Snort Cookbook

Larger Cover

Snort Cookbook

By Angela Orebaugh, Simon Biles, Jacob Babbin

Publisher: O'Reilly Media

Released: March 2005

Pages: 288

If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the defacto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP network. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of SNORT.

Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will us everyday, such as:

installation
optimization
logging
alerting
rules and signatures
detecting viruses
countermeasures
detecting common attacks
administration
honeypots
log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master be security gurus--and still have a life.

Chapter 1 Installation and Optimization
1. Introduction
2. Installing Snort from Source on Unix
3. Installing Snort Binaries on Linux
4. Installing Snort on Solaris
5. Installing Snort on Windows
6. Uninstalling Snort from Windows
7. Installing Snort on Mac OS X
8. Uninstalling Snort from Linux
9. Upgrading Snort on Linux
10. Monitoring Multiple Network Interfaces
11. Invisibly Tapping a Hub
12. Invisibly Sniffing Between Two Network Points
13. Invisibly Sniffing 100 MB Ethernet
14. Sniffing Gigabit Ethernet
15. Tapping a Wireless Network
16. Positioning Your IDS Sensors
17. Capturing and Viewing Packets
18. Logging Packets That Snort Captures
19. Running Snort to Detect Intrusions
20. Reading a Saved Capture File
21. Running Snort as a Linux Daemon
22. Running Snort as a Windows Service
23. Capturing Without Putting the Interface into Promiscuous Mode
24. Reloading Snort Settings
25. Debugging Snort Rules
26. Building a Distributed IDS (Plain Text)
27. Building a Distributed IDS (Encrypted)
Chapter 2 Logging, Alerts, and Output Plug-ins
1. Introduction
2. Logging to a File Quickly
3. Logging Only Alerts
4. Logging to a CSV File
5. Logging to a Specific File
6. Logging to Multiple Locations
7. Logging in Binary
8. Viewing Traffic While Logging
9. Logging Application Data
10. Logging to the Windows Event Viewer
11. Logging Alerts to a Database
12. Installing and Configuring MySQL
13. Configuring MySQL for Snort
14. Using PostgreSQL with Snort and ACID
15. Logging in PCAP Format (TCPDump)
16. Logging to Email
17. Logging to a Pager or Cell Phone
18. Optimizing Logging
19. Reading Unified Logged Data
20. Generating Real-Time Alerts
21. Ignoring Some Alerts
22. Logging to System Logfiles
23. Fast Logging
24. Logging to a Unix Socket
25. Not Logging
26. Prioritizing Alerts
27. Capturing Traffic from a Specific TCP Session
28. Killing a Specific Session
Chapter 3 Rules and Signatures
1. Introduction
2. How to Build Rules
3. Keeping the Rules Up to Date
4. Basic Rules You Shouldn't Leave Home Without
5. Dynamic Rules
6. Detecting Binary Content
7. Detecting Malware
8. Detecting Viruses
9. Detecting IM
10. Detecting P2P
11. Detecting IDS Evasion
12. Countermeasures from Rules
13. Testing Rules
14. Optimizing Rules
15. Blocking Attacks in Real Time
16. Suppressing Rules
17. Thresholding Alerts
18. Excluding from Logging
19. Carrying Out Statistical Analysis
Chapter 4 Preprocessing: An Introduction
1. Introduction
2. Detecting Stateless Attacks and Stream Reassembly
3. Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
4. Detecting and Normalizing HTTP Traffic
5. Decoding Application Traffic
6. Detecting Port Scans and Talkative Hosts
7. Getting Performance Metrics
8. Experimental Preprocessors
9. Writing Your Own Preprocessor
Chapter 5 Administrative Tools
1. Introduction
2. Managing Snort Sensors
3. Installing and Configuring IDScenter
4. Installing and Configuring SnortCenter
5. Installing and Configuring Snortsnarf
6. Running Snortsnarf Automatically
7. Installing and Configuring ACID
8. Securing ACID
9. Installing and Configuring Swatch
10. Installing and Configuring Barnyard
11. Administering Snort with IDS Policy Manager
12. Integrating Snort with Webmin
13. Administering Snort with HenWen
14. Newbies Playing with Snort Using EagleX
Chapter 6 Log Analysis
1. Introduction
2. Generating Statistical Output from Snort Logs
3. Generating Statistical Output from Snort Databases
4. Performing Real-Time Data Analysis
5. Generating Text-Based Log Analysis
6. Creating HTML Log Analysis Output
7. Tools for Testing Signatures
8. Analyzing and Graphing Logs
9. Analyzing Sniffed (Pcap) Traffic
10. Writing Output Plug-ins
Chapter 7 Miscellaneous Other Uses
1. Introduction
2. Monitoring Network Performance
3. Logging Application Traffic
4. Recognizing HTTP Traffic on Unusual Ports
5. Creating a Reactive IDS
6. Monitoring a Network Using Policy-Based IDS
7. Port Knocking
8. Obfuscating IP Addresses
9. Passive OS Fingerprinting
10. Working with Honeypots and Honeynets
11. Performing Forensics Using Snort
12. Snort and Investigations
13. Snort as Legal Evidence in the U.S.
14. Snort as Evidence in the U.K.
15. Snort as a Virus Detection Tool
16. Staying Legal

