Managing Security with Snort and IDS Tools
Preface
Audience
About This Book
Assumptions This Book Makes
Chapter Synopsis
Conventions Used in This Book
Comments and Questions
Acknowledgments
Kerry Cox
Christopher Gerg
1. Introduction
1.1. Disappearing Perimeters
1.2. Defense-in-Depth
1.3. Detecting Intrusions (a Hierarchy of Approaches)
1.4. What Is NIDS (and What Is an Intrusion)?
1.5. The Challenges of Network Intrusion Detection
1.5.1. Prerequisites
1.5.2. False Positives
1.5.3. Missing Prerequisites
1.5.4. Unrealistic Expectations
1.6. Why Snort as an NIDS?
1.7. Sites of Interest
2. Network Traffic Analysis
2.1. The TCP/IP Suite of Protocols
2.1.1. TCP
2.1.1.1. The three-way handshake
2.1.2. UDP
2.1.3. IP
2.1.4. ICMP
2.1.5. ARP
2.2. Dissecting a Network Packet
2.2.1. The IP Header
2.2.2. The TCP Header
2.3. Packet Sniffing
2.4. Installing tcpdump
2.5. tcpdump Basics
2.6. Examining tcpdump Output
2.7. Running tcpdump
2.7.1. Syntax Options
2.7.2. tcpdump Filters
2.7.3. tcpdump Capture of the TCP Three-Way Handshake
2.8. ethereal
2.8.1. Installing from Source
2.8.2. Available Options
2.8.3. ethereal Capture of TCP Three-Way Handshake
2.8.4. Tethereal
2.9. Sites of Interest
3. Installing Snort
3.1. About Snort
3.1.1. Snort's Commercial Counterpart
3.2. Installing Snort
3.2.1. Source Code Installation
3.2.1.1. Build-time options
3.2.2. Windows Installations
3.2.3. Staying Current
3.3. Command-Line Options
3.4. Modes of Operation
3.4.1. Snort as a Sniffer
3.4.2. Snort as a Packet Logger
3.4.3. Snort as an NIDS: Quick and Dirty
3.4.3.1. Get the latest rule sets
3.4.3.2. Initial configuration of the snort.conf file
4. Know Your Enemy
4.1. The Bad Guys
4.1.1. Opportunists, Thieves, and Vandals
4.1.2. Professionals
4.1.3. Disgruntled Current and Former Employees and Contractors
4.1.4. Robots and Worms
4.2. Anatomy of an Attack: The Five Ps
4.2.1. Probe
4.2.1.1. Mining the Web
4.2.1.2. Portscans and software version-mapping
4.2.1.3. Automated vulnerability scanners
4.2.1.4. Web page scanners
4.2.1.5. Other probe tools
4.2.2. Penetrate
4.2.2.1. Authentication grinding
4.2.2.2. Buffer overflows
4.2.2.3. Application behavior boundary flaws
4.2.2.4. System configuration errors
4.2.2.5. User input validation problems
4.2.3. Persist
4.2.4. Propagate
4.2.5. Paralyze
4.3. Denial-of-Service
4.4. IDS Evasion
4.5. Sites of Interest
5. The snort.conf File
5.1. Network and Configuration Variables
5.1.1. Default Variables from snort.conf
5.2. Snort Decoder and Detection Engine Configuration
5.3. Preprocessor Configurations
5.3.1. flow
5.3.2. frag2
5.3.3. stream4
5.3.4. stream4_reassemble
5.3.5. HTTP Inspect Preprocessor
5.3.5.1. http_inspect (global)
5.3.5.2. http_inspect_server
5.3.6. rpc_decode
5.3.7. bo
5.3.8. telnet_decode
5.3.9. flow-portscan
5.3.10. arpspoof
5.3.11. perfmonitor
5.4. Output Configurations
5.4.1. alert_syslog
5.4.2. log_tcpdump
5.4.3. Database
5.4.3.1. MySQL
5.4.3.2. PostgreSQL
5.4.3.3. ODBC
5.4.3.4. MsSQL
5.4.3.5. Oracle
5.4.4. unified
5.5. File Inclusions
6. Deploying Snort
6.1. Deploy NIDS with Your Eyes Open
6.2. Initial Configuration
6.2.1. Targeted IDS
6.3. Sensor Placement
6.3.1. Systems and Networks to Watch
6.3.2. Creating Connection Points
6.3.3. Encrypted Traffic
6.4. Securing the Sensor Itself
6.4.1. Choose an Operating System
6.4.2. Configure Interfaces
6.4.3. Disable Unnecessary Services
6.4.4. Apply Patches and Updates
6.4.5. Utilize Robust Authentication
6.4.6. Monitor System Logs
6.5. Using Snort More Effectively
6.6. Sites of Interest
7. Creating and Managing Snort Rules
7.1. Downloading the Rules
7.2. The Rule Sets
7.3. Creating Your Own Rules
7.3.1. Snort Rule Headers
7.3.2. Rule Options
7.3.3. Common Rule Options
7.4. Rule Execution
7.5. Keeping Things Up-to-Date
7.6. Sites of Interest
8. Intrusion Prevention
8.1. Intrusion Prevention Strategies
8.2. IPS Deployment Risks
8.3. Flexible Response with Snort
8.3.1. The react Response
8.4. The Snort Inline Patch
8.4.1. Configuring Snort
8.4.2. Creating Rules for the Snort Inline Patch
8.5. Controlling Your Border
8.5.1. Installing SnortSAM
8.5.2. Patching Snort to Enable Support for SnortSAM
8.5.3. Starting SnortSAM
8.5.4. Supporting the SnortSAM Output Plug-in
8.5.5. Modifying Rules That Trigger Block Requests
8.6. Sites of Interest
9. Tuning and Thresholding
9.1. False Positives (False Alarms)
9.2. False Negatives (Missed Alerts)
9.2.1. Common Causes of False Negatives
