
Book Description

If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort. Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will use every day, such as:

  • installation

  • optimization

  • logging

  • alerting

  • rules and signatures

  • detecting viruses

  • countermeasures

  • detecting common attacks

  • administration

  • honeypots

  • log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus--and still have a life.

    Table of Contents

    1. Snort Cookbook
      1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
      2. Preface
        1. Audience
        2. Contents of This Book
        3. Conventions Used in This Book
        4. Using Code Examples
        5. Safari Enabled
        6. How to Contact Us
        7. Acknowledgments
          1. Angela Orebaugh
          2. Simon Biles
          3. Jake Babbin
      3. 1. Installation and Optimization
        1. Introduction
        2. 1.1. Installing Snort from Source on Unix
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        3. 1.2. Installing Snort Binaries on Linux
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 1.3. Installing Snort on Solaris
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        5. 1.4. Installing Snort on Windows
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 1.5. Uninstalling Snort from Windows
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 1.6. Installing Snort on Mac OS X
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 1.7. Uninstalling Snort from Linux
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 1.8. Upgrading Snort on Linux
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        10. 1.9. Monitoring Multiple Network Interfaces
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        11. 1.10. Invisibly Tapping a Hub
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        12. 1.11. Invisibly Sniffing Between Two Network Points
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        13. 1.12. Invisibly Sniffing 100 MB Ethernet
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        14. 1.13. Sniffing Gigabit Ethernet
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        15. 1.14. Tapping a Wireless Network
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        16. 1.15. Positioning Your IDS Sensors
          1. Problem
          2. Solution
          3. Discussion
            1. Small business (or geek at home)
            2. Medium-sized business
            3. Larger organizations
          4. See Also
        17. 1.16. Capturing and Viewing Packets
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        18. 1.17. Logging Packets That Snort Captures
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        19. 1.18. Running Snort to Detect Intrusions
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        20. 1.19. Reading a Saved Capture File
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        21. 1.20. Running Snort as a Linux Daemon
          1. Problem
          2. Solution
          3. See Also
        22. 1.21. Running Snort as a Windows Service
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        23. 1.22. Capturing Without Putting the Interface into Promiscuous Mode
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        24. 1.23. Reloading Snort Settings
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        25. 1.24. Debugging Snort Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        26. 1.25. Building a Distributed IDS (Plain Text)
          1. Problem
          2. Solution
          3. Discussion
            1. Client side
            2. Server side
          4. See Also
        27. 1.26. Building a Distributed IDS (Encrypted)
          1. Problem
          2. Solution
            1. Client side
            2. Encryption only
            3. Server side
          3. Discussion
          4. See Also
      4. 2. Logging, Alerts, and Output Plug-ins
        1. Introduction
        2. 2.1. Logging to a File Quickly
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        3. 2.2. Logging Only Alerts
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 2.3. Logging to a CSV File
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        5. 2.4. Logging to a Specific File
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 2.5. Logging to Multiple Locations
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 2.6. Logging in Binary
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 2.7. Viewing Traffic While Logging
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 2.8. Logging Application Data
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        10. 2.9. Logging to the Windows Event Viewer
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        11. 2.10. Logging Alerts to a Database
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        12. 2.11. Installing and Configuring MySQL
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        13. 2.12. Configuring MySQL for Snort
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        14. 2.13. Using PostgreSQL with Snort and ACID
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        15. 2.14. Logging in PCAP Format (TCPDump)
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        16. 2.15. Logging to Email
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        17. 2.16. Logging to a Pager or Cell Phone
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        18. 2.17. Optimizing Logging
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        19. 2.18. Reading Unified Logged Data
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        20. 2.19. Generating Real-Time Alerts
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        21. 2.20. Ignoring Some Alerts
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        22. 2.21. Logging to System Logfiles
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        23. 2.22. Fast Logging
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        24. 2.23. Logging to a Unix Socket
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        25. 2.24. Not Logging
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        26. 2.25. Prioritizing Alerts
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        27. 2.26. Capturing Traffic from a Specific TCP Session
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        28. 2.27. Killing a Specific Session
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
      5. 3. Rules and Signatures
        1. Introduction
        2. 3.1. How to Build Rules
          1. Problem
          2. Solution
            1. Protocol rules
            2. Port rules
            3. Application rules
          3. Discussion
          4. See Also
        3. 3.2. Keeping the Rules Up to Date
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 3.3. Basic Rules You Shouldn't Leave Home Without
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        5. 3.4. Dynamic Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 3.5. Detecting Binary Content
