If you are building a castle, you dig a moat and put up high walls, you may even build two layers of security—a perimeter and a more secure keep—but at the end of the day, you still need a way for supplies and people to get in and out. To make this part of your castle secure, you post watchmen, guards, and soldiers to ensure that only those who should be are getting in. Often you’ll find that physical security in a company is similar, complete with locked doors, pass cards, and security guards.
The principles of securing a computer system are no different than those of securing any other system, but often this final layer of security is left out. Too often people assume that the perimeter protection of the firewall is sufficient to keep all attackers at bay, not considering that attackers might just walk over the bridge through the front gate. All firewalls have rules that allow access—otherwise, you might as well not have the network connection in the first place—and usually it is these rules that are used by a malicious attacker to breach your network. Attackers don’t kick down the door, they walk through it pretending to be someone else.
An intrusion detection system (IDS) doesn’t exist to check the identity of people coming through a firewall; it keeps an eye out for behavior from those people that is against the rules. It is the security guard who watches to see if someone is trying the lock on the door marked “Private.”
This book is about Snort, an open source IDS, freely available to all who wish to make use of it, with updates provided by a large community of developers. It covers all topics from installation through tuning it to your needs, even mentioning some things it wasn’t originally designed to do. At the end of this book, you should be able to place a security guard on your network to make sure it stays secure.
This book is for network, security, and system administrators for networks of any size. It is written to cover as many of the operating systems Snort will run on as possible and should be accessible to anyone with a little experience with any of them. There are a few sections where programming experience might make life a bit easier, but these are few and far between and are written in Perl, which is nearly English anyway.
Here is the breakdown of the chapters:
This chapter contains the basics of installation, configuration, optimization, and placement. These are the basics of your Snort sensor; start here if you are a beginner.
This chapter covers the areas of logging activity with Snort and creating alerts. What good is a sentry if there is no way of communicating the warnings and keeping track of what has happened? If you need to tune your logging and alerting, there are some recipes here that may solve your problems.
This chapter covers the creation of Snort rules and signatures to detect specific types of traffic. Signature and rule writing has sometimes been seen as a bit of a black art. This chapter clarifies the syntax for you and gives you some pointers on good rule writing.
This chapter details the Snort preprocessors, which control the way that Snort handles certain types of network traffic. Preprocessors are one of the most powerful features of Snort, allowing you to pick and choose the way Snort deals with certain types of packets. This chapter covers their use and configuration.
This chapter gives some usage instructions for certain Snort administrative tools, allowing ease of configuration and administration. This chapter is for those people for whom the command line is not a friend. Snort need not be a painful experience for you; there are recipes in here for using graphical tools to control your Snort installation.
This chapter covers log analysis of recorded data. Snort can generate more logs than you can read in a decade. This chapter details log analysis tools that help you sift through the chaff to find the wheat.
This chapter covers some other interesting uses of Snort, more than packet sniffing and intrusion detection. This chapter contains all the things we couldn’t fit in to all the other chapters and includes some ideas you might like to investigate further as to things for which you might find Snort useful.
The following typographical conventions are used in this book:
Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).
Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.
Constant width
Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.
Constant width
bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values.
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission.
We appreciate, but do not require, attribution. An attribution includes the title, author, publisher, and ISBN. For example: "Snort Cookbook, by Angela Orebaugh, Simon Biles, and Jacob Babbin. Copyright 2005 O’Reilly Media, Inc., 0-596-00791-4.”
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com.
When you see a Safari® Enabled icon on the cover of your favorite technology book, that means the book is available online through the O’Reilly Network Safari Bookshelf.
Safari offers a solution that’s better than e-books. It’s a virtual library that lets you easily search thousands of top tech books, cut and paste code samples, download chapters, and find quick answers when you need the most accurate, current information. Try it for free at http://safari.oreilly.com.
Please address comments and questions concerning this book to the publisher:
O’Reilly & Associates, Inc. |
1005 Gravenstein Highway North |
Sebastopol, CA 95472 |
(800) 998-9938 (in the United States or Canada) |
(707) 829-0515 (international or local) |
(707) 829-0104 (fax) |
We have a web page for this book, where we list errata, examples, and any additional information. You can access this page at:
http://www.oreilly.com/catalog/snortckbk |
To comment or ask technical questions about this book, send email to:
bookquestions@oreilly.com |
For more information about our books, conferences, Resource Centers, and the O’Reilly Network, see our web site at:
http://www.oreilly.com |
The authors wish to thank the people who contributed to this project.
A wise person once told me “The more you risk, the greater the reward.” I would like to thank those who have taken a risk on this book, and who have taken a risk in me.
