Managing Security with Snort and IDS Tools

Table of Contents
Copyright
Preface
  Audience
  About This Book
  Assumptions This Book Makes
  Chapter Synopsis
  Conventions Used in This Book
  Comments and Questions
  Acknowledgments
Chapter 1 Introduction
  1.1 Disappearing Perimeters
  1.2 Defense-in-Depth
Chapter 4 Know Your Enemy
  4.1 The Bad Guys
  4.2 Anatomy of an Attack: The Five Ps
Chapter 5 The snort.conf File
  5.2 Snort Decoder and Detection Engine Configuration
  5.3 Preprocessor Configurations
  5.4 Output Configurations
  5.5 File Inclusions
Chapter 6 Deploying Snort
  6.1 Deploy NIDS with Your Eyes Open
Chapter 7 Creating and Managing Snort Rules
  7.1 Downloading the Rules
  7.2 The Rule Sets
  7.3 Creating Your Own Rules
  7.4 Rule Execution
  7.5 Keeping Things Up-to-Date
  7.6 Sites of Interest
Chapter 8 Intrusion Prevention
  8.1 Intrusion Prevention Strategies
  8.2 IPS Deployment Risks
  8.3 Flexible Response with Snort
  8.4 The Snort Inline Patch
  8.5 Controlling Your Border
  8.6 Sites of Interest
Chapter 9 Tuning and Thresholding
Chapter 11 Using SnortCenter as a Snort IDS Management Console
  11.1 SnortCenter Console Installation
  11.2 SnortCenter Agent Installation
  11.3 SnortCenter Management Console
  11.4 Logging In and Surveying the Layout
  11.5 Adding Sensors to the Console
  11.6 Managing Tasks
Chapter 12 Additional Tools for Snort IDS Management
  12.1 Open Source Solutions
  12.2 Commercial Solutions
Chapter 13 Strategies for High-Bandwidth Implementations of Snort
  13.1 Barnyard (and Sguil)
  13.2 Commercial IDS Load Balancers
  13.3 The IDS Distribution System (I(DS)2)
Appendix A Snort and ACID Database Schema
Managing Security with Snort and IDS Tools
By Kerry J. Cox, Christopher Gerg
Publisher: O'Reilly
Pub Date: August 2004
ISBN: 0-596-00661-6
Pages: 288
This practical guide to managing network security covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive resource for monitoring illegal entry attempts, Managing Security with Snort and IDS Tools provides step-by-step instructions on getting up and running with Snort 2.1, and how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices.
Copyright
Preface
  Audience
  About This Book
  Assumptions This Book Makes
  Chapter Synopsis
  Conventions Used in This Book
  Comments and Questions
Chapter 2 Network Traffic Analysis
  Section 2.1 The TCP/IP Suite of Protocols
  Section 2.2 Dissecting a Network Packet
  Section 2.3 Packet Sniffing
  Section 2.4 Installing tcpdump
  Section 2.5 tcpdump Basics
  Section 2.6 Examining tcpdump Output
  Section 2.7 Running tcpdump
  Section 2.8 ethereal
  Section 2.9 Sites of Interest
Chapter 3 Installing Snort
  Section 3.1 About Snort
  Section 3.2 Installing Snort
  Section 3.3 Command-Line Options
  Section 3.4 Modes of Operation
Chapter 4 Know Your Enemy
  Section 4.1 The Bad Guys
  Section 4.2 Anatomy of an Attack: The Five Ps
  Section 4.3 Denial-of-Service
  Section 4.4 IDS Evasion
  Section 4.5 Sites of Interest
Chapter 5 The snort.conf File
  Section 5.1 Network and Configuration
  Section 5.5 File Inclusions
Chapter 6 Deploying Snort
  Section 6.1 Deploy NIDS with Your Eyes Open
  Section 6.2 Initial Configuration
  Section 6.3 Sensor Placement
  Section 6.4 Securing the Sensor Itself
  Section 6.5 Using Snort More Effectively
  Section 6.6 Sites of Interest
Chapter 7 Creating and Managing Snort Rules
  Section 7.1 Downloading the Rules
  Section 7.2 The Rule Sets
  Section 7.3 Creating Your Own Rules
  Section 7.4 Rule Execution
  Section 7.5 Keeping Things Up-to-Date
  Section 7.6 Sites of Interest
Chapter 8 Intrusion Prevention
  Section 8.1 Intrusion Prevention Strategies
  Section 8.2 IPS Deployment Risks
  Section 8.3 Flexible Response with Snort
  Section 8.4 The Snort Inline Patch
  Section 8.5 Controlling Your Border
  Section 8.6 Sites of Interest
Chapter 9 Tuning and Thresholding
  Section 9.1 False Positives (False Alarms)
  Section 9.2 False Negatives (Missed Alerts)
  Section 9.3 Initial Configuration and Tuning
  Section 9.4 Pass Rules
  Section 9.5 Thresholding and Suppression
Chapter 10 Using ACID as a Snort IDS Management Console
Chapter 11 Using SnortCenter as a Snort IDS Management Console
  Section 11.1 SnortCenter Console Installation
  Section 11.6 Managing Tasks
Chapter 12 Additional Tools for Snort IDS Management
  Section 12.1 Open Source Solutions
  Section 12.2 Commercial Solutions
Chapter 13 Strategies for High-Bandwidth Implementations of Snort
  Section 13.1 Barnyard (and Sguil)
  Section 13.2 Commercial IDS Load Balancers
Appendix A Snort and ACID Database Schema
  Section A.1 acid_ag
Appendix B The Default snort.conf File
Appendix C Resources
  Section C.1 From Chapter 1: Introduction
  Section C.2 From Chapter 2: Network Traffic Analysis
  Section C.3 From Chapter 4: Know Your Enemy
  Section C.4 From Chapter 6: Deploying Snort
  Section C.5 From Chapter 7: Creating and Managing Snort Rules
  Section C.6 From Chapter 8: Intrusion Prevention
  Section C.7 From Chapter 10: Using ACID as a Snort IDS Management Console
  Section C.8 From Chapter 12: Additional Tools for Snort IDS Management
  Section C.9 From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
Colophon
Index
Copyright © 2004 O'Reilly Media, Inc.

