Snort 2.1 Intrusion Detection, Second Edition, part 1 (pptx)

Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_FM.qxd 5/5/04 6:54 PM Page i

About the First Edition of Snort Intrusion Detection

Overall, I found "Snort 2.0" enlightening. The authors have a powerful understanding of the workings of Snort, and apply it in novel ways.
—Richard Bejtlich, Top 500 Amazon Reviewer

Would I recommend this book to someone already running Snort? Yes! Would I recommend this book to someone considering deploying an IDS? Heck yes! If you attempt to deploy Snort on a production network without reading this book you should be instantly teleported out of your organization and into the "welcome to Walmart" greeter position at the nearest big-box store of the world's largest corporation.
—Stephen Northcutt, Director, SANS Institute

First, Brian Caswell knows more about Snort than anyone on the planet and it shows here. Secondly, the book is over 500 pages long, and is full of configuration examples. It is the ONE Snort book you need if you're actually running a corporate IDS. This pig flies. Highly recommended.
—A Reader from Austin, TX

This book has proven to be a breath of fresh air. It provides detailed product specifics and is a reliable roadmap to actually rolling out an IDS. And I really appreciate the CD with Snort and the other IDS utilities. The author team is well connected with Snort.org and they obviously had carte blanche in writing this book.
—A Reader from Chestnut Hill, MA

"An awesome book by Snort gurus! This is an incredible book by the guys from snort.org and Sourcefire—this book is just great and covers everything I could ever have thought to ask about Snort 2.0."
—A Syngress customer

Register for Free Membership to solutions@syngress.com

Over the last few years, Syngress has published many best-selling and critically acclaimed books, including Tom Shinder's Configuring ISA Server 2000, Brian Caswell and Jay Beale's Snort 2.0 Intrusion Detection, and Angela Orebaugh and Gilbert Ramirez's Ethereal Packet Sniffing. One of the reasons for the success of these books has been our unique solutions@syngress.com program. Through this site, we've been able to provide readers a real-time extension to the printed book.

As a registered owner of this book, you will qualify for free access to our members-only solutions@syngress.com program. Once you have registered, you will enjoy several benefits, including:

■ Four downloadable e-booklets on topics related to the book. Each booklet is approximately 20-30 pages in Adobe PDF format. They have been selected by our editors from other best-selling Syngress books as providing topic coverage that is directly related to the coverage in this book.

■ A comprehensive FAQ page that consolidates all of the key points of this book into an easy-to-search web page, providing you with the concise, easy-to-access data you need to perform your job.

■ A "From the Author" Forum that allows the authors of this book to post timely updates, links to related sites, or additional topic coverage that may have been requested by readers.

Just visit us at www.syngress.com/solutions and follow the simple registration process. You will need to have this book with you when you register.

Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there is anything else we can do to make your job easier.
Snort 2.1 Intrusion Detection, Second Edition
Second Edition of the International Bestseller!

Featuring the Snort Development Team: Andrew R. Baker, Brian Caswell, Mike Poor
with Raven Alder • Jacob Babbin • Jay Beale • Adam Doxtater • James C. Foster • Toby Kohlenberg • Michael Rash
Foreword by Stephen Northcutt

Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Snort™ and the Snort™ pig logo are trademarks of Sourcefire, Inc. Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  TCVGH39764
002  POFG398HB5
003  8NJH2GAWW2
004  HJIRTCV764
005  CVQ23MZX43
006  VB544DM78X
007  HJJ3EDC7NB
008  2WMKEE329N
009  62T7NC9MW5
010  IM6TGH62N5

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Snort 2.1 Intrusion Detection, Second Edition
Copyright © 2004 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-04-3

Acquisitions Editor: Christine Kloiber
Technical Editors: Jay Beale, Brian Caswell, Toby Kohlenberg, and Mike Poor
Cover Designer: Michael Kavish
Copy Editor: Beth Roberts
Indexer: Nara Wood
Page Layout and Art: Patricia Lupien

Distributed by O'Reilly & Associates in the United States and Canada.

Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

A special thanks to Marty Roesch and the rest of the Snort developers for all their efforts to maintain Snort: Erek Adams, Andrew R. Baker, Brian Caswell, Roman D., Chris Green, Jed Haile, Jeremy Hewlett, Jeff Nathan, Marc Norton, Chris Reid, Daniel Roelker, Dragos Ruiu, JP Vossen, Daniel Wittenberg, and Fyodor Yarochkin.

