snort 2.1 intrusion detection second edition part 2 ppt


295_Snort_2e_01.qxd 5/4/04 4:50 PM Page 46
Chapter 1 • Intrusion Detection Systems

For maximum stealth, the attacker could even spoof the source; that doesn't matter in connectionless UDP. There is some likelihood that the attack packets would get dropped if the network links were too oversaturated with the Stick/Snot output, but it is likely that the actual attack packets would not be picked up by the IDS, either because it's only listening to established TCP sessions and our attack is UDP or ICMP, or because the IDS is still listening to all connections but is mobbed with false positives.

Notes from the Underground…

Stick, Snot, and Snort

Stick, Snot, and Snort are tools billed as "IDS Killers," designed to overload your IDS to the point it becomes unusable.

■ Stick (www.eurocompton.net/stick/projects8.html) is a C program based on an old version of the Snort ruleset, designed to spew out so many alert-triggering packets per second that it would force IDSs to come to a grinding halt. It was very effective for its time, but Snort now has measures in place to adjust to and compensate for this style of attack.

■ Snot (www.stolenshoes.net/sniph/index.html) is another similar tool that takes a Snort ruleset as argument and generates a series of packets that will trigger that ruleset. Cross-platform and flexible, Snot allows script kiddies all over the world to annoy their IDS administrators.

If your Snort installation is being harried by these tools or similar ones, you can limit your Snort alerts to noticing established TCP sessions only with the snort –z est arguments. For this to work, however, the stream4 preprocessor must be configured. Also keep in mind that this will limit you from seeing all other nonstateful TCP alerts, so you will be missing UDP, ICMP, and ARP-based alerts. However, your IDS will still be up and running.
We go into depth on configuring Snort in Chapter 3, "Installing Snort."

www.syngress.com

Nmap offers a noisy scan that generates a whole bunch of fake packets as alternate "sources," using the –D "decoy" option. To the target, it looks like they are being scanned by all the decoy machines at once, and your real scan is masked among the fake ones.

Now, the quiet way. These are the attackers you really need to worry about. We have already described fragroute and Dug Song's evasive techniques as laid out in the original Newsham-Ptacek paper, but Nmap also offers options for stealth. There is the idle scan, the FTP bounce attack, timing-based attacks like a very slow scan stretched out over days, fragmentation and reassembly based attacks, TCP flag combination attacks, and even an idle scan off an unwitting zombie host. To read details about the packet construction behind all these attacks, refer to the Nmap man page at www.insecure.org/nmap/data/nmap_manpage.html.

Return on Investment—Is It Worth It?

At the end of the day, the deciding factor for many businesses is what the expected return on investment is. Is there truly going to be enough enhancement to your network security that it's worth installing, configuring, and maintaining an IDS? Security is often referred to as an economic sinkhole for businesses; they spend money on it, but if all goes well, they rarely see returns. Instead, the returns are in costs saved rather than in products made. Because of this, many CEOs are reluctant to spend the money necessary for expensive systems or solutions, more so if they've already spent money on an IDS and have seen few positive results from it but many false positives.

If you are considering adding an IDS to your network, consider it as a business case. How much money does your company lose if there is an intrusion?
What are the odds of that intrusion happening? How much will it cost to install and maintain an IDS? How much will the IDS offset or mitigate the risks of that intrusion? How will an IDS affect your organization legally? Earlier in the chapter, we discussed the possible implications of wiretap and privacy laws on a company's use of an IDS. However, an IDS can also assist in compliance with corporate accounting laws such as the Sarbanes-Oxley requirements, and in establishing an audit trail in the event of a compromise. Sections 302 and 304 of the Sarbanes-Oxley requirements place the responsibility on a corporation to establish internal controls within their network. An IDS can be a demonstrable part of these controls. When combined with a third-party penetration test of your network security, this can go a long way toward validating your own data with an external audit, complete with trail. Some locations now require companies to notify customers when their data has been compromised; the State of California is one such place. Having an IDS can allow you to detect compromise attempts more reliably. Being able to go to your CEO with strong numbers, legal backing, and business precedent will be far more impressive than "uh, I guess we need one of those, everyone else seems to have one."

Defining IDS Terminology

Being able to understand the differences between different types of IDSs and their features is crucial when trying to design a security architecture. Let's look at some of the most common terminology in the IDS field, and make sure we understand all the options available.
Intrusion Prevention Systems (HIPS and NIPS)
An IDS that not only detects a possible attack, but also responds to prevent the attack from being successful. This response can be anything from creating firewall rules to black-hole the attacker, to killing the offending process (when dealing with a Host IPS), to dropping the offending traffic (when dealing with a Network IPS).

Gateway IDS
An IDS that sits at the bottleneck between your network and the Internet (or whatever upstream peering you may be connected to). Also known as an inline IDS, all traffic must pass through this gateway to leave your local network. This may also function as an IPS if it includes the capability to make decisions about whether traffic should be allowed.

Network Node IDS
The method of intrusion detection where one establishes a baseline of "normal" network traffic, and then looks for deviations from that norm and flags them as possible attack traffic.

Protocol Analysis
The method of intrusion detection where one looks at the flow of data within the specifications of each protocol, looking for anomalies and possible malicious traffic based on the expected protocol behavior.

Target-Based IDS
A new flavor of IDSs specifically aimed at what is actually on the network. They are designed to have fewer false positives and only alert on attacks that are relevant to your network and the specific services running on your network.

Summary

IDSs can serve many purposes in a defense-in-depth architecture. In addition to identifying attacks and suspicious activity, you can use IDS data to identify security vulnerabilities and weaknesses.
IDSs can audit and enforce security policy. For example, if your security policy prohibits the use of file-sharing applications such as Kazaa, Gnutella, or messaging services such as Internet Relay Chat (IRC) or Instant Messenger, you could configure your IDS to detect and report this breach of policy.

IDSs are an invaluable source of evidence. Logs from an IDS can become an important part of computer forensics and incident-handling efforts. Detection systems are used to detect insider attacks by monitoring traffic from Trojans or malicious code and can be used as incident management tools to track an attack. Correlation of data, whether from a HIDS or NIDS or DIDS, is probably the best way to approach intrusion detection data. While an IDS can be a valuable contributor to a security architecture, it is by no means enough in and of itself to protect a network.

A NIDS can be used to record and correlate malicious network activities. The NIDS is stealthy and can be implemented to passively monitor or to react to an intrusion. The HIDS plays a vital role in a defense-in-depth posture; it represents the last bastion of hope in an attack. If the attacker has bypassed all of the perimeter defenses, the HIDS might be the only thing preventing total compromise. The HIDS resides on the host machine and is responsible for packet inspection to and from that host only. It can monitor encrypted traffic at the host level, and is useful for correlating attacks that are detected by different network sensors. Used in this manner it can determine whether the attack was successful. The logs from a HIDS can be a vital resource in reconstructing an attack or determining the severity of an incident.

Solutions Fast Track

Introducing Intrusion Detection Systems

■ An intrusion is an unauthorized access, use, or attack on your network or computers.
■ IDSs work by watching network and system activity, and comparing that to known signatures or against algorithms to separate legitimate activity from suspicious activity.

■ IDSs can then log the attack and respond in a number of ways. The most common response is to alert the system administrators through SNMP traps, text messages, phone calls, or pages.

Answering Common IDS Questions

■ Attackers are interested in everyone connected to the Internet these days; it's not necessarily personal.

■ An IDS can alert you to network traffic and system activity of which you may not have been aware. It can increase the effectiveness of a good system administrator, and provide him with additional data.

■ An IDS will not replace your existing security staff, or make people stop attacking you.

Fitting Snort into Your Security Policy

■ Snort is a network IDS with sophisticated pattern-matching capabilities that are used to uniquely describe attack traffic.

■ Snort signatures for the latest viruses, worms, and other new vulnerabilities are usually written and released within hours or days of the new attacks' debut.

■ You can write your own Snort signatures to match company policy violations, new or unique traffic, or anything else.

Analyzing IDS Design and Architecture

■ IDSs can be configured to just detect and alert, or to respond as well.

■ Possible responses include dropping the traffic, spoofing ICMP or TCP Reset packets, or identifying and tracing back toward the attack source.

■ IDSs are not perfect or foolproof—they can be tricked or eluded. They are valuable contributors to a security policy, but not enough all by themselves to enforce it.
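As an added illustration of two points from this chapter (this is example code, not code from the book or from Snort): the Stick and Snot sidebar's mitigation, where stream4 tracks sessions and -z est makes Snort alert only on traffic inside established TCP sessions, and the Fast Track's point that you can write your own policy signatures (here, the Summary's "no IRC" example). The Packet, Rule and SessionTracker classes are simplified stand-ins for Snort's decoder, rules and stream4, and every packet is constructed.

```python
from dataclasses import dataclass

# TCP flag bits, with the same values they have in the TCP header.
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    """Only the TCP fields this model needs (stand-in for a decoded packet)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    """Simplified Snort rule: alert when `content` appears in a packet to `dport`."""
    msg: str
    dport: int
    content: bytes


# Constructed rules: a policy rule (the chapter's "no IRC" example) and a classic content signature.
RULES = [
    Rule("POLICY IRC nick change", 6667, b"NICK "),
    Rule("WEB-ATTACKS /etc/passwd request", 80, b"/etc/passwd"),
]


class SessionTracker:
    """Minimal stand-in for stream4: follows the TCP three-way handshake."""

    def __init__(self):
        # (client, cport, server, sport) -> "syn" | "synack" | "est"
        self._state = {}

    def update(self, p):
        """Advance session state; return True if p is inside an established session."""
        fwd = (p.src, p.sport, p.dst, p.dport)   # key as seen from the sender
        rev = (p.dst, p.dport, p.src, p.sport)   # key of the opposite direction
        if p.flags & RST:                        # a reset tears the session down
            self._state.pop(fwd, None)
            self._state.pop(rev, None)
            return False
        if p.flags & SYN and not p.flags & ACK:  # client -> server SYN
            self._state[fwd] = "syn"
            return False
        if p.flags & SYN and p.flags & ACK:      # server -> client SYN/ACK
            if self._state.get(rev) == "syn":
                self._state[rev] = "synack"
            return False
        if p.flags & ACK:
            if self._state.get(fwd) == "synack":  # client's final ACK completes it
                self._state[fwd] = "est"
            return "est" in (self._state.get(fwd), self._state.get(rev))
        return False


def match_rules(p, rules=RULES):
    """Stateless signature check, the way the detection engine sees a single packet."""
    return [r.msg for r in rules if p.dport == r.dport and r.content in p.payload]


def run_sensor(packets, established_only, rules=RULES):
    """Return (rule msg, src) alerts; established_only=True models `snort -z est`."""
    tracker = SessionTracker()
    alerts = []
    for p in packets:
        in_session = tracker.update(p)          # stream4 sees every packet...
        if established_only and not in_session:
            continue                            # ...but -z est only alerts inside sessions
        for msg in match_rules(p, rules):
            alerts.append((msg, p.src))
    return alerts


def build_sample_traffic():
    """Constructed traffic: one real IRC session plus a Snot-style spoofed flood."""
    client, server = "10.0.0.5", "192.0.2.10"
    real_session = [
        Packet(client, 40001, server, 6667, SYN),
        Packet(server, 6667, client, 40001, SYN | ACK),
        Packet(client, 40001, server, 6667, ACK),
        Packet(client, 40001, server, 6667, PSH | ACK, b"NICK d00d\r\n"),
    ]
    # Rule-matching payloads from spoofed sources that never completed a handshake.
    flood = [
        Packet(f"203.0.113.{i}", 1024 + i, server, 80, PSH | ACK,
               b"GET /etc/passwd HTTP/1.0\r\n")
        for i in range(1, 51)
    ]
    return real_session + flood


if __name__ == "__main__":
    pkts = build_sample_traffic()
    print("stateless alerts:", len(run_sensor(pkts, established_only=False)))  # 51
    print("-z est alerts:", run_sensor(pkts, established_only=True))  # [('POLICY IRC nick change', '10.0.0.5')]
```

The trade-off the sidebar warns about is visible in the code: with established_only the flood is silent, but so would be any rule match that is not inside a tracked TCP session.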
Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the concepts presented in this chapter and to assist you with real-life implementation of these concepts. To have your questions about this chapter answered by the author, browse to www.syngress.com/solutions and click on the "Ask the Author" form. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: Why doesn't my firewall serve as an IDS?
A: Firewalls are designed primarily to pass, drop, or reject traffic, not to alert on suspicious traffic. IDSs are designed to let you know when suspicious activity is occurring. The two functions are different and conflict in key issues. We discuss this further in Chapter 12.

Q: Can IDSs gather data from anywhere besides sniffing on a network?
A: Yes, some IDSs can also gather data from log parsing, watching system calls, or monitoring a filesystem.

Q: What can an IDS do for me that my system administrator can't?
A: Parse a few hundred million packets or log entries (or more) a day in binary. Most administrators get tired after a while.

Q: What can my system administrator do for me that my IDS can't?
A: Bring creative thinking and an understanding of the significance of this network activity to the analysis.

Q: Will I have to spend time tuning my IDS?
A: Yes. If you don't want to be drowning in false positives, it really is best to tune your IDS to fit its environment.

Q: Does physical security still matter if I have the best network security in the world?
A: Absolutely. If we can walk in to your office and walk out with your server, you've still been rooted.

Q: Why should I bother writing my own signatures, when Snort has so many already?
A: You certainly don't have to, but you might want to add functionality that's not present in the extant ruleset, like rules tailored to your enterprise policy or to detect attacks targeting specific proprietary applications.

295_Snort2e_02.qxd 5/4/04 4:55 PM Page 53
Chapter 2 • Introducing Snort 2.1

Solutions in this Chapter:

■ What Is Snort?
■ Understanding Snort's System Requirements
■ Exploring Snort's Features
■ Using Snort on Your Network
■ Considering System Security While Using Snort

■ Summary
■ Solutions Fast Track
■ Frequently Asked Questions

Introduction

It's 9:30 A.M., and Bob Sysadmin has just walked out of his boss's office, shaking his head ruefully. When he arrived at work that morning, it was to face an angry Web development team whose beautiful and elegantly designed index page had been replaced with the crude legend, "Y0U H4\/3 B33N 0WN3D BY AG3NT D3L3T3! l@m3 security, d00d. greetz to m4g3, p1><1e, and the V0R!" Bob was initially shocked, and then profusely apologetic. Dialing up his boss on the cell phone, he ran for the server room to yank out the Ethernet cable of the compromised machine and get the computer emergency response team involved. Perhaps now, he thought grimly, his budget request for an Intrusion Detection System (IDS) wouldn't seem so "unnecessary."

Bob's meeting with his boss was somewhat rocky. Fortunately, Bob was able to calmly counter the angry management "How did this happen? Someone's head is going to roll!" bluster with a clear explanation of the weaknesses in their network defenses, and the budgetary and managerial reasons why they hadn't been strengthened.
He pointed out their staffing shortages, the lack of defense in depth, and the critical lack of information about ongoing attacks. Although the meeting started badly, by the end of it, Bob's boss was asking thoughtful questions and framing a productive response to the compromise. Bob began to hope that, with management support, he might be able to make a real difference in his company's network security.

It's 9:30 A.M., and across town, Jennifer Sysadmin has just finished briefing her boss about the intrusions that occurred the night before. Although she was dismayed by the initial compromise, she was able to respond almost immediately thanks to the IDS alert sent to her pager. After determining that the attacks were successful against one of her boxes, she immediately yanked the compromised system off the network, took disk images and live data for forensics, and analyzed the extent of the compromise. By the time the developers and management showed up to work in the morning, she had the last-known good backup restored to the system, locked down the hole that the attacker had used to compromise the server, and tasked her junior system administrators with making sure that all their systems were up to date on their security patches, just to be safe. She prepared a report for her managers about which vulnerabilities in the Web server's code were exploited, and what the response of her security team was. She's also scheduling a vulnerability scan of her network for that weekend, when normal network usage will be light, to make sure that she and her team have not missed any potentially damaging holes in their defense.
Logging in to her workstation, she downloads the latest Snort ruleset and applies it to her sensors, making sure that they are using the very latest definitions of network attack signatures. Running a few quick probes from her pen-testing box to make sure the new signatures are alerting on the sensors properly, she grins, stretches, and gets up. It's definitely time for a morning cup of coffee.

It's 9:30 A.M., and Andy Attacker is sound asleep. After his successful evening breaking in to other peoples' systems, he has a few dozen new zombie machines for his botnet, just waiting for his command to launch a distributed denial-of-service (DDoS) attack against anyone he decides he doesn't like. He's defaced a few Web pages, garnered a few new root accounts with his new Solaris exploit, and is planning to spend tomorrow night trading movies and media files from "his" brand new servers. Happy dreams of exploits that never fail, servers that never go down, and sysadmins who never catch on, fill his head.

Had Andy been a somewhat more sophisticated attacker, it's entirely possible that Bob Sysadmin and his team of Web developers wouldn't have had any idea that their server had been compromised. Often, it's only attackers out to promote a cause or gain a reputation in their community who bother with defacing a site. There are also attackers who are much more subtle about their assault, hiding their success rather than advertising it, and quietly using your resources for their own purposes. Without the capability to look in depth at system and network activity, you may be blind to these sorts of attempts. This is the very reason why many system administrators, security engineers, and Chief Information Officers (CIOs) are interested in IDSs like Snort.

What Is Snort?
Snort is a modern security application with three main functions: it can serve as a packet sniffer, a packet logger, or a Network-based Intrusion Detection System (NIDS). There are also many add-on programs to Snort to provide different ways of recording and managing Snort logfiles, fetching and maintaining current Snort rulesets, and alerting to let your admins know when potentially malicious traffic has been seen. Although not part of the core Snort suite, the add-ons provide a rich variety of features to the security administrator. As you will see, there are many ways to use Snort as part of your company's security design. Normally, Snort only speaks TCP/IP. Although, with custom extensions, Snort can be made to support other network protocol suites, such as Novell's

[...] one sample configuration—you can find much more detail online in the Snort manual at www.snort.org/docs/snort_manual/node17.html#SECTION00386000000000000000:

preprocessor flow-portscan: server-watchnet [192.168.1.0/24] \
unique-memcap 5000000 \
unique-rows 50000 \
tcp-penalties on

[...] don't specify the –v option, Snort will assume that you are trying to invoke it to read previously collected logs instead, and will look in its default locations ~/.snortrc and /root/.snortrc for a rules file. If it doesn't find one, it will exit with an error ("Uh, you need to tell me to do something…" in Snort 2.1), as shown here:

root@djinni ~$ snort -de
-*> Snort!

[...] Additionally, you will probably want some method of remote management of your Snort sensor—requiring

[...] have enabled in your snort.conf file. That data is passed to the detection engine, which

Posted: 13/08/2014, 12:21


Table of Contents

  • Snort 2.1 Intrusion Detection, Second Edition

    • Cover

  • Contents

  • Foreword

  • Chapter 1 Intrusion Detection Systems

    • Introducing Intrusion Detection Systems

      • What Is an Intrusion?

        • Legal Definitions

        • Scanning vs Compromise

        • Viruses and Worms-SQL Slammer

        • Live Attacks-Sendmail Buffer Overflow

      • How an IDS Works

        • What the IDS Is Watching

        • How the IDS Watches Your Network

        • How the IDS Takes the Data It Gathers and Finds Intrusion Attempts

        • What the IDS Does When It Finds an Attack Attempt

    • Answering Common IDS Questions

      • Why Are Intrusion Detection Systems Important?

      • Why Doesn't My Firewall Serve as an IDS?

      • Why Are Attackers Interested in Me?

        • Automated Scanning/Attacking Doesn't Care Who You Are

        • Desirable Resources Make You a Target

        • Political or Emotional Motivations

      • Where Does an IDS Fit with the Rest of My Security Plan?

      • Where Should I Be Looking for Intrusions?

        • Operating System Security-Backdoors and Trojans

        • Physical Security

        • Application Security and Data Integrity

        • Correlation of All These Sources

      • What Will an IDS Do for Me?

        • Continuously Watch Packets on Your Network and Understand Them

        • Read Hundreds of Megs of Logs Daily and Look for Specific Issues

        • Create Tremendous Amounts of Data No Matter How Well You Tune It

        • Create So Much Data that If You Don't Tune It, You Might as Well Not Have It

        • Find Subtle Trends in Large Amounts of Data that Might Not Otherwise Be Noticed

        • Supplement Your Other Protection Mechanisms

        • Act as a Force Multiplier for a Competent System/Network Administrator

        • Let You Know When It Looks Like You Are Under Attack

      • What Won't an IDS Do for Me?

        • Replace the Need for Someone Who Is Knowledgeable about Security

        • Catch Every Attack that Occurs

        • Prevent Attacks from Occurring

        • Prevent Attacks from Succeeding Automatically (in Most Cases)

        • Replace Your Other Protection Mechanisms

        • What Else Can Be Done with Intrusion Detection?

    • Fitting Snort into Your Security Architecture

      • Viruses, Worms, and Snort

      • Known Exploit Tools and Snort

      • Writing Your Own Signatures with Snort

      • Using an IDS to Monitor Your Company Policy

    • Analyzing Your IDS Design and Investment

      • False Positives versus False Negatives

      • Fooling an IDS

        • IDS Evasion Techniques

      • Return on Investment-Is It Worth It?

    • Defining IDS Terminology

      • Intrusion Prevention Systems (HIPS and NIPS)

      • Gateway IDS

      • Network Node IDS

      • Protocol Analysis

      • Target-Based IDS

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 2 Introducing Snort 2.1

    • Introduction

    • What Is Snort?

    • Understanding Snort's System Requirements

      • Hardware

        • Operating System

        • Other Software

    • Exploring Snort's Features

      • Packet Decoder

      • The Preprocessors

        • Example: HTTPInspect

        • Example: flow-portscan

      • The Detection Engine

        • Flow-Portscan as Example Feature

        • Rules and Matching

        • Thresholding and Suppression

      • The Alerting and Logging Components

        • Output Plug-Ins

        • Unified Output

    • Using Snort on Your Network

      • Using Snort as a Packet Sniffer and Logger

      • Using Snort as a NIDS

      • Snort and Your Network Architecture

        • Snort and Switched Networks

      • Pitfalls When Running Snort

        • False Alerts

        • Upgrading Snort

    • Considering System Security While Using Snort

      • Snort Is Susceptible to Attacks

        • Detecting a Snort System on the Network

        • Attacking Snort

        • Attacking the Underlying System

      • Securing Your Snort System

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 3 Installing Snort

    • Introduction

    • Making the Right Choices

      • Linux over OpenBSD?

      • Stripping Linux

        • Stripping out the Candy

    • A Brief Word about Linux Distributions

      • Debian

      • Slackware

      • Gentoo

        • A Word about Hardened/Specialized Linux Distributions

    • Preparing for the Installation

      • Installing pcap

        • Installing libpcap from Source

        • Look Ma! No GUI!

        • Installing libpcap from RPM

        • Installing libpcre

        • Installing MySQL

        • Installing from RPM

        • Installing from Source

    • Installing Snort

      • A Brief Word about Sentinix GNU/Linux

      • Installing Snort from Source

        • Enabling Features via configure

      • Installing Snort from RPM

      • Installing Snort Using apt

      • Configuring Snort IDS

      • Customizing Your Installation: Editing the snort.conf File

        • Installation on the MS Windows Platform

        • Command-Line Switches

      • Installing on OpenBSD

        • Option 1: Using OpenBSD Ports

        • Option 2: Using Prepackaged OpenBSD Ports

        • Option 3: Installing Snort from Source

      • Installing Bleeding-Edge Versions of Snort

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 4 Inner Workings

    • Introduction

      • The Life of a Packet Inside Snort

        • Decoders

      • The Detection Engine

        • The Old Detection Engine

        • The New Detection Engine

        • Tagging

        • Thresholding

        • Suppression

        • Logging

    • Adding New Functionality

      • What Is a Detection Plug-In?

      • Writing Your Own Detection Plug-In

        • Copyright and License

        • Includes

        • Data Structures

        • Functions

        • Setup

        • Initialization

        • Parser

        • Detection Function

        • What Do I Add to the Rest of the System?

        • Testing

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 5 Playing by the Rules

    • Introduction

    • Dissecting Rules

      • Matching Ports

      • Matching Simple Strings

      • Using Preprocessor Output

    • Using Variables

      • Snort Configuration

    • Understanding Rule Headers

      • Rule Actions

        • When Should You Use a Pass Rule?

        • Custom Rules Actions

        • Using Activate and Dynamic Rules

    • Rule Options

      • Rule Content

        • ASCII Content

        • Including Binary Content

        • The depth Option

        • The offset Option

        • The nocase Option

        • The session Option

        • Uniform Resource Identifier Content

        • The stateless Option

        • Regular Expressions

        • Flow Control

      • IP Options

        • Fragmentation Bits

        • Equivalent Source and Destination IP Option

        • IP Protocol Options

        • ID Option

        • Type of Service Option

        • Time-To-Live Option

      • TCP Options

        • Sequence Number Options

        • TCP Flags Option

        • TCP ACK Option

      • ICMP Options

        • ID

        • Sequence

        • The icode Option

        • The itype Option

      • Meta-Data Options

        • Snort ID Options

        • Rule Revision Number

        • Severity Identifier Option

        • Classification Identifier Option

        • External References

      • Miscellaneous Rule Options

        • Messages

        • Logging

        • TAG

        • dsize

        • RPC

        • Real-Time Countermeasures

    • Writing Good Rules

      • What Makes a Good Rule?

      • Action Events

      • Ensuring Proper Content

      • Merging Subnet Masks

      • What Makes a Bad Rule?

      • The Evolution of a Rule: From Start to Finish

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 6 Preprocessors

    • Introduction

    • What Is a Preprocessor?

    • Preprocessor Options for Reassembling Packets

      • The stream4 Preprocessor

        • TCP Statefulness

        • Session Reassembly

        • Stream4's Output

      • Frag2-Fragment Reassembly and Attack Detection

        • Configuring Frag2

        • Frag2 Output

      • Flow

        • Configuring Flow

        • Frag2 Output

    • Preprocessor Options for Decoding and Normalizing Protocols

      • Telnet Negotiation

        • Telnet Negotiation Output

      • HTTP Normalization

        • Configuring the HTTP Normalization Preprocessor

        • HTTP Decode's Output

      • rpc_decode

        • Configuring rpc_decode

        • rpc_decode Output

    • Preprocessor Options for Nonrule or Anomaly-Based Detection

      • Portscan

        • Configuring the Portscan Preprocessor

      • Back Orifice

        • Configuring the Back Orifice Preprocessor

      • General Nonrule-Based Detection

    • Experimental Preprocessors

      • arpspoof

      • ASN1_decode

      • Fnord

      • portscan2 and conversation

        • Configuring the portscan2 Preprocessor

        • Configuring the conversation Preprocessor

      • perfmonitor

    • Writing Your Own Preprocessor

      • Reassembling Packets

      • Decoding Protocols

      • Nonrule or Anomaly-Based Detection

      • Setting Up My Preprocessor

      • What Am I Given by Snort?

        • Examining the Argument Parsing Code

        • Getting the Preprocessor's Data Back into Snort

      • Adding the Preprocessor into Snort

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 7 Implementing Snort Output Plug-Ins

    • Introduction

    • What Is an Output Plug-In?

      • Key Components of an Output Plug-In

    • Exploring Output Plug-In Options

      • Default Logging

      • SNMP Traps

      • XML Logging

      • Syslog

      • SMB Alerting

      • PCAP Logging

      • Snortdb

      • MySQL versus PostgreSQL

      • Unified Logs

        • Why Should I Use Unified Logs?

        • What Do I Do with These Unified Files?

    • Writing Your Own Output Plug-In

      • Why Should I Write an Output Plug-In?

      • Setting Up Your Output Plug-In

      • Creating Snort's W3C Output Plug-In

        • myPluginSetup (AlertW3CSetup)

        • myPluginInit (AlertW3CInit)

        • myPluginAlert (AlertW3C)

        • myPluginCleanExit (AlertW3CCleanExit)

        • myPluginRestart (AlertW3CRestart)

        • Running and Testing the Snort W3C Output Plug-in

      • Dealing with Snort Output

    • Tackling Common Output Plug-In Problems

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 8 Dealing with the Data

    • Introduction

    • What Is Intrusion Analysis?

      • Snort Alerts

        • Snort Packet Data

        • Examine the Rule

        • Validate the Traffic

        • Attack Mechanism

        • Intrusion Data Correlation

        • Following Up on the Analysis Results

    • Intrusion Analysis Tools

      • Database Front Ends

        • ACID

      • Installing ACID

        • Prerequisites for Installing ACID

      • Configuring ACID

      • Using ACID

        • Querying the Database

        • Alert Groups

        • Graphical Features of ACID

        • Managing Alert Databases

      • SGUIL

        • Installing SGUIL

        • Step 1: Create the SGUIL Database

        • Step 2: Installing Sguild, the Server

        • Step 3: Install a SGUIL Client

        • Step 4: Install the Sensor Scripts

        • Step 5: Install Xscriptd

      • Using SGUIL

      • Summary Scripts

        • snort_stat.pl

      • Using SnortSnarf

        • Installing SnortSnarf

        • Configuring Snort to Work with SnortSnarf

        • Basic Usage of SnortSnarf

        • Swatch

    • Analyzing Snort IDS Events

      • Begin the Analysis by Examining the Alert message

      • Validate the Traffic

      • Identify the Attack Mechanism

      • Correlations

    • Conclusions

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 9 Keeping Everything Up to Date

    • Introduction

    • Updating Snort

      • Production Choices

        • Compiled Builds vs Source Builds

        • Patching Snort

    • Updating Rules

      • How Can Updating Be Easy?

        • Using Variables

        • Using the Local Rules File

        • Removing Rules from the Ruleset

        • Using Oinkmaster

        • Using IDSCenter to Merge with Your Existing Rules

      • The Importance of Documentation

        • Why a Security Team Should Be Concerned with Rule Documentation

    • Testing Snort and the Rules

      • Testing within Organizations

        • Small Organizations

        • Large Organizations

    • Watching for Updates

      • The Importance of Security Mailing Lists and Web Sites

      • Chain-of-Command and Outside Management for CIRT Organizations

      • Use in Events-of-Interest, 0-Day, and Other Short-Term Use

        • Short-Term Rules

        • Policy Enforcement Rules

        • Forensics Rules

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 10 Optimizing Snort

    • Introduction

    • How Do I Choose the Hardware to Use?

      • What Constitutes "Good" Hardware?

        • Processors

        • RAM Requirements

        • Storage Medium

        • Network Interface Card

      • How Do I Test My Hardware?

    • How Do I Choose the Operating System to Use?

      • What Makes a "Good" OS for an NIDS?

      • What OS Should I Use?

      • How Do I Test My OS Choice?

    • Speeding Up Snort

      • The Initial Decision

      • Deciding Which Rules to Enable

      • Notes on Pattern Matching

      • Configuring Preprocessors for Speed

      • Using Generic Variables

      • Choosing an Output Plug-In

    • Benchmarking Your Deployment

      • Benchmark Characteristics

        • Attributes of a Good Benchmark

        • Attributes of a Poor Benchmark

      • What Options Are Available for Benchmarking?

        • IDS Informer

        • IDS Wakeup

        • Sneeze

        • TCPReplay

        • THC's Netdude

        • Other Packet-Generation Tools

        • Additional Options

      • Stress Testing the Pig!

      • Stress Tests

      • Individual Snort Rule Tests

      • Berkeley Packet Filter Tests

    • Tuning Your Rules

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 11 Mucking Around with Barnyard

    • Introduction

    • What Is Barnyard?

    • Understanding the Snort Unified Files

      • Unified Alert Records

      • Unified Log Records

      • Unified Stream-Stat Records

    • Installing Barnyard

      • Downloading

      • Building and Installing

    • Configuring Barnyard

      • The Barnyard Command-Line Options

      • The Configuration File

        • Configuration Directives

        • Output Plug-In Directives

    • Understanding the Output Plug-Ins

      • alert_fast

      • alert_csv

      • alert_syslog

      • alert_syslog2

      • log_dump

      • log_pcap

      • acid_db

      • sguil

    • Running Barnyard in Batch-Processing Mode

      • Processing a Single File

      • Using the Dry Run Option

      • Processing Multiple Files

    • Using the Continual-Processing Mode

      • The Basics of Continual-Processing Mode

      • Running in the Background

      • Enabling Bookmark Support

      • Only Processing New Events

      • Archiving Processed Files

      • Running Multiple Barnyard Processes

      • Signal Handling

    • Deploying Barnyard

      • Remote Syslog Alerting

      • Database Logging

      • Extracting Data

      • Real-Time Console Alerting

    • Writing a New Output Plug-In

      • Implementing the Plug-In

        • Setting Up the Source Files

        • Writing the Functions

        • Adding the Plug-In to op_plugbase.c

      • Finishing Up

        • Updating Makefile.am

        • Building Barnyard

      • Real-Time Console Alerting Redux

    • Secret Capabilities of Barnyard

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 12 Active Response

    • Introduction

    • Active Response vs Intrusion Prevention

      • Active Response Based on Layers

      • Altering Network Traffic Based on IDS Alerts

        • Snortsam

        • Fwsnort

        • Snort_inline

        • Attack and Response

    • Snortsam

      • Installation

      • Architecture

        • Snort Output Plug-In

        • Blocking Agent

      • Snortsam in Action

        • WWWBoard passwd.txt Access Attack

        • NFS mountd Overflow Attack

    • Fwsnort

      • Installation

      • Configuration

      • Execution

      • WWWBoard passwd.txt Access Attack (Revisited)

      • NFS mountd Overflow Attack (Revisited)

    • Snort_inline

      • Installation

      • Configuration

      • Architecture

      • Web Server Attack

      • NFS mountd Overflow Attack

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Chapter 13 Advanced Snort

    • Introduction

    • Network Operations

      • Flow Preprocessor Family

      • Perfmon Preprocessor

      • Unusual Network Traffic

    • Forensics/Incident Handling

      • Logging and Filtering

      • Traffic Reconstruction

      • Interacting with Law Enforcement

    • Snort and Honeynets

      • Snort-Inline

        • Countermeasures and Logging

    • Really Cool Stuff

      • Behavioral Tracking

        • Patch/IAVA Verifications

        • Policy Enforcement

    • Summary

    • Solutions Fast Track

    • Frequently Asked Questions

  • Index