Printed in the United States of America.

Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol,

Handbook logo, and the O'Reilly logo are registered trademarks of O'Reilly Media, Inc. Managing Security with Snort and IDS Tools, the image of a man on a rope with an ax, and related trade dress are trademarks of O'Reilly Media, Inc.

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and O'Reilly Media, Inc. was aware of a trademark claim, the designations have been printed in caps or initial caps.

While every precaution has been taken in the preparation of this book, the publisher and authors assume no responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.
Preface

This book explains how to manage your network's security using the open source tool Snort. The examples in this book are designed for use primarily on a Red Hat Linux machine. They should be fully functional on the latest Red Hat Enterprise Linux version as well as the latest Fedora release by Red Hat. All instructions were documented using the most recent Red Hat releases, patches, and software. The applications were configured using default packages needed for a standard installation, and each machine was secured according to the latest errata.

The instructions in this book apply to other Linux flavors, such as SuSE, Gentoo, Debian, and most Unix variants, including FreeBSD, OpenBSD, and Solaris. Many of the applications are available for download as source or as precompiled binaries. Since performance is often a consideration when deploying an IDS solution, you will probably find that building the applications from source yields the best results. If you do not have the time, desire, or need to build from source, the prebuilt packages should work just fine and install without trouble on most systems. Consult your Linux distribution or Unix-based operating system for further information regarding source compilation and installation. Snort binaries are also available for the Microsoft Windows platform, and instructions for running Snort on a Windows platform are included.

Links to the applications and their respective web sites are provided throughout and at the end of the chapters. Appendix C also contains a compendium of all software programs and applications referenced. Check all software sites regularly for the latest updates and information regarding their use. Many of the programs are under active development and new versions are posted frequently. Some applications require an update with the release of new Linux versions. Stay current with the most recent release in order to avoid any vulnerabilities or security issues that appear over time.
Topics covered include:

- Packet capture and analysis using a variety of command-line and GUI utilities
- An introduction to the interpretation of packet headers and content within an IDS environment
- The threats to your organization's technology assets
- Instructions for installing, configuring, tuning, and customizing an open source, enterprise-level network intrusion detection system (NIDS) for use in corporate and/or home office environments
- A discussion of ways to utilize Snort as a sniffer, a network gateway that blocks malicious traffic, and a passive IDS sensor
- Details on how to configure and tune your Snort IDS installation to maximize the effectiveness and minimize the labor involved in detecting and tracking down attacks
- An in-depth look at a variety of administration tools that assist in the management of the Snort IDS environment
- Strategies for deploying an IDS in switched, high-security, and high-bandwidth environments
Audience

This book is designed for network, system, and security administrators of large-scale enterprises as well as managers of small businesses or home offices. The instructions should be readable for those with only a small amount of network and Unix experience, but also useful for experienced administrators with a varied background in networking and system administration. To be sure, the more experienced you are, the easier it will be to interpret the results generated by the Snort IDS.
About This Book

Snort can be used for a variety of applications, from acting as a simple network sniffer to an enterprise-class gateway intrusion detection system (IDS). This book discusses the various ways to use Snort, and methods of configuring, tuning, and customizing the application to best suit your environment. Implementing an IDS solution can be a labor-intensive and sometimes overwhelming project. This book helps streamline the processes of the initial setup and ongoing care and feeding of Snort.

All the source code discussed here is freely available for download off the Internet. I have avoided any software that is closed source, requires a license, or costs money. Though links and source code versions do change over time, every effort has been made to keep listings and release numbers for each application as up-to-date as possible. If you find the URL does not work as listed, please check with some of the major open source repositories: http://freshmeat.net and http://sourceforge.net. If you are unable to locate the applications, use a search engine such as http://www.google.com to find the program's new home or current web site.

Links to required libraries or associated applications are usually found on the home pages of most programs. For example, links to SnortCenter and Barnyard are found on the main Snort page at http://www.snort.org.

Now that you know what this book is about, here is what it's not about. This book is not a beginner's guide to packet analysis. It is intended to help you implement viable solutions to everyday intrusion detection problems. This book does not spend countless pages examining the nuances and vagaries of every type of fragmented packet or possible buffer overflow. Instead, it explains how to quickly capture a sampling of network traffic and look for the tell-tale signs that indicate hostile activity.

If you are searching for a theoretical manual that provides detailed insight into every possible security application or that explains how to dissect new intrusive packets, you won't find it here. This book deals with strategies and speedy implementations using a reasonable, common-sense approach. By the end of this book, the reader will understand that a network-based intrusion detection system is one part of a larger strategy of defense-in-depth. The book is based on the experience of a Network Security Engineer who has both attacked and defended very large corporate networks and systems. Whether you are looking for something to help secure your home network, or looking for an enterprise-class solution that can watch 2 Gbps of bandwidth in near-real-time, this book will help.
Assumptions This Book Makes

This book does not make too many demands on the average reader. It is written in an informal manner and is intended for most security administrators, whether they are using Linux (or another Unix offshoot like BSD) or Windows. The main focus of the book will be running Snort on a Linux platform. Even beginning Linux users should have no trouble grasping the concepts. Most applications, along with their installation and configuration, are clearly spelled out. While this book will provide the average user with the ability to get a Snort sensor up and running, professional deployments of any IDS solution benefit from a good knowledge of networking and system administration. Without this background, discrimination of what is naughty and what is nice will be more difficult.

If any of the steps explained in later chapters do not answer all your questions, please consult the application's home page or subscribe to its mailing list, if one is available. It will be helpful if you are familiar with Usenet newsgroups and can post detailed questions regarding any additional use of the applications presented here. You will find that the open source community surrounding Snort and the related applications is active and incredibly helpful.

This book assumes that you have access to one or more machines, can perform a standard operating system installation, and have a relatively stable connection to the Internet. It also operates on the assumption that a LAN or switched Ethernet network is available for testing purposes. Though this is not required, it does help when monitoring packets flowing between machines and in and out of networks. This book also presupposes that a secure firewall is in place. It is your responsibility to ensure that your network remains safe during the IDS installation and implementation phase. Newly installed systems do not survive long when exposed to the Internet without protection.
Chapter Synopsis

Chapter 1
Introduces the concepts behind network security and intrusion detection.

Chapter 2
Goes into some depth on how the systems on your network use the network to accomplish their tasks. The structure of packets will be examined, equipping you to