Syngress books are now distributed in the United States and Canada by O'Reilly & Associates, Inc. The enthusiasm and work ethic at ORA is incredible and we would like to thank everyone there for their time and efforts to bring Syngress books to market: Tim O'Reilly, Laura Baldwin, Mark Brokering, Mike Leonard, Donna Selenko, Bonnie Sheehan, Cindy Davis, Grant Kikkert, Opol Matsutaro, Lynn Schwartz, Steve Hazelwood, Mark Wilson, Rick Brown, Leslie Becker, Jill Lothrop, Tim Hinton, Kyle Hart, Sara Winge, C. J. Rayhill, Peter Pardo, Leslie Crandell, Valerie Dow, Regina Aggio, Pascal Honscher, Preston Paull, Susan Thompson, Bruce Stewart, Laura Schmier, Sue Willing, Mark Jacobsen, Betsy Waliszewski, Dawn Mann, Kathryn Barrett, John Chodacki, and Rob Bullington.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, Ian Seager, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, Emma Wyatt, Rosie Moss, Chris Hossack, and Krista Leppiko, for making certain that our vision remains worldwide in scope.

David Buckland, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, Pang Ai Hua, and Joseph Chan of STP Distributors for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

David Scott, Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.
Series Editor, Technical Editor and Contributor

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through the MD-based firm Intelguardians, LLC, where he works on security architecture reviews, threat mitigation and penetration tests against Unix and Windows targets.

Jay wrote the Center for Internet Security's Unix host security tool, currently in use worldwide by organizations from the Fortune 500 to the Department of Defense. He leads the Center's Linux Security benchmark team and, as a core participant in the non-profit Center's Unix teams, is working with private enterprises and US agencies to develop Unix security standards for industry and government.

Aside from his CIS work, Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for SecurityPortal.com and SecurityFocus.com. He co-authored the Syngress international best-seller Snort 2.0 Intrusion Detection (ISBN: 1-931836-74-4) and serves as the series and technical editor of the Syngress Open Source Security series. He is also co-author of Stealing the Network: How to Own a Continent (Syngress ISBN: 1-931836-05-1).

Jay's long-term writing goals include finishing a Linux hardening book focused on Bastille called Locking Down Linux. Formerly, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.

Technical Editors and Contributors

Brian Caswell is a member of the Snort core team, where he is the primary author for the world's most widely used intrusion detection rulesets. He is a member of the Shmoo group, an international not-for-profit, non-milindustrial independent private think tank. He was also a technical editor for Snort 2.0 Intrusion Detection (Syngress, ISBN: 1-931836-74-4). Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire, a provider of one of the world's most advanced and flexible Intrusion Management solutions. Before Sourcefire, Brian was the IDS team leader and all around supergeek for MITRE, a government sponsored think tank. Not only can Brian do IDS, he was a Pokémon Master Trainer for both Nintendo and Wizards of the Coast, working throughout the infamous Pokémon Training League tours. In his free time, Brian likes to teach his young son Patrick to write Perl, reverse engineer network protocols, and autocross at the local SCCA events.

Toby Kohlenberg is a Senior Information Security Specialist for Intel Corporation. He does penetration testing, incident response, malware analysis, architecture design and review, intrusion analysis, and various other things that paranoid geeks are likely to spend time dealing with. In the last two years he has been responsible for developing security architectures for world-wide deployments of IDS technologies, secure WLANs, Windows 2000/Active Directory, as well as implementing and training a security operations center. He is also a handler for the Internet Storm Center, which provides plenty of opportunity to practice his analysis skills. He holds the CISSP, GCFW, GCIH, and GCIA certifications. He currently resides in Oregon with his wife and daughters, where he enjoys the 9 months of the year that it rains much more than the 3 months where it's too hot.

Mike Poor is a Founder and Senior Security Analyst for the DC firm Intelguardians Network Intelligence. In his recent past life he has worked for Sourcefire, as a research engineer, and for the SANS Institute as a member of the technical staff. As a consultant, Mike conducts penetration tests, vulnerability assessments, security audits and architecture reviews. His primary job focus however is in intrusion detection, response, and mitigation. Mike currently holds both GSEC and GCIA certifications and is an expert in network engineering and systems, network and web administration. Mike is an Incident Handler for the Internet Storm Center.

Contributors

Raven Alder is a Senior Security Engineer for True North Solutions, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in the Washington DC area.