First, I would like to thank O’Reilly Media, Inc. for providing the opportunity to write this book. Nat Torkington, Tatiana Diaz, and Allison Randal provided the support and expertise to make this book a reality. I thank my coauthors for working diligently and providing outstanding technical expertise.
I would like to thank Eric Cole for his constant guidance, encouragement, advice, and continuing words of wisdom. I would like to thank all the amazing people at Sytex who understand the importance of research, exploration, and knowledge.
There are lots of family, friends, and colleagues who have seen me through this process. I would like to thank Rafiq Jamaldinian for his support and encouragement, you are $$$; Natalie Givans and Tom Fuhrman for their advice and mentorship; Brett Wagner, Michelle Morrow, Susan Rogers, Angela Mitchell, Ryan Lewkowski, Svonne Stickley, and Becky Pinkard for always being there; and all those at SANS who believe in me and provide great opportunities to learn, write, and speak about security.
Most importantly, I would like to extend a heartfelt thanks to Tammy Wilt, whose constant patience and encouragement, and forgoing of precious time on nights and weekends, have made this dream a reality. Without your love and strength, I would not be where I am today; you are the best. I would also like to thank Dennis and Peggy Wilt for their support and encouragement through all of my life’s endeavors. Also a special thanks to my parents Bruce Orebaugh and Janie Spitzer who have taught me the value of hard work and accomplishments. Thanks to the rest of my family Jim Spitzer, Jamie Spitzer, Justin Spitzer, Austin Spitzer, Pam Mathes, Kelsey Mathes, Jean Snider, Leo Snider, Lisa Snider, Julia Orebaugh, Cari Orebaugh, Rita Orebaugh, Allen Smith, Georgia Smith, and Zachary Smith. Duzer and Hailey, who let Mom work at the dog park, and Tag and Cody whose memories live strong.
Wow. It’s done! I’d like to thank very much my coauthors who have made this possible and taught me some things that I didn’t know along the way. Thanks also go to all at O’Reilly who have pushed this along and kept us going. Many thanks to our excellent technical review panel who set us on the straight and narrow on a few occasions: Garreth Jeremiah, Pete Herzog, Mark Lucking, and Tobias Rice.
When I started writing this book, this was the bit I always thought about how I was going to have so much to say and now that I’m getting to it, I don’t know where to start!
My children have all been very supportive and understanding, they didn’t kick up any fuss at all when I stole my computer (“Daddy’s `puter”) back from them, preventing them from either surfing the BBC children’s web sites or playing Freelancer, and quite how my wife puts up with me turning the computer on again at the end of a day when everyone else is asleep, I will never understand. Thank you so much—all of you. I love you dearly and wouldn’t have been able to do this without you.
I would like very much to dedicate this book to the memory of two people—it was only going to be one, but sadly my Granny passed away a few weeks before this was all finished. Thank you for years of support and love. We will always be thinking of you.
My other dedication, who was there from the start, was a wonderful woman who saw me all the way through my school years. She even taught me English at one point, and strangely I came across her report of me a little while ago where she comments upon my “casual attitude to work” and how my “interest wanes when he has to show sustained effort”! She was the kindest person and had time for everyone—she dedicated her life to helping others in all sorts of charity work. So tragically, she died at an early age of cancer, a great loss to the world. To the memory of Mrs. S. R. Lea.
I hope that you, the readers, find this book and the topics covered inside useful to your daily tasks and roles, while helping think of other ways and means to solve problems that you may or may not deal with currently. I’d like to thank: O’Reilly for making this book possible, especially Tatiana and Allison (our editors) who stuck with us to the end on this book.
My fellow co-authors, especially Angie, without whom I wouldn’t have gotten the privilege of working on this book. My friends: Jay Beale for starting me out on this path and allowing me to learn from him, Mike Poor for teaching me so much about my packet fu and believing in me enough to push me into SANS, Ed Skoudis for allowing me to learn from a master—what to look for, how to think as an attacker, and how to plan for those attacks.
The entire SANS staff. Marty Roesch for all his help with questions and code. My entire IONA security group (Justin, Dave, Todd, Kenise, Lou, and Kenny, just to name a few) for putting up with the odd hours and days of not seeing me other than buried in my laptop writing on this book.
My cats, Kitt, Gizmo, and Furbal, who “helped” the book writing process along with many a night of deleting, adding spaces, and even adding content...that was then taken out...by walking across the keyboard, hitting Esc at the wrong moment, or any number of creative means to cause problems . . . thanks, guys.
My family for support and, lastly, my fiancée, Jackie, for all of the support and encouragement on this book. Though it’s amazing she put up with the many, many, many nights and weekends of my typing away on this book.
There are many others that have helped directly or indirectly that number too many to name, and to all of you, I am grateful.
Happy hunting (packets)!