format (TCPDump)
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 2.15. Logging to Email
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      17. 2.16. Logging to a Pager or Cell Phone
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      18. 2.17. Optimizing Logging
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      19. 2.18. Reading Unified Logged Data
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      20. 2.19. Generating Real-Time Alerts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      21. 2.20. Ignoring Some Alerts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      22. 2.21. Logging to System Logfiles
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      23. 2.22. Fast Logging
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      24. 2.23. Logging to a Unix Socket
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      25. 2.24. Not Logging
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      26. 2.25. Prioritizing Alerts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      27. 2.26. Capturing Traffic from a Specific TCP Session
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      28. 2.27. Killing a Specific Session
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    5. 3. Rules and Signatures
      1. Introduction
      2. 3.1. How to Build Rules
        1. Problem
        2. Solution
          1. Protocol rules
          2. Port rules
          3. Application rules
        3. Discussion
        4. See Also
      3. 3.2. Keeping the Rules Up to Date
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 3.3. Basic Rules You Shouldn't Leave Home Without
        1. Problem
        2. Solution
        3. Discussion
        4. See also
      5. 3.4. Dynamic Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 3.5. Detecting Binary Content
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 3.6. Detecting Malware
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 3.7. Detecting Viruses
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 3.8. Detecting IM
        1. Problem
        2. Solution
          1. AOL IM
          2. Yahoo! IM (YIM)
          3. MSN IM
        3. Discussion
        4. See Also
      10. 3.9. Detecting P2P
        1. Problem
        2. Solution
          1. Kazaa
          2. BitTorrent
          3. Gnutella
        3. Discussion
        4. See Also
      11. 3.10. Detecting IDS Evasion
        1. Problem
        2. Solution
        3. Discussion
          1. Stream4
          2. Frag2
          3. Arpspoof
          4. Http_inspect
        4. See Also
      12. 3.11. Countermeasures from Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 3.12. Testing Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 3.13. Optimizing Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 3.14. Blocking Attacks in Real Time
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 3.15. Suppressing Rules
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      17. 3.16. Thresholding Alerts
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      18. 3.17. Excluding from Logging
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      19. 3.18. Carrying Out Statistical Analysis
        1. Problem
        2. Solution
        3. Discussion
          1. closed-dport
          2. dead-dest
          3. odd-dport
          4. odd-port-dest
          5. odd-typecode
        4. See Also
    6. 4. Preprocessing: An Introduction
      1. Introduction
      2. 4.1. Detecting Stateless Attacks and Stream Reassembly
        1. Problem
        2. Solution
          1. Stream4
          2. Stream4_reassemble
        3. Discussion
          1. stream4_reassemble
        4. See Also
      3. 4.2. Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 4.3. Detecting and Normalizing HTTP Traffic
        1. Problem
        2. Solution
          1. Global examples
          2. Server examples
        3. Discussion
        4. See Also
      5. 4.4. Decoding Application Traffic
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 4.5. Detecting Port Scans and Talkative Hosts
        1. Problem
        2. Solution
          1. Portscan
          2. Portscan2
          3. Flow-portscan
        3. Discussion
        4. See Also
      7. 4.6. Getting Performance Metrics
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 4.7. Experimental Preprocessors
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 4.8. Writing Your Own Preprocessor
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    7. 5. Administrative Tools
      1. Introduction
      2. 5.1. Managing Snort Sensors
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 5.2. Installing and Configuring IDScenter
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 5.3. Installing and Configuring SnortCenter
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 5.4. Installing and Configuring Snortsnarf
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 5.5. Running Snortsnarf Automatically
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 5.6. Installing and Configuring ACID
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 5.7. Securing ACID
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 5.8. Installing and Configuring Swatch
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 5.9. Installing and Configuring Barnyard
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 5.10. Administering Snort with IDS Policy Manager
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 5.11. Integrating Snort with Webmin
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 5.12. Administering Snort with HenWen
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 5.13. Newbies Playing with Snort Using EagleX
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    8. 6. Log Analysis
      1. Introduction
      2. 6.1. Generating Statistical Output from Snort Logs
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 6.2. Generating Statistical Output from Snort Databases
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      4. 6.3. Performing Real-Time Data Analysis
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      5. 6.4. Generating Text-Based Log Analysis
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 6.5. Creating HTML Log Analysis Output
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 6.6. Tools for Testing Signatures
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 6.7. Analyzing and Graphing Logs
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 6.8. Analyzing Sniffed (Pcap) Traffic
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      10. 6.9. Writing Output Plug-ins
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    9. 7. Miscellaneous Other Uses
      1. Introduction
      2. 7.1. Monitoring Network Performance
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      3. 7.2. Logging Application Traffic
        1. Problem
        2. Solution
        3. Description
        4. See Also
      4. 7.3. Recognizing HTTP Traffic on Unusual Ports
        1. Problem
        2. Solution
        3. Description
        4. See Also
      5. 7.4. Creating a Reactive IDS
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      6. 7.5. Monitoring a Network Using Policy-Based IDS
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      7. 7.6. Port Knocking
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      8. 7.7. Obfuscating IP Addresses
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      9. 7.8. Passive OS Fingerprinting
        1. Problem
        2. Solution
          1. snortfp
          2. p0f
          3. Sourcefire RNA
        3. Discussion
          1. snortfp
          2. p0f
        4. See Also
      10. 7.9. Working with Honeypots and Honeynets
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      11. 7.10. Performing Forensics Using Snort
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      12. 7.11. Snort and Investigations
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      13. 7.12. Snort as Legal Evidence in the U.S.
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      14. 7.13. Snort as Evidence in the U.K.
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      15. 7.14. Snort as a Virus Detection Tool
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
      16. 7.15. Staying Legal
        1. Problem
        2. Solution
        3. Discussion
        4. See Also
    10. About the Authors
    11. Colophon
    12. SPECIAL OFFER: Upgrade this ebook with O’Reilly