Jacob Babbin works as a contractor with a government agency filling the role of Intrusion Detection Team Lead. He has worked in both private industry as a security professional and in government space in a variety of IT security roles. He is a speaker at several IT security conferences and is a frequent assistant in SANS Security Essentials Bootcamp, Incident Handling and Forensics courses. He lives in Virginia.

[...]

[...] book. The authors of this Snort 2.1 Intrusion Detection, Second Edition have produced a book with a simple focus: to teach you how to use Snort. From the basics of getting started to advanced rule configuration, they cover all aspects of using Snort, including basic installation, preprocessor configuration, and optimization of your Snort system. I hope you can begin to see why I say Snort is one of the best [...]

[...] to Snort 2.0 Intrusion Detection (Syngress, ISBN: 1-931836-74-4), Hacking the Code: ASP.NET Web Application Security (Syngress, ISBN: 1-932266-65-8), and Special Ops: Host and Network Security for Microsoft, Unix, and Oracle (Syngress, ISBN: 1-931836-69-8) as well as Hacking Exposed, Fourth Edition, Advanced Intrusion Detection, Anti-Hacker Toolkit Second Edition, and Anti-Spam Toolkit. James has attended Yale, [...]

Date posted: 13/08/2014, 12:21

Table of contents

  • Snort 2.1 Intrusion Detection, Second Edition

    • Cover

  • Contents

  • Foreword

  • Chapter 1 Intrusion Detection Systems

    • Introducing Intrusion Detection Systems

      • What Is an Intrusion?

        • Legal Definitions

        • Scanning vs Compromise

        • Viruses and Worms-SQL Slammer

        • Live Attacks-Sendmail Buffer Overflow

      • How an IDS Works

        • What the IDS Is Watching

        • How the IDS Watches Your Network

        • How the IDS Takes the Data It Gathers and Finds Intrusion Attempts

        • What the IDS Does When It Finds an Attack Attempt

    • Answering Common IDS Questions

      • Why Are Intrusion Detection Systems Important?

      • Why Doesn't My Firewall Serve as an IDS?

      • Why Are Attackers Interested in Me?

        • Automated Scanning/Attacking Doesn't Care Who You Are

        • Desirable Resources Make You a Target

        • Political or Emotional Motivations

      • Where Does an IDS Fit with the Rest of My Security Plan?

      • Where Should I Be Looking for Intrusions?

        • Operating System Security-Backdoors and Trojans

        • Physical Security

        • Application Security and Data Integrity

        • Correlation of All These Sources

      • What Will an IDS Do for Me?

        • Continuously Watch Packets on Your Network and Understand Them

        • Read Hundreds of Megs of Logs Daily and Look for Specific Issues

        • Create Tremendous Amounts of Data No Matter How Well You Tune It

        • Create So Much Data that If You Don't Tune It, You Might as Well Not Have It

        • Find Subtle Trends in Large Amounts of Data that Might Not Otherwise Be Noticed

        • Supplement Your Other Protection Mechanisms

        • Act as a Force Multiplier for a Competent System/Network Administrator

        • Let You Know When It Looks Like You Are Under Attack

      • What Won't an IDS Do for Me?

        • Replace the Need for Someone Who Is Knowledgeable about Security

        • Catch Every Attack that Occurs

        • Prevent Attacks from Occurring

        • Prevent Attacks from Succeeding Automatically (in Most Cases)

        • Replace Your Other Protection Mechanisms

        • What Else Can Be Done with Intrusion Detection?

    • Fitting Snort into Your Security Architecture

      • Viruses, Worms, and Snort

      • Known Exploit Tools and Snort

      • Writing Your Own Signatures with Snort

      • Using an IDS to Monitor Your Company Policy

    • Analyzing Your IDS Design and Investment

      • False Positives versus False Negatives

      • Fooling an IDS

        • IDS Evasion Techniques

      • Return on Investment-Is It Worth It?

    • Defining IDS Terminology

      • Intrusion Prevention Systems (HIPS and NIPS)

      • Gateway IDS

      • Network Node IDS

      • Protocol Analysis

      • Target-Based IDS

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 2 Introducing Snort 2.1

    • Introduction

    • What Is Snort?

