Preface

This book explains how to manage your network’s security using the open source tool Snort. The examples in this book are designed for use primarily on a Red Hat Linux machine. They should be fully functional on the latest Red Hat Enterprise Linux version as well as the latest Fedora release by Red Hat. All instructions were documented using the most recent Red Hat releases, patches, and software. The applications were configured using default packages needed for a standard installation, and each machine was secured according to the latest errata.

The instructions in this book apply to other Linux flavors, such as SuSE, Gentoo, Debian, and most Unix variants, including FreeBSD, OpenBSD, and Solaris. Many of the applications are available for download as source or as precompiled binaries. Since performance is often a consideration when deploying an IDS solution, you will probably find that building the applications from source yields the best results. If you do not have the time, desire, or need to build from source, the prebuilt packages should work just fine and install without trouble on most systems. Consult the documentation for your Linux distribution or Unix-based operating system for further information regarding source compilation and installation. Snort binaries are also available for the Microsoft Windows platform, and instructions for running Snort on a Windows platform are included.

Links to the applications and their respective web sites are provided throughout and at the end of the chapters. Appendix C also contains a compendium of all software programs and applications referenced. Check all software sites regularly for the latest updates and information regarding their use. Many of the programs are under active development and new versions are posted frequently. Some applications require an update with the release of new Linux versions. Stay current with the most recent release in order to avoid any vulnerabilities or security issues that appear over time.

Topics covered include:

  • Packet capture and analysis using a variety of command-line and GUI utilities.

  • An introduction to the interpretation of packet headers and content within an IDS environment.

  • The threats to your organization’s technology assets.

  • Instructions for installing, configuring, tuning, and customizing an open source, enterprise-level network intrusion detection system (NIDS) for use in corporate and/or home office environments.

  • A discussion of ways to utilize Snort as a sniffer, a network gateway that blocks malicious traffic, and a passive IDS sensor.

  • Details on how to configure and tune your Snort IDS installation to maximize the effectiveness and minimize the labor involved in detecting and tracking down attacks.

  • An in-depth look at a variety of administration tools that assist in the management of the Snort IDS environment.

  • Strategies for deploying an IDS in switched, high-security, and high-bandwidth environments.

Audience

This book is designed for network, system, and security administrators of large-scale enterprises as well as managers of small businesses or home offices. The instructions should be readable for those with only a small amount of network and Unix experience, but also useful for experienced administrators with a varied background in networking and system administration. To be sure, the more experienced you are, the easier it will be to interpret the results generated by the Snort IDS.

About This Book

Snort can be used for a variety of applications, from acting as a simple network sniffer to an enterprise-class gateway intrusion detection system (IDS). This book discusses the various ways to use Snort, and methods of configuring, tuning, and customizing the application to best suit your environment. Implementing an IDS solution can be a labor-intensive and sometimes overwhelming project. This book helps streamline the processes of the initial setup and ongoing care and feeding of Snort.

All the source code discussed here is freely available for download off the Internet. I have avoided any software that is closed source, requires a license, or costs money. Though links and source code versions do change over time, every effort has been made to keep listings and release numbers for each application as up-to-date as possible. If you find the URL does not work as listed, please check with some of the major open source repositories: http://freshmeat.net and http://sourceforge.net. If you are unable to locate the applications, use a search engine such as http://www.google.com to find the program’s new home or current web site.

Links to required libraries or associated applications are usually found on the home pages of most programs. For example, links to SnortCenter and Barnyard are found on the main Snort page at http://www.snort.org.

Now that you know what this book is about, here is what it’s not about. This book is not a beginner’s guide to packet analysis. It is intended to help you implement viable solutions to everyday intrusion detection problems. This book does not spend countless pages examining the nuances and vagaries of every type of fragmented packet or possible buffer overflow. Instead, it explains how to quickly capture a sampling of network traffic and look for the tell-tale signs that indicate hostile activity.

If you are searching for a theoretical manual that provides detailed insight into every possible security application or that explains how to dissect new intrusive packets, you won’t find it here. This book deals with strategies and speedy implementations using a reasonable, common-sense approach. By the end of this book, the reader will understand that a network-based intrusion detection system is one part of a larger strategy of defense-in-depth. The book is based on the experience of a Network Security Engineer who has both attacked and defended very large corporate networks and systems. Whether you are looking for something to help secure your home network, or looking for an Enterprise-class solution that can watch 2 Gbps of bandwidth in near-real-time, this book will help.