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 3.6. Detecting Malware
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 3.7. Detecting Viruses
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 3.8. Detecting IM
          1. Problem
          2. Solution
            1. AOL IM
            2. Yahoo! IM (YIM)
            3. MSN IM
          3. Discussion
          4. See Also
        10. 3.9. Detecting P2P
          1. Problem
          2. Solution
            1. Kazaa
            2. BitTorrent
            3. Gnutella
          3. Discussion
          4. See Also
        11. 3.10. Detecting IDS Evasion
          1. Problem
          2. Solution
          3. Discussion
            1. Stream4
            2. Frag2
            3. Arpspoof
            4. Http_inspect
          4. See Also
        12. 3.11. Countermeasures from Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        13. 3.12. Testing Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        14. 3.13. Optimizing Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        15. 3.14. Blocking Attacks in Real Time
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        16. 3.15. Suppressing Rules
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        17. 3.16. Thresholding Alerts
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        18. 3.17. Excluding from Logging
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        19. 3.18. Carrying Out Statistical Analysis
          1. Problem
          2. Solution
          3. Discussion
            1. closed-dport
            2. dead-dest
            3. odd-dport
            4. odd-port-dest
            5. odd-typecode
          4. See Also
      6. 4. Preprocessing: An Introduction
        1. Introduction
        2. 4.1. Detecting Stateless Attacks and Stream Reassembly
          1. Problem
          2. Solution
            1. Stream4
            2. Stream4_reassemble
          3. Discussion
            1. stream4_reassemble
          4. See Also
        3. 4.2. Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 4.3. Detecting and Normalizing HTTP Traffic
          1. Problem
          2. Solution
            1. Global examples
            2. Server examples
          3. Discussion
          4. See Also
        5. 4.4. Decoding Application Traffic
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 4.5. Detecting Port Scans and Talkative Hosts
          1. Problem
          2. Solution
            1. Portscan
            2. Portscan2
            3. Flow-portscan
          3. Discussion
          4. See Also
        7. 4.6. Getting Performance Metrics
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 4.7. Experimental Preprocessors
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 4.8. Writing Your Own Preprocessor
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
      7. 5. Administrative Tools
        1. Introduction
        2. 5.1. Managing Snort Sensors
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        3. 5.2. Installing and Configuring IDScenter
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 5.3. Installing and Configuring SnortCenter
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        5. 5.4. Installing and Configuring Snortsnarf
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 5.5. Running Snortsnarf Automatically
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 5.6. Installing and Configuring ACID
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 5.7. Securing ACID
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 5.8. Installing and Configuring Swatch
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        10. 5.9. Installing and Configuring Barnyard
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        11. 5.10. Administering Snort with IDS Policy Manager
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        12. 5.11. Integrating Snort with Webmin
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        13. 5.12. Administering Snort with HenWen
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        14. 5.13. Newbies Playing with Snort Using EagleX
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
      8. 6. Log Analysis
        1. Introduction
        2. 6.1. Generating Statistical Output from Snort Logs
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        3. 6.2. Generating Statistical Output from Snort Databases
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        4. 6.3. Performing Real-Time Data Analysis
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        5. 6.4. Generating Text-Based Log Analysis
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 6.5. Creating HTML Log Analysis Output
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 6.6. Tools for Testing Signatures
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 6.7. Analyzing and Graphing Logs
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 6.8. Analyzing Sniffed (Pcap) Traffic
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        10. 6.9. Writing Output Plug-ins
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
      9. 7. Miscellaneous Other Uses
        1. Introduction
        2. 7.1. Monitoring Network Performance
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        3. 7.2. Logging Application Traffic
          1. Problem
          2. Solution
          3. Description
          4. See Also
        4. 7.3. Recognizing HTTP Traffic on Unusual Ports
          1. Problem
          2. Solution
          3. Description
          4. See Also
        5. 7.4. Creating a Reactive IDS
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        6. 7.5. Monitoring a Network Using Policy-Based IDS
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        7. 7.6. Port Knocking
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        8. 7.7. Obfuscating IP Addresses
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        9. 7.8. Passive OS Fingerprinting
          1. Problem
          2. Solution
            1. snortfp
            2. p0f
            3. Sourcefire RNA
          3. Discussion
            1. snortfp
            2. p0f
          4. See Also
        10. 7.9. Working with Honeypots and Honeynets
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        11. 7.10. Performing Forensics Using Snort
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        12. 7.11. Snort and Investigations
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        13. 7.12. Snort as Legal Evidence in the U.S.
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        14. 7.13. Snort as Evidence in the U.K.
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        15. 7.14. Snort as a Virus Detection Tool
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
        16. 7.15. Staying Legal
          1. Problem
          2. Solution
          3. Discussion
          4. See Also
      10. About the Authors
      11. Colophon
      12. SPECIAL OFFER: Upgrade this ebook with O’Reilly