    • Understanding Snort's System Requirements

      • Hardware

        • Operating System

        • Other Software

    • Exploring Snort's Features

      • Packet Decoder

      • The Preprocessors

        • Example: HTTPInspect

        • Example: flow-portscan

      • The Detection Engine

        • Flow-Portscan as Example Feature

        • Rules and Matching

        • Thresholding and Suppression

      • The Alerting and Logging Components

        • Output Plug-Ins

        • Unified Output

    • Using Snort on Your Network

      • Using Snort as a Packet Sniffer and Logger

      • Using Snort as a NIDS

      • Snort and Your Network Architecture

        • Snort and Switched Networks

      • Pitfalls When Running Snort

        • False Alerts

        • Upgrading Snort

    • Considering System Security While Using Snort

      • Snort Is Susceptible to Attacks

        • Detecting a Snort System on the Network

        • Attacking Snort

        • Attacking the Underlying System

      • Securing Your Snort System

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 3 Installing Snort

    • Introduction

    • Making the Right Choices

      • Linux over OpenBSD?

      • Stripping Linux

        • Stripping out the Candy

    • A Brief Word about Linux Distributions

      • Debian

      • Slackware

      • Gentoo

        • A Word about Hardened/Specialized Linux Distributions

    • Preparing for the Installation

      • Installing pcap

        • Installing libpcap from Source

        • Look Ma! No GUI!

        • Installing libpcap from RPM

        • Installing libpcre

        • Installing MySQL

        • Installing from RPM

        • Installing from Source

    • Installing Snort

      • A Brief Word about Sentinix GNU/Linux

      • Installing Snort from Source

        • Enabling Features via configure

      • Installing Snort from RPM

      • Installing Snort Using apt

      • Configuring Snort IDS

      • Customizing Your Installation: Editing the snort.conf File

        • Installation on the MS Windows Platform

        • Command-Line Switches

      • Installing on OpenBSD

        • Option 1: Using OpenBSD Ports

        • Option 2: Using Prepackaged OpenBSD Ports

        • Option 3: Installing Snort from Source

      • Installing Bleeding-Edge Versions of Snort

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 4 Inner Workings

    • Introduction

      • The Life of a Packet Inside Snort

        • Decoders

      • The Detection Engine

        • The Old Detection Engine

        • The New Detection Engine

        • Tagging

        • Thresholding

        • Suppression

        • Logging

    • Adding New Functionality

      • What Is a Detection Plug-In?

      • Writing Your Own Detection Plug-In

        • Copyright and License

        • Includes

        • Data Structures

        • Functions

        • Setup

        • Initialization

        • Parser

        • Detection Function

        • What Do I Add to the Rest of the System?

        • Testing

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 5 Playing by the Rules

    • Introduction

    • Dissecting Rules

      • Matching Ports

      • Matching Simple Strings

      • Using Preprocessor Output

    • Using Variables

      • Snort Configuration

    • Understanding Rule Headers

      • Rule Actions

        • When Should You Use a Pass Rule?

        • Custom Rules Actions

        • Using Activate and Dynamic Rules

    • Rule Options

      • Rule Content

        • ASCII Content

        • Including Binary Content

        • The depth Option

        • The offset Option

        • The nocase Option

        • The session Option

        • Uniform Resource Identifier Content

        • The stateless Option

        • Regular Expressions

        • Flow Control

      • IP Options

        • Fragmentation Bits

        • Equivalent Source and Destination IP Option

        • IP Protocol Options

        • ID Option

        • Type of Service Option

        • Time-To-Live Option

      • TCP Options

        • Sequence Number Options

        • TCP Flags Option

        • TCP ACK Option

      • ICMP Options

        • ID

        • Sequence

        • The icode Option

        • The itype Option

      • Meta-Data Options

        • Snort ID Options

        • Rule Revision Number

        • Severity Identifier Option

        • Classification Identifier Option

        • External References

      • Miscellaneous Rule Options

        • Messages

        • Logging

        • TAG

        • dsize

        • RPC

        • Real-Time Countermeasures

    • Writing Good Rules

      • What Makes a Good Rule?

      • Action Events

      • Ensuring Proper Content

      • Merging Subnet Masks

      • What Makes a Bad Rule?

      • The Evolution of a Rule: From Start to Finish

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 6 Preprocessors

    • Introduction

    • What Is a Preprocessor?