Assumptions This Book Makes

This book does not make too many demands on the average reader. It is written in an informal manner and is intended for most security administrators, whether they are using Linux (or another Unix offshoot like BSD) or Windows. The main focus of the book will be running Snort on a Linux platform. Even beginning Linux users should have no trouble grasping the concepts. Most applications—along with their installation and configuration—are clearly spelled out. While this book will provide the average user with the ability to get a Snort sensor up and running, professional deployments of any IDS solution benefit from a good knowledge of networking and system administration. Without this background, discrimination of what is naughty and what is nice will be more difficult.

If any of the steps explained in later chapters do not answer all your questions, please consult the application’s home page or subscribe to its mailing list, if one is available. It will be helpful if you are familiar with Usenet newsgroups and can post detailed questions regarding any additional use of the applications presented here. You will find that the open source community surrounding Snort and the related applications is active and incredibly helpful.

This book assumes that you have access to one or more machines, can perform a standard operating system installation, and have a relatively stable connection to the Internet. It also operates on the assumption that a LAN or switched Ethernet network is available for testing purposes. Though this is not required, it does help when monitoring packets flowing between machines and in and out of networks. This book also presupposes that a secure firewall is in place. It is your responsibility to ensure that your network remains safe during the IDS installation and implementation phase. Newly installed systems do not survive long when exposed to the Internet without protection.

Chapter Synopsis

Chapter 1

Introduces the concepts behind network security and intrusion detection.

Chapter 2

Goes into some depth on how the systems on your network use the network to accomplish their tasks. The structure of packets will be examined, equipping you to recognize anomalous network traffic.

Chapter 3

Introduces you to getting Snort up and running quickly using the various command-line options. It discusses the various modes in which Snort can be used, including as a sniffer and packet logger.

Chapter 4

Examines how the “bad guys” attempt to probe, penetrate, persist, propagate, and paralyze your network and systems, and how each of these stages can be detected.

Chapter 5

Provides an in-depth examination of snort.conf, the central configuration file. It controls how Snort watches the network and detects malicious activity.

Chapter 6

Strategies for making a Snort deployment as effective and successful as possible are discussed in this chapter.

Chapter 7

The core of a signature-based intrusion detection system is the set of rules that recognize attacks in progress. One of the real strengths of Snort is the flexibility and discrimination of its rule sets.

Chapter 8

Several mechanisms and strategies can be employed that turn Snort from an intrusion detection system into an intrusion prevention system. These strategies are not without their own risks, however.

Chapter 9

This is perhaps the most important chapter. Proper tuning and thresholding allow security administrators to minimize the number of false positives generated by an IDS sensor, making the time spent working with Snort more efficient and effective.

Chapter 10

ACID is a popular, powerful, web-based console for managing the alerts generated by Snort.

Chapter 11

SnortCenter makes administering multiple IDS sensors much easier.

Chapter 12

A wide variety of tools can help manage a Snort-based IDS deployment. Some of these solutions are more effective than others.

Chapter 13

If your intention is to deploy Snort as an IDS in a high-demand environment, this chapter will help by discussing strategies that ensure nothing is missed by overburdened sensors.

Appendix A

Provides the schemas for the Snort and ACID database tables in order to aid developers in creating new tools or modifying existing tools.

Appendix B

Presents the default snort.conf file for reference when reading the book and configuring sensors. The comments are actually quite good, too.

Appendix C

Provides a compilation of web resources and download sources from throughout the book.

Conventions Used in This Book

The following typographical conventions are used in this book:

Plain text

Indicates menu titles, menu options, menu buttons, preprocessors, and keyboard accelerators (such as Alt and Ctrl).

Italics

Indicates new terms, example URLs, example email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.

Constant width

Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.

Constant width bold

Shows commands or other text that should be typed literally by the user.

Constant width italic

Shows text that should be replaced with user-supplied values.

Tip

This icon signifies a tip, suggestion, or general note.

Warning

This icon indicates a warning or caution.

Comments and Questions

Please address comments and questions concerning this book to the publisher:

O’Reilly Media, Inc.
1005 Gravenstein Highway North
Sebastopol, CA 95472
(800) 998-9938 (in the United States or Canada)
(707) 829-0515 (international or local)
(707) 829-0104 (fax)

We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:

http://www.oreilly.com/catalog/snortids

To comment or ask technical questions about this book, send email to:

For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:

http://www.oreilly.com

Acknowledgments

The authors wish to thank the people who contributed to this project.