Colophon

Title:

Snort Cookbook

By:

Angela Orebaugh, Simon Biles, Jacob Babbin

Publisher:

O'Reilly Media

Formats:

Print
Ebook
Safari Books Online

Print:

March 2005

Ebook:

February 2009

Pages:

288

Print ISBN:

978-0-596-00791-1

| ISBN 10:

0-596-00791-4

Ebook ISBN:

978-0-596-10468-9

| ISBN 10:

0-596-10468-5

Angela Orebaugh

Angela Orebaugh is an information security technologist, scientist, and author with a broad spectrum of expertise in information assurance. She synergizes her 15 years of hands-on experiences within industry, academia, and government to advise clients on information assurance strategy, management, and technologies.

Ms. Orebaugh is involved in several security initiatives with the National Institute of Standards and Technology (NIST), including technical Special Publications (800 series), the National Vulnerability Database (NVD), Security Content Automation Protocol (SCAP) project, and secure eVoting.

Ms. Orebaugh is an Adjunct Professor for George Mason University where she performs research and teaching in intrusion detection and forensics. She developed and teaches the Intrusion Detection curriculum, a core requirement for the Forensics program in the Department of Electrical and Computer Engineering. Her current research interests include peer-reviewed publications in the areas of intrusion detection and prevention, data mining, attacker profiling, user behavior analysis, and network forensics.

Ms. Orebaugh is the author of the Syngress best seller's Nmap in the Enterprise, Wireshark and Ethereal Network Protocol Analyzer Toolkit, and Ethereal Packet Sniffing. She has also co-authored the Snort Cookbook, Intrusion Prevention and Active Response, and How to Cheat at Configuring Open Source Security Tools. Angela is a frequent speaker at a variety of security conferences and technology events, including the SANS Institute and The Institute for Applied Network Security.

Ms. Orebaugh holds a Masters degree in Computer Science and a Bachelors degree in Computer Information Systems from James Madison University. She is currently completing her dissertation for her Ph.D. at George Mason University, with a concentration in Information Security.

View Angela Orebaugh's full profile page.
Simon Biles

Simon Biles is currently Director of Thinking Security Ltd. an Information Security Consultancy based near Oxford in the UK. The company deals with all aspects of InfoSec from Incident Response and Forensics through to ISO 27001 work. He is currently studying for his MSc in Forensic Computing at Shrivenham with Cranfield University. He holds a CISSP, is Certified as an ISO17799 Lead Auditor, is a Chartered IT Professional with the British Computer Society and is also a member of F3 - the UK's First Forensic Forum. Currently he is involved in a project to define and support best practices in Forensics - you can find out more about this at the Open Forensics Group.

View Simon Biles's full profile page.
Jacob Babbin

Jake Babbin works as a contractor with a government agency filling the role of Intrusion Detection Team Lead. He has worked in both private industry as a security professional and in government space in a variety of IT security roles. He is a speaker at several IT security conferences and is a frequent assistant in SANS Security Essentials Bootcamp, Incident Handling and Forensics courses. Jake lives in Virginia.

View Jacob Babbin's full profile page.

Colophon

Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive approach to technical topics, breathing personality and life into potentially dry subjects. The image on the cover of Snort Cookbook is of a charging soldier clad in traditional Scottish military dress. In 1747, the Act for the Abolition of Highland Dress provided that no man or boy in Scotland, except officers and soldiers, could wear clothes commonly called Highland garb. Specifically, this meant plaid, philabeg, or little kilt, trews, and shoulderbelt. Some historians record that, immediately after this act was passed, orders were given to kill on the spot anyone dressed in this fashion. However, since Highland regiments had a widespread reputation for their agility, bravery, and heroism, especially during the Napoleonic Wars, the tartan soon became imbued with new prestige and glamour. In fact, Highlanders made such a great impression on their enemies that it was said the French believed there were twelve battalions of them in the British army, instead of two.

