Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our solutions@syngress.com Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can’t wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
Visit us at www.syngress.com
Snort IDS and IPS Toolkit
Featuring Jay Beale and Members of the Snort Team
Andrew R. Baker, Joel Esler
Raven Alder, Dr. Everett F. (Skip) Carter, Jr., James C. Foster, Matt Jonkman, Raffael Marty, Eric Seagren
Toby Kohlenberg, Technical Editor
Foreword by Stephen Northcutt, President, The SANS Technology Institute
NETWORK ATTACK
(collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.
There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.
In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.
You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Syngress: The Definition of a Serious Security Library”™, “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Snort and the Snort logo are registered trademarks of Sourcefire, Inc.
Snort Intrusion Detection and Prevention Toolkit
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN-10: 1-59749-099-7
ISBN-13: 978-1-59749-099-3
Sourcefire is a registered trademark of Sourcefire, Inc.
Publisher: Andrew Williams
Acquisitions Editor: Erin Heffernan
Technical Editor: Toby Kohlenberg
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Julie Kawabata
Cover Designer: Michael Kavish
A special thanks to Marty Roesch and the rest of the Snort developers for all their efforts to maintain Snort: Erek Adams, Andrew R. Baker, Brian Caswell, Roman D., Chris Green, Jed Haile, Jeremy Hewlett, Jeff Nathan, Marc Norton, Chris Reid, Daniel Roelker, Marty Roesch, Dragos Ruiu, JP Vossen, Daniel Wittenberg, and Fyodor Yarochkin.
Thank you to Mike Guiterman, Michele Perry, and Joseph Boyle at Sourcefire for making this book possible.
Technical Editor
Toby Kohlenberg is a Senior Information Security Specialist for Intel Corporation. He does penetration testing, incident response, malware analysis, architecture design and review, intrusion analysis, and various other things that paranoid geeks are likely to spend time dealing with. In the last two years he has been responsible for developing security architectures for world-wide deployments of IDS technologies, secure WLANs, Windows 2000/Active Directory, as well as implementing and training a security operations center. He is also a handler for the Internet Storm Center, which provides plenty of opportunity to practice his analysis skills. He holds the CISSP, GCFW, GCIH, and GCIA certifications. He currently resides in Oregon with his wife and daughters, where he enjoys the 9 months of the year that it rains much more than the 3 months where it’s too hot.
Contributing Authors
Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1931836086).
Raven Alder is the author of Chapters 1 and 2.
Andrew R. Baker is the Product Maintenance Manager for Sourcefire, Inc. His work experience includes the development and use of intrusion detection systems, security event correlation, as well as the use of vulnerability scanning software, network intrusion analysis, and network infrastructure management. Andrew has been involved in the Snort project since 2000. He is the primary developer for Barnyard, which he started working on in 2001 to address performance problems with the existing output plugins.
Andrew has instructed and developed material for the SANS Institute, which is known for providing information security training and GIAC certifications. He has an MBA from the R.H. Smith School of Business at the University of Maryland and a Bachelors of Science in Computer Science from the University of Alabama at Birmingham.
Andrew R. Baker is the author of Chapters 5 and 13.
Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network Security Services (a division of Taygeta Scientific Inc.). Taygeta Scientific Inc. provides contract and consulting services in the areas of scientific computing, smart instrumentation, and specialized data analysis. Taygeta Network Security Services provides security services for real-time firewall and IDS management and monitoring, passive network traffic analysis audits, external security reviews, forensics, and incident investigation.
Skip holds a Ph.D. and an M.S. in Applied Physics from Harvard University. In addition he holds two Bachelor of Science degrees (Physics and Geophysics) from the Massachusetts Institute of Technology. Skip is a member of the American Society for Industrial Security (ASIS). He was contributing author of Syngress Publishing’s book, Hack Proofing XML (ISBN: 1931836507). He has authored several articles for Dr. Dobb’s Journal and Computer Language as well as numerous scientific papers and is a former columnist for Forth Dimensions magazine. Skip resides in Monterey, CA, with his wife, Trace, and his son, Rhett.
Dr. Everett F. (Skip) Carter, Jr. is the author of Chapter 12.
Joel Esler (GCIA, SnortCP, SFCP, SFCE) is a Senior Security Consultant at Sourcefire. He began his post-school career in the Army and was honorably discharged in 2003. After 6 years of service, Joel continued to work for the Department of Defense as a Security Analyst for the Regional Computer Emergency Response Team — South, contracted through Lockheed Martin Professional Services. Starting out as a Network Security Analyst, Joel developed and deployed his own IDS system, based on Snort, tcpdump, p0f, and pads throughout the Army’s networks. With successful results, he quickly advanced to be the Director of Computer Defense and Information Assurance Branch of the RCERT-S, which held him responsible for many aspects of Vulnerability Scanning, IDS Deployment, and Snort Rule creation for the Army. In August of 2005, Joel left the RCERT-S to work for Sourcefire, Inc. His duties currently include installing and configuring Sourcefire and Snort deployments for customers nationwide, in addition to teaching three different Sourcefire and Snort classes. On occasion, you might even see him speaking at various user groups and conventions. In an effort to continue his growth and development, Joel recently became an Incident Handler for SANS at the Internet Storm Center, as well as a GIAC Gold Advisor responsible for assisting people through the SANS Gold certification process.
Joel would like to thank the professionals who wrote much of the Snort documentation on which a significant part of this chapter is based.
Joel Esler is the author of Chapter 6.
James C. Foster currently heads the secure development practice for a large firm near Washington D.C. Prior to this, James was the Deputy Director of Global Security Solution Development for Computer Sciences Corporation where he was responsible for the global service architecture and operations for CSC managed information security services and solutions. Additionally, he is a Fellow at the Wharton School of Business, a contributing Editor at Information Security Magazine and SearchSecurity.com. He also sits on the Mitre OVAL Board of Directors. Preceding CSC, James was the Director of Research and Development for Foundstone Inc. (acquired by McAfee) and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, James was the Chief Scientist and Executive Advisor with Guardent Inc. (acquired by Verisign) and an adjunct author at Information Security Magazine (acquired by TechTarget). This was all subsequent to working as Security Research Specialist for the Department of Defense. With his core competencies residing in high-tech remote management, international expansion, and product prototype development, James has helped three security companies successfully launch new commercial product offerings and reach their go-to-market strategy. James has experience in application security testing, protocol analysis, and search algorithm technology; he has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial-grade cryptography implementations.
James is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat USA, BlackHat Windows, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. He holds an A.S., B.S., MBA and numerous technology and management certifications.
James C. Foster is the author of Chapters 8 and 10.
Matt Jonkman has been involved in Information Technology since the late 1980s. He has a strong background in banking and network security, network engineering, incident response, and Intrusion Detection. Matt is founder of Bleeding Edge Threats (www.bleedingedgethreats.net), formerly Bleeding Snort. Bleeding Edge Threats is an open-source research community for Intrusion Detection Signatures and much more. Matt spent 5 years serving abroad in the Army before attending Indiana State University and the Rose-Hulman Institute. After several years as a general consultant he became Lead Technician for Sprint’s Internal and Managed Security division. Matt then moved to the financial sector as Senior Security Engineer for a major bank and financial services corporation. Then, he worked to build Infotex, a security firm focused on Managed IPS and Vulnerability Assessment. Matt currently is the Director of Intelligence Gathering for GNTC, the Global Network Threat Center. GNTC focuses on Open Research and collaboration of many open-source projects to mitigate and discover the complex threats facing today’s information systems and organizations.
Matt Jonkman is the author of Chapter 7.
Chad Keefer is the founder of Solirix, a computer network security company specializing in Information Assurance. Chad is a former developer of Sourcefire’s RNA product team. Chad has over 13 years of industry experience in security, networking, and software engineering. He has worked extensively with the federal government and in a wide range of commercial industries to redefine and sharpen the current perception of security. He has also been a lead architect in this space, overseeing initiatives to redesign and build many security infrastructures. Chad holds a B.S. in Computer Science from the University of Maryland. He currently lives in Annapolis, MD with his wife and daughter.
Chad Keefer is the author of Chapter 3.
Raffael Marty (GCIA, CISSP) is the manager of ArcSight’s Strategic Application Solution Team, where he is responsible for delivering industry solutions that address the security needs of Fortune 500 companies, ranging from regulatory compliance to insider threat. Raffael initiated ArcSight’s Content Team, which holds responsibility for all of the product’s content, ranging from correlation rules, dashboards and visualizations, to vulnerability mappings and categorization of security events. Before joining ArcSight, Raffael worked as an IT security consultant for PriceWaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research. There, he participated in various intrusion detection related projects. His main project, Thor, was the first approach to testing intrusion detection systems by means of correlation tables.
Raffael is a log analysis and correlation expert. He has a passion for visualization of security event data and is the author of an open source visualization tool. He has been presenting on a number of security topics at various conferences and occasions. Raffael also serves on the MITRE OVAL (Open Vulnerability and Assessment Language) advisory board, is involved in the Common Vulnerability Scoring System (CVSS) standard, and participates in various other security standards and organizations.
Raffael Marty is the author of Chapter 9.
Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has 10 years of experience in the computer industry, with the last eight years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. Since he has been working in the financial services industry, his position and responsibilities have advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks.
Eric has worked on several books as a contributing author or technical editor. These include Hardening Network Security (McGraw-Hill), Hardening Network Infrastructure (McGraw-Hill), Hacking Exposed: Cisco Networks (McGraw-Hill), Configuring Check Point NGX VPN-1/FireWall-1 (Syngress), Firewall Fundamentals (Cisco Press), and Designing and Building Enterprise DMZs (Syngress). He has also received a CTM from Toastmasters of America.
Eric is the author of Chapter 4.
Foreword
Stephen Northcutt, SANS Institute (Fellow), founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, Second Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection, Third Edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer.
Series Editor
Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He’s written two of the most popular tools in this space: Bastille Linux, a lockdown tool that introduced a vital security-training component, and the Center for Internet Security’s Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with CIS, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development.
Jay has served as an invited speaker at a variety of conferences worldwide, as well as government symposia. He’s written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on four books in the information security space. Three of these, including the best-selling Snort 2.1 Intrusion Detection (Syngress, ISBN: 1931836043) make up his Open Source Security Series, while one is a technical work of fiction entitled Stealing the Network: How to Own a Continent (Syngress, ISBN: 1931836051).
Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense.
Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping set company strategy, design security products, and pushing security into the third largest retail Linux distribution.
Contents
Foreword xxxiii
Chapter 1 Intrusion Detection Systems 1
Introduction 2
What Is Intrusion Detection? 2
Network IDS 5
Host-Based IDS 6
Distributed IDS 7
How an IDS Works 8
Where Snort Fits 10
Intrusion Detection and Network Vulnerabilities 11
Identifying Worm Infections with IDS 11
Identifying Server Exploit Attempts with IDS 12
Decisions and Cautions with IDS 13
Why Are Intrusion Detection Systems Important? 15
Why Are Attackers Interested in Me? 16
What Will an IDS Do for Me? 17
What Won’t an IDS Do for Me? 18
Where Does an IDS Fit with the Rest of My Security Plan? 20
Doesn’t My Firewall Serve As an IDS? 20
Where Else Should I Be Looking for Intrusions? 21
Backdoors and Trojans 21
Physical Security 22
Application and Data Integrity 22
What Else Can You Do with Intrusion Detection Systems? 23
Monitoring Database Access 24
Monitoring DNS Functions 24
E-Mail Server Protection 25
Using an IDS to Monitor My Company Policy 25
What About Intrusion Prevention? 25
Summary 27
Solutions Fast Track 27
Frequently Asked Questions 30
Chapter 2 Introducing Snort 2.6 31
Introduction 32
What Is Snort? 33
What’s New in Snort 2.6 35
Engine Improvements 35
Preprocessor Improvements 36
Rules Improvements 36
Snort System Requirements 37
Hardware 37
Operating System 38
Other Software 38
Exploring Snort’s Features 39
Packet Sniffer 41
Preprocessor 41
Detection Engine 42
Alerting/Logging Component 44
Using Snort on Your Network 47
Snort’s Uses 49
Using Snort as a Packet Sniffer and Logger 50
Using Snort as an NIDS 55
Snort and Your Network Architecture 55
Snort and Switched Networks 59
Pitfalls When Running Snort 60
False Alerts 61
Upgrading Snort 61
Security Considerations with Snort 62
Snort Is Susceptible to Attacks 62
Securing Your Snort System 63
Summary 65
Solutions Fast Track 65
Frequently Asked Questions 67
Chapter 3 Installing Snort 2.6 69
Introduction 70
Choosing the Right OS 70
Performance 71
The Operating System and the CPU 71
The Operating System and the NIC 75
Stability 76
Security 77
Support 77
Cost 77
Stripping It Down 78
Removing Nonessential Items 80
Debian Linux 81
CentOS 82
Gentoo 82
The BSDs 84
OpenBSD 84
Windows 88
Bootable Snort Distros 88
The Network Security Toolkit As a Snort Sensor 89
Hardware Platform Considerations 90
The CPU 91
Memory 91
Memory’s Influence on System Performance 93
Virtual Memory 93
The System Bus 93
PCI 94
PCI-X 95
PCI-Express 95
Theoretical Peak Bandwidth 96
Dual vs Single Bus 96
The NIC 96
Disk Drives 98
Installing Snort 98
Prework 99
Installing pcap 99
Installing/Preparing Databases 99
Time Synchronization (NTP) 101
Installing from Source 102
Benefits and Costs 102
Compile-Time Options 103
Installing Binaries 104
Apt-get 104
RPM 105
Windows 106
Hardening 106
General Principles 106
Configuring Snort 108
The snort.conf File 108
Variables 109
Using Variables in snort.conf and in Rules 110
Command-Line Switches 110
Configuration Directives 114
Snort.conf –dynamic-* Options 114
Ruletype 114
Plug-In Configuration 115
Preprocessors 115
Output Plug-Ins 117
Included Files 118
Rules Files 118
sid-msg.map 119
threshold.conf 119
gen-msg.map 120
classification.config 120
Thresholding and Suppression 121
Testing Snort 121
Testing within Organizations 123
Small Organizations 123
Large Organizations 125
Maintaining Snort 126
Updating Rules 126
How Can Updating Be Easy? 127
Updating Snort 127
Upgrading Snort 128
Monitoring Your Snort Sensor 128
Summary 129
Solutions Fast Track 129
Frequently Asked Questions 131
Chapter 4 Configuring Snort and Add-Ons 133
Placing Your NIDS 134
Configuring Snort on a Windows System 136
Installing Snort 137
Configuring Snort Options 140
Using a Snort GUI Front End 146
Configuring IDS Policy Manager 146
Configuring Snort on a Linux System 153
Configuring Snort Options 153
Using a GUI Front-End for Snort 158
Basic Analysis and Security Engine 159
Other Snort Add-Ons 166
Using Oinkmaster 166
Additional Research 168
Demonstrating Effectiveness 169
Summary 171
Solutions Fast Track 171
Frequently Asked Questions 173
Chapter 5 Inner Workings 175
Introduction 176
Snort Initialization 176
The Command Line 176
Parsing the Config File 177
Parsing Rules 177
Housekeeping (i.e., Signal Handling) 178
Snort Packet Processing 179
Packet Acquisition 180
Decoding 183
Analyzing in the Preprocessors 185
Evaluating against the Detection Engine 185
Logging and Alerting 186
The Event Queue 186
Thresholds 187
Suppression 188
Tagging 188
Inside the Detection Engine 189
Rule Options 189
The Content Option 190
The bytejump and bytetest Options 190
The PCRE Option 191
The flowbits Option 191
The Pattern-Matching Engine 192
Building the Pattern Matcher 192
Performance of the Different Algorithms 193
The Dynamic Detection Engine 196
Using the Engine 196
Configuring the Engine 197
Stub Rules 198
The Dynamic Detection API 198
The Rule Structure 198
The Rule Options 200
Dynamic Detection Functions 209
Writing a Shared Object Rule 210
Creating the Module Framework 211
A Simple Shared Object Rule 214
The Rule Evaluation Function 219
Summary 221
Solutions Fast Track 221
Frequently Asked Questions 223
Chapter 6 Preprocessors 225
Introduction 226
What Is a Preprocessor? 226
Preprocessor Options for Reassembling Packets 227
The frag2 Preprocessor 228
Configuring frag2 229
frag2 Output 230
The frag3 Preprocessor 231
Configuring frag3 233
frag3 Output 236
The flow Preprocessor 236
Configuring flow 236
The stream4 Preprocessor 237
TCP Statefulness 238
Configuring stream4 for Stateful Inspection 241
Session Reassembly 247
A Summary of the State Preprocessors 251
Preprocessor Options for Decoding and Normalizing Protocols 251
The Application Preprocessors 251
Telnet Negotiation 252
Configuring the telnet_decode Preprocessor 252
telnet_decode Output 252
HTTP Inspect 253
Hex Encoding (IIS and Apache) 254
Double Percent Hex Encoding 254
First Nibble Hex Encoding 254
Second Nibble Hex Encoding 254
Double Nibble Hex Encoding 254
UTF-8 Encoding 255
UTF-8 Barebyte Encoding 255
Microsoft %U Encoding 255
Mismatch Encoding 255
Request Pipelining 255
Parameter Evasion Using POST and Content-Encoding 256
Base 36 Encoding 256
Multislash Obfuscation 256
IIS Backslash Obfuscation 256
Directory Traversal 256
Tab Obfuscation 257
Invalid RFC Delimiters 257
Non-RFC Characters 257
Webroot Directory Transversal 257
HTTP-Specific IDS Evasion Tools 258
Using the http_inspect Preprocessor 259
Configuring the http_inspect Preprocessor 259
http_inspect Output 264
rpc_decode 265
Configuring rpc_decode 265
rpc_decode Output 267
Preprocessor Options for Nonrule or Anomaly-Based Detection 267
sfPortscan 267
sfPortscan Configuration 267
sfPortscan Tuning 269
Back Orifice 271
Configuring the Back Orifice Preprocessor 272
Performance Monitoring 272
Configuring the Performance Monitoring Preprocessor 272
Configuring the Rule Performance Monitor 274
Rule Profiling 274
Preprocessor Profiling 276
Dynamic Preprocessors 277
SMTP Dynamic Preprocessor 277
Examples 280
SMTP Output 281
FTP_Telnet Dynamic Preprocessor 282
DNS Preprocessor Configuration 287
Experimental Preprocessors 288
arpspoof 288
Summary 290
Solutions Fast Track 291
Frequently Asked Questions 292
Chapter 7 Playing by the Rules 295
Introduction 296
What Is a Rule? 296
Where Can I Get Rules? 297
What Can I Do with Rules? 299
What Can’t I Do with Rules? 300
Understanding Rules 302
Parts of a Rule: Headers 302
Actions 302
Protocols 303
Variables 304
Ports 304
Parts of a Rule: Options 305
Rule Title 306
Flow 306
Content 307
Parts of a Rule: Metadata 310
Reference 311
Classtype 312
Sid 312
Rev 313
Other Advanced Options 314
Flowbits 314
Bytetest and Bytejump 315
PCRE 315
Ordering for Performance 317
Anchors 317
Thresholding 318
Suppression 320
Packet Analysis 321
Rules for Vulnerabilities, Not Exploits 321
A Rule: Start to Finish 322
Rules of Note 326
Stupid Rule Tricks 329
Keeping Rules Up to Date 332
Updating Rules 333
Managing Rules the ‘Hard’ Way 335
Why Do I Need to Keep My Rules up to Date? 335
Summary 340
Solutions Fast Track 340
Frequently Asked Questions 341
Chapter 8 Snort Output Plug-Ins 343
Introduction 344
What Is an Output Plug-In? 345
Key Components of an Output Plug-In 346
Exploring Snort’s Output Plug-In Options 347
Default Logging 348
SNMP Traps 352
XML Logging 353
Syslog 354
SMB Alerting 358
pcap Logging 358
Snortdb 360
Unified Logs 367
Why Should I Use Unified Logs? 368
What Do I Do with These Unified Files? 369
Writing Your Own Output Plug-In 370
Why Should I Write an Output Plug-In? 370
Setting Up Your Output Plug-In 372
Creating Snort’s W3C Output Plug-In 375
Minimum Functions Required 376
Creating the Plug-In 377
Running and Testing the Snort W3C Output Plug-In 392
Dealing with Snort Output 393
Troubleshooting Output Plug-In Problems 396
Add-On Tools 398
Barnyard 399
Cerebus 400
Mudpit 401
Summary 406
Solutions Fast Track 407
Frequently Asked Questions 408
Chapter 9 Exploring IDS Event Analysis, Snort Style 411
Introduction 412
What Is Data Analysis? 412
Data Sources 415
Events of Interest 419
Evidence Gathering 421
Data Analysis Tools 423
Database Front Ends 423
BASE 423
SGUIL 443
Installing SGUIL 444
Step 1: Create the SGUIL Database 444
Step 2: Installing Sguild, the Server 446
Step 3: Install a SGUIL Client 448
Step 4: Install SANCP 448
Step 5: Install the Sensor Scripts 449
Using SGUIL 450
Data Processing Scripts 453
Snort_stat.pl 453
SnortSnarf 456
SnortALog 461
Visualization Tools 462
EtherApe 463
Shoki–Packet Hustler 464
AfterGlow 466
Real-Time Monitoring Tools 470
Swatch 470
Tenshi 473
Pig Sentry 476
Analyzing Snort Events 476
Finding Events of Interest 476
Visualization 479
Correlating Snort Events 480
Web Server Correlation 484
Simple Event Correlator 485
Free Security Information Management Tools 487
Commercial Correlation Solutions 489
Reporting Snort Events 490
Summary 493
Solutions Fast Track 494
Frequently Asked Questions 496
Chapter 10 Optimizing Snort 499
Introduction 500
How Do I Choose the Hardware to Use? 500
What Constitutes “Good” Hardware? 502
Processors 502
RAM Requirements 503
Storage Medium 504
The Network Interface Card 505
Location: Tap vs Span Ports 506
How Do I Test My Hardware? 507
How Do I Choose the Operating System to Use? 509
What Makes a “Good” OS for an NIDS? 509
What OS Should I Use? 514
How Do I Test My OS Choice? 514
Speeding Up Snort 516
The Initial Decision 516
Deciding Which Rules to Enable 517
Notes on Pattern Matching 520
Configuring Preprocessors for Speed 520
Choosing an Output Plug-In 522
Cranking Up the Database 523
MySQL vs PostgreSQL 524
Benchmarking and Testing the Deployment 526
Benchmark Characteristics 527
Attributes of a Good Benchmark 527
Attributes of a Poor Benchmark 528
What Options Are Available for Benchmarking? 528
IDS Informer 529
IDS Wakeup 533
Sneeze 535
TCPReplay 536
Binary Code 541
THC’s Netdude 541
Other Packet-Generation Tools 545
Additional Options 547
Stress Testing the Pig! 548
Stress Tests 548
Individual Snort Rule Tests 549
Berkeley Packet Filter Tests 550
Tuning Your Rules 550
Summary 551
Solutions Fast Track 552
Frequently Asked Questions 554
Chapter 11 Active Response 557
Introduction 558
Active Response versus Intrusion Prevention 558
Response Methods Based on Layers 559
Attack Response Based on IDS Alerts 561
SnortSam 562
Fwsnort 562
snort_inline 563
Attack and Response 563
SnortSam 570
Installation 571
Architecture 572
Snort Output Plug-In 572
Blocking Agent 573
SnortSam Configuration Options 574
SnortSam in Action 575
WWWBoard passwd.txt Access Attack 578
NFS mountd Overflow Attack 583
Fwsnort 586
Installation 587
Configuration 588
Execution 591
WWWBoard passwd.txt Access Attack (Revisited) 593
NFS mountd Overflow Attack (Revisited) 602
snort_inline 604
Installation 606
Compilation Steps for Bridging Linux Kernel 606
Configuration 608
Architecture 610
Web Server Attack 611
NFS mountd Overflow Attack 614
Summary 617
Solutions Fast Track 617
Frequently Asked Questions 619
Chapter 12 Advanced Snort 621
Introduction 622
Monitoring the Network 622
VLAN 622
Configuring Channel Bonding for Linux 623
Snort Rulesets 624
Plug-Ins 628
Preprocessor Plug-Ins 629
Detection Plug-Ins 636
Output Plug-Ins 637
Snort Inline 638
Solving Specific Security Requirements 638
Policy Enforcement 638
Catching Internal Policy Violators 639
Banned IP Address Watchlists 639
Network Operations Support 639
Forensics and Incident Handling 639
Summary 642
Solutions Fast Track 642
Frequently Asked Questions 644
Chapter 13 Mucking Around with Barnyard 645
Introduction 646
What Is Barnyard? 647
Understanding the Snort Unified Files 647
Unified Alert Records 648
Unified Log Records 651
Unified Stream-Stat Records 652
Installing Barnyard 653
Downloading 654
Building and Installing 654
Configuring Barnyard 656
The Barnyard Command-Line Options 657
The Configuration File 661
Configuration Directives 662
Output Plug-In Directives 664
Understanding the Output Plug-Ins 664
alert_fast 665
alert_syslog 669
alert_syslog2 671
log_dump 675
log_pcap 678
acid_db 679
sguil 681
Running Barnyard in Batch-Processing Mode 681
Processing a Single File 682
Using the Dry Run Option 683
Processing Multiple Files 685
Using the Continual-Processing Mode 686
The Basics of Continual-Processing Mode 686
Running in the Background 687
Enabling Bookmark Support 688
Only Processing New Events 689
Archiving Processed Files 689
Running Multiple Barnyard Processes 690
Signal Handling 690
Deploying Barnyard 691
Remote Syslog Alerting 691
Database Logging 693
Extracting Data 695
Real-Time Console Alerting 696
Writing a New Output Plug-In 697
Implementing the Plug-In 698
Setting Up the Source Files 698
Writing the Functions 700
Adding the Plug-In to op_plugbase.c 706
Finishing Up 707
Updating Makefile.am 707
Building Barnyard 708
Real-Time Console Alerting Redux 708
Secret Capabilities of Barnyard 709
Summary 710
Solutions Fast Track 710
Frequently Asked Questions 714
Index 717
Foreword

Snort Intrusion Detection and Prevention Toolkit is one of the most important books on information security; that is, if you not only read the book, but also put the knowledge into practice. There is an increasing and troubling gap between the people who manage by security policy frameworks and the people who actually know how to create security. The pragmatics of information security are becoming lost. There are books about things and books on how to do things. This is a book on how to do things. If you are reading this foreword, this may be your moment to decide whether you want to hide behind policy and 10 domains or actually learn security. If you decide to try the policy route, expect to become increasingly irrelevant as the years go by. Information security is like everything else in life; you will receive in proportion to what you give.

There are two basic skills a professional must have to avoid being impotent as a security practitioner: understanding the network traffic entering, leaving, and within your network; and understanding how a system must be configured so that it can operate safely while attached to a network. Whether you are in the trenches as a technical worker, or even if you are a manager, if you lack either of those skills at the appropriate level, you are faking it and hoping you aren’t held accountable. I teach a successful security course for managers for the SANS Institute, and we have a section of the course called “Packet Reading for Managers.” We are teaching managers up to the Vice President level to read and understand critical fields in a packet that any good network analyst should understand. They aren’t learning this so that they can run around reading packets; they are becoming equipped to hire employees who can actually do the work. Snort Intrusion Detection and Prevention Toolkit is a great book, and it can teach you the core network traffic acquisition and analysis skills; this is a tested and proven guide to operate Snort. At one point, the creator of Snort, Marty Roesch, referred to Snort as a lightweight intrusion detection system; however, times change. In addition to being a powerful sniffer and rule-based IDS, Snort also has a large family of supporting tools. Snort and friends will give you the capability to understand the traffic entering and leaving your network if you are willing to master the skills needed.

The book teaches the fundamentals of the network-analysis craft, how to install Snort, configuration of the machine to get maximum value, the architectural issues to consider when deploying this capability, and tuning the rules to get the results you need, and how to test to make sure it is operating in the manner you need it to operate. Guess what! You have made it through only Chapter 4. Now that you have an operational Snort box, you are ready to begin Chapter 5: “Inner Workings.” There are probably fewer than 2,000 truly skilled analysts on the planet. If you can master this chapter, you can become one of them. So plan some quiet time. Work with a buddy, join a mailing list, and don’t give up if you hit a hard spot. Truly own this knowledge.

There is no point covering the rest of the material in the book in depth; you have a table of contents for that. What I want you to know is that you are not in for fluff. You will learn to write rules and to configure preprocessors and plugins. Then, you will begin your analysis journey in Chapter 9. I look forward to reading about your novel detects on the Internet Storm Center.

I applaud the author team of Toby Kohlenberg, Jay Beale, Raven Alder, Chad Keefer, Andrew Baker, Matt Jonkman, Joel Esler, James Foster, Raffy Marty, Eric Seagren, and Skip Carter. Writing a book is hard work, and I know they have a sense of mission to relay the importance of passing on the craft. You are coming to the end of this foreword. What have you decided? If you plan to devote yourself to the craft, please allow the authors and me to welcome you to the community. I love the years that I have worked with the network analysis community as a practitioner and now a bit more as a leader that makes opportunities for others. The willingness to give and share in this fairly small group has always impressed me. Take Snort Intrusion Detection and Prevention Toolkit home with you; don’t let it languish on the shelf. Let it be your friend and guide; you will be glad you did.

—Stephen Northcutt
President, The SANS Technology Institute,
a postgraduate information security college
Chapter 1
Intrusion Detection Systems

Solutions in this chapter:
■ What Is Intrusion Detection?
■ How an IDS Works
■ Why Are Intrusion Detection Systems Important?
■ What Else Can You Do with Intrusion Detection Systems?
■ What About Intrusion Protection?

Summary
Solutions Fast Track
Frequently Asked Questions
The principle of intrusion detection isn’t new. Whether it’s car alarms or closed-circuit televisions, motion detectors or log analyzers, many folks with assets to protect have a vested interest in knowing when unauthorized persons are probing their defenses, sizing up their assets, or running off with crucial data. In this book, we’ll discuss how the principles of intrusion detection are implemented with respect to computer networks, and how using Snort can help overworked security administrators know when someone is running off with their digital assets.

All right, this might be a bit dramatic for a prelude to a discussion of intrusion detection, but most security administrators experience a moment of anxiety when a beeper goes off. Is this the big one? Did they get in? How many systems could have been compromised? What data was stored on or accessible by those systems? What sort of liability does this open us up to? Are more systems similarly vulnerable? Is the press going to have a field day with a data leak?

These and many other questions flood the mind of the well-prepared security administrator. On the other hand, the ill-prepared security administrator, being totally unaware of the intrusion, experiences little anxiety. For him, the anxiety comes later.

Okay, so how can a security-minded administrator protect his network from intrusions? The answer to that question is quite simple. An intrusion detection system (IDS) can help to detect intrusions and intrusion attempts within your network, allowing a savvy admin to take appropriate mitigation and remediation steps. A pure IDS will not prevent these attacks, but it will let you know when they occur.
What Is Intrusion Detection?
Webster’s defines an intrusion as “the act of thrusting in, or of entering into a place or state without invitation, right, or welcome.” When we speak of intrusion detection, we are referring to the act of detecting an unauthorized intrusion by a computer on a network. This unauthorized access, or intrusion, is an attempt to compromise, or otherwise do harm to, other network devices.

A body of American legislation surrounds what counts as a computer intrusion, but although the term computer intrusion is used to label the relevant laws, there is no single clear and useful definition of a computer intrusion. Title 18, Part I, Chapter 47, § 1030 of the United States Criminal Code for fraud and related activities in connection with computers contains several definitions of what constitutes a fraudulent criminal computer intrusion. “Knowingly accessed a computer without authorization or exceeding authorized access” is a common thread in several definitions. However, all the definitions go on to further require theft of government secrets, financial records, government data, or other such things. “Knowingly accessed without authorization or exceeding authorized access” doesn’t appear to be enough in and of itself. There is also a lack of legislative clarity regarding what “access” is. For example, a portscan gathers data about which ports on the target computer are listening, but does not attempt to use any services. Nevertheless, some people argue that this constitutes accessing those services. A security scanner such as Nessus or Retina may check the versions of listening services and compare them against a database of known security vulnerabilities. This is more intrusive than a simple portscan, but merely reports the presence of vulnerabilities rather than actually exploiting them. Is this accessing the service? Should it count as an intrusion? Finally, there are the blatant cases where the system is actually compromised. Most people would agree that this counts as an intrusion. For our purposes, we can define an intrusion as an unwanted and unauthorized intentional access of computerized network resources.
An IDS is the high-tech equivalent of a burglar alarm, one that is configured to monitor information gateways, hostile activities, and known intruders. An IDS is a specialized tool that knows how to parse and interpret network traffic and/or host activities. This data can range from network packet analysis to the contents of log files from routers, firewalls, and servers, local system logs and access calls, network flow data, and more. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automated actions ranging from shutting down Internet links or specific servers to launching back-traces, and make other active attempts to identify attackers and collect evidence of their nefarious activities.
By analogy, an IDS does for a network what an antivirus software package does for files that enter a system: it inspects the contents of network traffic to look for and deflect possible attacks, just as an antivirus software package inspects the contents of incoming files, e-mail attachments, active Web content, and so forth to look for virus signatures (patterns that match known malware) or for possible malicious actions (patterns of behavior that are at least suspicious, if not downright unacceptable).
To be more specific, intrusion detection means detecting unauthorized use of or attacks upon a system or network. An IDS is designed and used to detect such attacks or unauthorized use of systems, networks, and related resources, and then in many cases to deflect or deter them if possible. Like firewalls, IDSes can be software-based or can combine hardware and software in the form of preinstalled and preconfigured stand-alone IDS devices. IDS software may run on the same devices or servers where firewalls, proxies, or other boundary services operate, though separate IDS sensors and managers are more popular. Nevertheless, an IDS not running on the same device or server where the firewall or other services are installed will monitor those devices with particular closeness and care. Although such devices tend to be deployed at network peripheries, IDSes can detect and deal with insider attacks as well as external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.
You are likely to encounter several kinds of IDSes in the field. First, it is possible to distinguish IDSes by the kinds of activities, traffic, transactions, or systems they monitor. IDSes that monitor network links and backbones looking for attack signatures are called network-based IDSes, whereas those that operate on hosts and defend and monitor the operating and file systems for signs of intrusion are called host-based IDSes. Groups of IDSes functioning as remote sensors and reporting to a central management station are known as distributed IDSes (DIDSes). A gateway IDS is a network IDS deployed at the gateway between your network and another network, monitoring the traffic passing in and out of your network at the transit point. IDSes that focus on understanding and parsing application-specific traffic with regard to the flow of application logic as well as the underlying protocols are often called application IDSes.
In practice, most commercial environments use some combination of network-, host-, and/or application-based IDSes to observe what is happening on the network while also monitoring key hosts and applications more closely. IDSes can also be distinguished by their differing approaches to event analysis. Some IDSes primarily use a technique called signature detection. This resembles the way many antivirus programs use virus signatures to recognize and block infected files, programs, or active Web content from entering a computer system, except that it uses a database of traffic or activity patterns related to known attacks, called attack signatures. Indeed, signature detection is the most widely used approach in commercial IDS technology today.

Another approach is called anomaly detection. It uses rules or predefined concepts about “normal” and “abnormal” system activity (called heuristics) to distinguish anomalies from normal system behavior and to monitor, report, or block anomalies as they occur. Some anomaly detection IDSes implement user profiles. These profiles are baselines of normal activity and can be constructed using statistical sampling, rule-based approaches, or neural networks.
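The two analysis approaches just contrasted, side by side, as an added example in Python; this is illustration code, not code from the book or from Snort. The signature side matches constructed rules against constructed sample packets in the spirit of a Snort content match; the anomaly side learns a baseline of normal connection counts by statistical sampling and flags intervals that deviate from it. The Packet type, the rule fields, the sample packets, the count windows and the z-score threshold are all assumptions made for the demo.

```python
"""Signature detection versus anomaly detection, in miniature.

Added example for illustration; it is not code from the book or from Snort.
The Packet type, the rule fields, the sample packets, the connection counts
and the z-score threshold are all constructed for this demo.
"""
import statistics
from dataclasses import dataclass


@dataclass
class Packet:
    """Minimal stand-in for a decoded network packet (constructed type)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed "attack signatures" in the spirit of a Snort content match:
# a rule fires when the destination port matches and the content bytes
# appear anywhere in the payload.  These are demo rules, not real Snort rules.
SIGNATURES = [
    {"sid": 1000001, "dport": 80, "content": b"../../",
     "msg": "DEMO HTTP directory traversal attempt"},
    {"sid": 1000002, "dport": 80, "content": b"/bin/sh",
     "msg": "DEMO shell reference in HTTP request"},
]

# Constructed sample traffic: one benign page fetch, one request carrying
# the traversal pattern, and one SSH banner on a port no rule watches.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("10.0.0.9", "192.0.2.10", 80,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"),
    Packet("10.0.0.5", "192.0.2.10", 22, b"SSH-2.0-OpenSSH\r\n"),
]


def signature_detect(packets, signatures=SIGNATURES):
    """Return one (sid, msg, src) alert per packet/rule pair that matches.

    Only patterns already in the rule set can be detected: a novel attack
    with no signature passes silently, which is the limitation the text
    contrasts with anomaly detection.
    """
    alerts = []
    for pkt in packets:
        for rule in signatures:
            if pkt.dport == rule["dport"] and rule["content"] in pkt.payload:
                alerts.append((rule["sid"], rule["msg"], pkt.src))
    return alerts


# Constructed per-interval connection counts.  The first list is a training
# window of known-normal traffic; the second is a live window with a spike.
NORMAL_CONNECTION_COUNTS = [40, 42, 38, 41, 39, 43, 40, 37]
OBSERVED_CONNECTION_COUNTS = [41, 39, 120, 40]


def build_baseline(counts):
    """Learn a baseline (mean, population stdev) by statistical sampling
    of a window of normal activity; this is the "profile" idea in the text."""
    return statistics.mean(counts), statistics.pstdev(counts)


def anomaly_detect(baseline, counts, threshold=3.0):
    """Flag every interval whose count lies more than `threshold` standard
    deviations from the baseline mean (a simple z-score heuristic).

    Returns (interval_index, count, z_score) tuples.  A zero-variance
    baseline is handled explicitly so the division cannot blow up.
    """
    mean, stdev = baseline
    anomalies = []
    for index, count in enumerate(counts):
        if stdev == 0:
            z = 0.0 if count == mean else float("inf")
        else:
            z = (count - mean) / stdev
        if abs(z) > threshold:
            anomalies.append((index, count, round(z, 2)))
    return anomalies


if __name__ == "__main__":
    for sid, msg, src in signature_detect(SAMPLE_PACKETS):
        print(f"[signature] sid={sid} src={src} {msg}")
    baseline = build_baseline(NORMAL_CONNECTION_COUNTS)
    for index, count, z in anomaly_detect(baseline, OBSERVED_CONNECTION_COUNTS):
        print(f"[anomaly] interval={index} count={count} z={z}")
```

Run as a script it prints one signature alert for the second packet and one anomaly for the spike interval. The signature side fires only on patterns it already knows, so its alerts are precise and low-noise but blind to anything new; the anomaly side fires on the spike regardless of what caused it, at the cost of a threshold that has to be tuned to the site’s own normal variance, which is the trade-off the text draws between the two approaches.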
Hundreds of vendors offer various forms of commercial IDS implementations. Most effective solutions combine network- and host-based IDS implementations. Likewise, the majority of implementations are primarily signature-based, with only limited anomaly-based detection capabilities present in certain specific products or solutions. Finally, most modern IDSes include some limited automatic response