Kerry Cox

I owe many thanks to all the people who shared with me their time, talents, and experiences while patiently answering my questions. Thanks especially to all the employees at KSL, Bonneville International, Bonneville Communications, LDS Business College, and Deseret Management Corporation who allowed me to install intrusion detection systems on their servers and then critiqued the systems’ performance, providing me with feedback that assisted in many ways to make this a better book.

I would especially like to thank all the technical and nontechnical staff with whom I work at Bonneville International, KSL, and the Deseret Management Corporation: Greg James, Roger Graves, Owen Smoot, Don Huntsman, Steve Tolman, Edward Cheadle, Brent Cherrington, Mark Fenton, Jason Williams, Hal Whitlock, Steve Wise, Bryan Carter, Brent Cole, Karl Hancock, Trevor Gunnell, Jamie Hall, Kevin McReynolds, Julie Hill, Jason Jones, Amy Kimball, Pat Neilson, and the many others whom I may have forgotten.

According to Eric S. Raymond, “Given enough eyeballs, all bugs are shallow.” This was especially true of the assistance I received from many friends and co-workers. There are fewer errors here than there might otherwise have been thanks to their diligence in proofing this material. I am deeply indebted to these people for the time and effort they took to verify the accuracy of what I wrote. I consider each and every one contributing editors to this work. This is as much for them as it is for the readers.

I wish especially to thank the following people, who spent many hours reviewing and critiquing the text and code of this book before submissions were sent to O’Reilly. I am extremely grateful to Jason Jones for checking each chapter’s syntax and tightening up the content. He pointed out some crucial items that made the reading flow better. Our conversations to and from work every day helped to improve the quality of this material. I am deeply indebted to him for all his work.

I wish to thank Brad Hokanson for testing the source code and installing numerous programs on his machines. He proved that everything shown here actually works on various operating systems. His work with encryption and wireless security was most valuable. I want to thank Jason Williams for his help in proofing the layout and looking over the subject matter for viability. Edward Cheadle was very helpful in implementing many of these applications in real-world scenarios. His feedback improved much of the content.

Thanks to Steve Scott for his assistance in providing detailed IDS documentation. Also, I owe many thanks to Patrick S. Harper for his useful notes and explanations for performing a full source-code install. His excellent paper has helped many a beginner on the road to configuring a working IDS box. Thanks also to Jamie Hall and Karl Hancock for continued feedback from their own experiences with open source intrusion detection systems.

I also need to thank Jason Williams again, for providing me with the laptop on which I ran Linux. Many are the nights and days on the train I was able to write this book thanks to his donation. It proved very useful for testing Kismet and AirSnort and setting up wireless security applications.

My hat is also off to Mike Loukides for his assistance in bringing this book to print. He provided invaluable suggestions for improving the layout, content, and syntax of each chapter. I value his input and appreciate the trust he has placed in me. I want to also thank the several technical reviewers who proofed this document for potential flaws or errors. I want to personally thank Edin Dizdarevic for his close scrutiny, analysis, and commentary. I very much enjoyed his German commentary and notes on each section. Thanks also to the other editors who contributed their time and talents to making this a better book: Kevin Binsfield, Andrea Barisani, Daniel Harrison, and Adam Hogan.

I would especially like to thank my wife, Karen, for her encouragement. It was she who suggested I write this book and stood by me these past few months. Her unwavering support has not gone unnoticed. I have also my boys to thank for their encouragement. Kids, I’m finally done. Let’s play.

Christopher Gerg

This book would not have been possible without the support of my peers, friends, and family. The Security Services team that I work with at Berbee Information Networks is the most talented and diverse group of people I’ve had the privilege to work and learn with. I’ve learned more in the last five years than I had up to that point in my life. Paul Tatarsky, Matt Jach, Peyton Engel, David Klann, and Joe Mondloch have shared their wit and large brains with me most generously. I hope I’m able to repay a fraction of the debt I owe. (Assume the horse stance...)

Thanks to Eric Patterson for everything.

Of course, I wouldn’t be able to accomplish much of anything without the support of my wife, Becky, and our two crumb-crunchers, Matthew (shorty) and Sarah (the Bunner). They keep me sane and centered. Well, centered, anyway.

Standard thanks to my Mother and Father for having me and setting the stage for my career and fruitful adulthood. (Hi, Jessika!)

A special thanks to Jim Elliot for introducing me to my editor, Mike Loukides. Thanks, Mike, for giving me the opportunity to step into this project. The work of John Ives, the technical reviewer, was excellent—thank you very much.