    • Preprocessor Options for Reassembling Packets

      • The stream4 Preprocessor

        • TCP Statefulness

        • Session Reassembly

        • Stream4's Output

      • Frag2-Fragment Reassembly and Attack Detection

        • Configuring Frag2

        • Frag2 Output

      • Flow

        • Configuring Flow

        • Frag2 Output

    • Preprocessor Options for Decoding and Normalizing Protocols

      • Telnet Negotiation

        • Telnet Negotiation Output

      • HTTP Normalization

        • Configuring the HTTP Normalization Preprocessor

        • HTTP Decode's Output

      • rpc_decode

        • Configuring rpc_decode

        • rpc_decode Output

    • Preprocessor Options for Nonrule or Anomaly-Based Detection

      • Portscan

        • Configuring the Portscan Preprocessor

      • Back Orifice

        • Configuring the Back Orifice Preprocessor

      • General Nonrule-Based Detection

    • Experimental Preprocessors

      • arpspoof

      • ASN1_decode

      • Fnord

      • portscan2 and conversation

        • Configuring the portscan2 Preprocessor

        • Configuring the conversation Preprocessor

      • perfmonitor

    • Writing Your Own Preprocessor

      • Reassembling Packets

      • Decoding Protocols

      • Nonrule or Anomaly-Based Detection

      • Setting Up My Preprocessor

      • What Am I Given by Snort?

        • Examining the Argument Parsing Code

        • Getting the Preprocessor's Data Back into Snort

      • Adding the Preprocessor into Snort

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 7 Implementing Snort Output Plug-Ins

    • Introduction

    • What Is an Output Plug-In?

      • Key Components of an Output Plug-In

    • Exploring Output Plug-In Options

      • Default Logging

      • SNMP Traps

      • XML Logging

      • Syslog

      • SMB Alerting

      • PCAP Logging

      • Snortdb

      • MySQL versus PostgreSQL

      • Unified Logs

        • Why Should I Use Unified Logs?

        • What Do I Do with These Unified Files?

    • Writing Your Own Output Plug-In

      • Why Should I Write an Output Plug-In?

      • Setting Up Your Output Plug-In

      • Creating Snort's W3C Output Plug-In

        • myPluginSetup (AlertW3CSetup)

        • myPluginInit (AlertW3CInit)

        • myPluginAlert (AlertW3C)

        • myPluginCleanExit (AlertW3CCleanExit)

        • myPluginRestart (AlertW3CRestart)

        • Running and Testing the Snort W3C Output Plug-in

      • Dealing with Snort Output

    • Tackling Common Output Plug-In Problems

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 8 Dealing with the Data

    • Introduction

    • What Is Intrusion Analysis?

      • Snort Alerts

        • Snort Packet Data

        • Examine the Rule

        • Validate the Traffic

        • Attack Mechanism

        • Intrusion Data Correlation

        • Following Up on the Analysis Results

    • Intrusion Analysis Tools

      • Database Front Ends

        • ACID

      • Installing ACID

        • Prerequisites for Installing ACID

      • Configuring ACID

      • Using ACID

        • Querying the Database

        • Alert Groups

        • Graphical Features of ACID

        • Managing Alert Databases

      • SGUIL

        • Installing SGUIL

        • Step 1: Create the SGUIL Database

        • Step 2: Installing Sguild, the Server

        • Step 3: Install a SGUIL Client

        • Step 4: Install the Sensor Scripts

        • Step 5: Install Xscriptd

      • Using SGUIL

      • Summary Scripts

        • snort_stat.pl

      • Using SnortSnarf

        • Installing SnortSnarf

        • Configuring Snort to Work with SnortSnarf

        • Basic Usage of SnortSnarf

        • Swatch

    • Analyzing Snort IDS Events

      • Begin the Analysis by Examining the Alert Message

      • Validate the Traffic

      • Identify the Attack Mechanism

      • Correlations

    • Conclusions

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 9 Keeping Everything Up to Date

    • Introduction

    • Updating Snort

      • Production Choices

        • Compiled Builds vs Source Builds

        • Patching Snort

    • Updating Rules

      • How Can Updating Be Easy?

        • Using Variables

        • Using the Local Rules File

        • Removing Rules from the Ruleset

        • Using Oinkmaster

        • Using IDSCenter to Merge with Your Existing Rules

      • The Importance of Documentation

        • Why a Security Team Should Be Concerned with Rule Documentation

    • Testing Snort and the Rules

      • Testing within Organizations

        • Small Organizations

        • Large Organizations

    • Watching for Updates

      • The Importance of Security Mailing Lists and Web Sites

      • Chain-of-Command and Outside Management for CIRT Organizations

      • Use in Events-of-Interest, 0-Day, and Other Short-Term Use

        • Short-Term Rules

        • Policy Enforcement Rules

        • Forensics Rules

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 10 Optimizing Snort

    • Introduction

    • How Do I Choose the Hardware to Use?