9.3. Initial Configuration and Tuning
9.3.1. Tailoring the Decoder and Preprocessors
9.3.1.1. The Snort decoder configuration
9.3.1.2. The flow preprocessor
9.3.1.3. The frag2 preprocessor
9.3.1.4. The stream4_reassemble preprocessor
9.3.1.5. The http_inspect preprocessor
9.3.1.6. The flow-portscan preprocessor
9.3.2. Tailoring the Rule Set
9.3.2.1. General rule set pruning (trimming high noise rule sets)
9.3.2.2. Tuning individual rules
9.4. Pass Rules
9.5. Thresholding and Suppression
9.5.1. Simple Thresholds
9.5.2. Global Thresholds
9.5.3. Suppression Rules
10. Using ACID as a Snort IDS Management Console
10.1. Software Installation and Configuration
10.1.1. MySQL Installation and Configuration
10.1.1.1. MySQL RPM install
10.1.1.2. Performing a MySQL source install
10.1.1.3. Adding tables and permissions
10.1.1.4. Cleaning house or reinstalling
10.1.2. Installing the Web Server
10.1.3. Installing Apache2
10.1.3.1. Installing from RPMs
10.1.3.2. Compiling the latest Apache code from source
10.1.3.3. Testing Apache and PHP
10.1.3.4. Managing dependencies
10.1.3.5. Running a secure web site
10.1.4. Final Apache Configurations
10.2. ACID Console Installation
10.2.1. Confirming GD Support
10.2.2. Customizing the ACID Configuration Files
10.2.3. The ACID Console
10.2.4. Initializing the ACID Web Page
10.3. Accessing the ACID Console
10.3.1. Using ACID
10.3.1.1. Main ACID page
10.3.1.2. Alert information
10.3.1.3. Searching and graphing
10.3.1.4. Data snapshots
10.4. Analyzing the Captured Data
10.4.1. Tracking the Alerts
10.4.1.1. Viewing the packet
10.4.1.2. Identifying known attacks
10.4.1.3. Notifying the offender
10.4.1.4. Searching the database
10.4.1.5. Graphing data for viewing
10.4.2. The Ongoing Use of the ACID Console
10.5. Sites of Interest
11. Using SnortCenter as a Snort IDS Management Console
11.1. SnortCenter Console Installation
11.1.1. Prerequisites
11.1.1.1. Installing curl Binary
11.1.2. Installing the Console Software
11.2. SnortCenter Agent Installation
11.2.1. Prerequisites
11.2.2. Installing the Agent
11.3. SnortCenter Management Console
11.4. Logging In and Surveying the Layout
11.4.1. Sensor Console
11.4.2. Sensor Configuration
11.4.3. Resources
11.4.3.1. Creating a new rule
11.4.4. Additional Resources
11.4.5. Admin
11.5. Adding Sensors to the Console
11.5.1. Configuring Sensors Within the SnortCenter Console
11.6. Managing Tasks
11.6.1. Updating Rules and Signatures
11.6.1.1. Automatic update feature
11.6.2. Managing False Positives and Negatives
11.6.3. Editing Custom Rules
12. Additional Tools for Snort IDS Management
12.1. Open Source Solutions
12.1.1. SnortReport
12.1.2. SnortSnarf
12.1.3. Cerebus
12.1.4. IDS Policy Manager
12.1.5. Oinkmaster
12.2. Commercial Solutions
12.2.1. Applied Watch Console
12.2.2. PureSecure Console
12.2.3. Sourcefire Management Console
13. Strategies for High-Bandwidth Implementations of Snort
13.1. Barnyard (and Sguil)
13.1.1. Configuring Snort's Unified Binary Output
13.1.2. Installing Barnyard
13.1.3. The barnyard.conf File
13.1.4. Barnyard Command-Line Options
13.1.5. Sguil: An Alternative Management Console
13.2. Commercial IDS Load Balancers
13.2.1. F5 Network's VLAN Mirroring with Big Iron Switches
13.2.2. Radware's Fireproof Appliance
13.2.3. Top Layer Network's IDS Balancer
13.3. The IDS Distribution System (I(DS)2)
13.3.1. A Little Background
13.3.2. The Solution
13.3.3. Installation
13.3.3.1. Layer 2 cross-connect
13.3.3.2. Policy router
A. Snort and ACID Database Schema
A.1. acid_ag
A.1.1. acid_ag_alert
A.1.1.1. acid_event
A.1.1.2. acid_ip_cache
A.1.1.3. data
A.1.1.4. detail
A.1.1.5. encoding
A.1.1.6. event
A.1.1.7. icmphdr
A.1.1.8. iphdr
A.1.1.9. opt
A.1.1.10. reference
A.1.1.11. reference_system
A.1.1.12. schema
A.1.1.13. sensor
A.1.1.14. sig_class
A.1.1.15. sig_reference
A.1.1.16. signature
A.1.1.17. tcphdr
A.1.1.18. udphdr
B. The Default snort.conf File
C. Resources
C.1. From Chapter 1: Introduction
C.2. From Chapter 2: Network Traffic Analysis
C.3. From Chapter 4: Know Your Enemy
C.4. From Chapter 6: Deploying Snort
C.5. From Chapter 7: Creating and Managing Snort Rules
C.6. From Chapter 8: Intrusion Prevention
C.7. From Chapter 10: Using ACID as a Snort IDS Management Console
C.8. From Chapter 12: Additional Tools for Snort IDS Management
C.9. From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
About the Authors
Colophon