The weapon carried by the soldier in this image is a bayonet. Although generally considered the infantryman's assault weapon, this instrument was originally intended for defense. With the combined length of the musket and bayonet, infantry standing two and three deep could hold their ground against a sudden rush of cavalry. Adam Witwer was the production editor, and Linley Dolby was the copyeditor for Snort Cookbook. Lydia Onofrei performed the source check. Ann Schirmer proofread the text. Sarah Sherman and Claire Cloutier provided quality control. Lucie Haskins wrote the index.

Emma Colby designed the cover of this book, based on a series design by Edie Freedman. The cover image is a 19th-century engraving from the Dover Pictorial Archive. Karen Montgomery produced the cover layout with Adobe InDesign CS using Adobe's ITC Garamond font.

David Futato designed the interior layout. This book was converted by Judy Hoer to FrameMaker 5.5.6 with a format conversion tool created by Erik Ray, Jason McIntosh, Neil Walls, and Mike Sierra that uses Perl and XML technologies. The text font is Linotype Birka; the heading font is Adobe Myriad Condensed; and the code font is LucasFont's TheSans Mono Condensed. The illustrations that appear in the book were produced by Robert Romano, Jessamyn Read, and Lesley Borash using Macromedia FreeHand MX and Adobe Photoshop CS. The tip and warning icons were drawn by Christopher Bing. This colophon was written by Lydia Onofrei.

Description

Table of Contents

Product Details

About the Author

Colophon

Recommended for You

Chapter 1 Installation and Optimization

Introduction

Installing Snort from Source on Unix

Installing Snort Binaries on Linux

Installing Snort on Solaris

Installing Snort on Windows

Uninstalling Snort from Windows

Installing Snort on Mac OS X

Uninstalling Snort from Linux

Upgrading Snort on Linux

Monitoring Multiple Network Interfaces

Invisibly Tapping a Hub

Invisibly Sniffing Between Two Network Points

Invisibly Sniffing 100 MB Ethernet

Sniffing Gigabit Ethernet

Tapping a Wireless Network

Positioning Your IDS Sensors

Capturing and Viewing Packets

Logging Packets That Snort Captures

Running Snort to Detect Intrusions

Reading a Saved Capture File

Running Snort as a Linux Daemon

Running Snort as a Windows Service

Capturing Without Putting the Interface into Promiscuous Mode

Reloading Snort Settings

Debugging Snort Rules

Building a Distributed IDS (Plain Text)

Building a Distributed IDS (Encrypted)

Chapter 2 Logging, Alerts, and Output Plug-ins

Introduction

Logging to a File Quickly

Logging Only Alerts

Logging to a CSV File

Logging to a Specific File

Logging to Multiple Locations

Logging in Binary

Viewing Traffic While Logging

Logging Application Data

Logging to the Windows Event Viewer

Logging Alerts to a Database

Installing and Configuring MySQL

Configuring MySQL for Snort

Using PostgreSQL with Snort and ACID

Logging in PCAP Format (TCPDump)

Logging to Email

Logging to a Pager or Cell Phone

Optimizing Logging

Reading Unified Logged Data

Generating Real-Time Alerts

Ignoring Some Alerts

Logging to System Logfiles

Fast Logging

Logging to a Unix Socket

Not Logging

Prioritizing Alerts

Capturing Traffic from a Specific TCP Session

Killing a Specific Session

Chapter 3 Rules and Signatures

Introduction

How to Build Rules

Keeping the Rules Up to Date

Basic Rules You Shouldn't Leave Home Without

Dynamic Rules

Detecting Binary Content

Detecting Malware

Detecting Viruses

Detecting IM

Detecting P2P

Detecting IDS Evasion

Countermeasures from Rules

Testing Rules

Optimizing Rules

Blocking Attacks in Real Time

Suppressing Rules

Thresholding Alerts

Excluding from Logging

Carrying Out Statistical Analysis

Chapter 4 Preprocessing: An Introduction

Introduction

Detecting Stateless Attacks and Stream Reassembly