      • What Constitutes "Good" Hardware?

        • Processors

        • RAM Requirements

        • Storage Medium

        • Network Interface Card

      • How Do I Test My Hardware?

    • How Do I Choose the Operating System to Use?

      • What Makes a "Good" OS for an NIDS?

      • What OS Should I Use?

      • How Do I Test My OS Choice?

    • Speeding Up Snort

      • The Initial Decision

      • Deciding Which Rules to Enable

      • Notes on Pattern Matching

      • Configuring Preprocessors for Speed

      • Using Generic Variables

      • Choosing an Output Plug-In

    • Benchmarking Your Deployment

      • Benchmark Characteristics

        • Attributes of a Good Benchmark

        • Attributes of a Poor Benchmark

      • What Options Are Available for Benchmarking?

        • IDS Informer

        • IDS Wakeup

        • Sneeze

        • TCPReplay

        • THC's Netdude

        • Other Packet-Generation Tools

        • Additional Options

      • Stress Testing the Pig!

      • Stress Tests

      • Individual Snort Rule Tests

      • Berkeley Packet Filter Tests

    • Tuning Your Rules

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 11 Mucking Around with Barnyard

    • Introduction

    • What Is Barnyard?

    • Understanding the Snort Unified Files

      • Unified Alert Records

      • Unified Log Records

      • Unified Stream-Stat Records

    • Installing Barnyard

      • Downloading

      • Building and Installing

    • Configuring Barnyard

      • The Barnyard Command-Line Options

      • The Configuration File

        • Configuration Directives

        • Output Plug-In Directives

    • Understanding the Output Plug-Ins

      • alert_fast

      • alert_csv

      • alert_syslog

      • alert_syslog2

      • log_dump

      • log_pcap

      • acid_db

      • sguil

    • Running Barnyard in Batch-Processing Mode

      • Processing a Single File

      • Using the Dry Run Option

      • Processing Multiple Files

    • Using the Continual-Processing Mode

      • The Basics of Continual-Processing Mode

      • Running in the Background

      • Enabling Bookmark Support

      • Only Processing New Events

      • Archiving Processed Files

      • Running Multiple Barnyard Processes

      • Signal Handling

    • Deploying Barnyard

      • Remote Syslog Alerting

      • Database Logging

      • Extracting Data

      • Real-Time Console Alerting

    • Writing a New Output Plug-In

      • Implementing the Plug-In

        • Setting Up the Source Files

        • Writing the Functions

        • Adding the Plug-In to op_plugbase.c

      • Finishing Up

        • Updating Makefile.am

        • Building Barnyard

      • Real-Time Console Alerting Redux

    • Secret Capabilities of Barnyard

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 12 Active Response

    • Introduction

    • Active Response vs Intrusion Prevention

      • Active Response Based on Layers

      • Altering Network Traffic Based on IDS Alerts

        • Snortsam

        • Fwsnort

        • Snort_inline

        • Attack and Response

    • Snortsam

      • Installation

      • Architecture

        • Snort Output Plug-In

        • Blocking Agent

      • Snortsam in Action

        • WWWBoard passwd.txt Access Attack

        • NFS mountd Overflow Attack

    • Fwsnort

      • Installation

      • Configuration

      • Execution

      • WWWBoard passwd.txt Access Attack (Revisited)

      • NFS mountd Overflow Attack (Revisited)

    • Snort_inline

      • Installation

      • Configuration

      • Architecture

      • Web Server Attack

      • NFS mountd Overflow Attack

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 13 Advanced Snort

    • Introduction

    • Network Operations

      • Flow Preprocessor Family

      • Perfmon Preprocessor

      • Unusual Network Traffic

    • Forensics/Incident Handling

      • Logging and Filtering

      • Traffic Reconstruction

      • Interacting with Law Enforcement

    • Snort and Honeynets

      • Snort-Inline

        • Countermeasures and Logging

    • Really Cool Stuff

      • Behavioral Tracking

        • Patch/IAVA Verifications

        • Policy Enforcement

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Index