Configuring the Authentication Method
When Outlook logs on to the Exchange server, the Exchange server instructs the Outlook client to authenticate with an Active Directory domain controller. The problem is that you do not want to open the ports responsible for authentication through the ISA server. To get around this problem, you can configure the Exchange server to perform authentication on behalf of the Outlook client.
To configure the Exchange server to proxy authentication requests for the Outlook client, navigate to the following Registry key:
Note that the value does have spaces in it. At first we thought that this might have been a typo, but we confirmed that the spaces should be included. After adding the value, restart the Exchange server. Note that you do not need to add this value if the Exchange server is also a domain controller.
Clients Behind NAT Servers/ISA Servers
If the Outlook client is behind a NAT server or an ISA server, it will not be able to receive new mail notification requests. The reason is that these new mail notification requests are not part of the existing RPC connection between Outlook and the Exchange server. The NAT server and ISA server drop the packet because the new mail notification message is seen as an unsolicited inbound request.
This doesn’t mean that you won’t ever get any new mail. If you send mail to the Exchange server, a new mail notification message is sent through the active RPC channel between the Outlook client and the Exchange server when the message is sent. However, RPC wasn’t designed for use over the Internet. If there is an error in any of the RPC packets carrying the new mail notification, the notification message will not go through. You can get around this by forcing synchronization with the F9 key in Outlook 2000, or set up the Exchange account to carry out an automatic send/receive every few minutes in Outlook 2002. The exception to this is when you encrypt the data connection between Outlook and the Exchange server. In that case, e-mail notification never works, and you have to click on a folder to initiate the connection.
The good news is that everything else works fine when Outlook is behind the NAT server. If you use the Windows 2000 RRAS NAT, no further configuration is required for the NAT routing protocol. If there is an ISA server in front of the Outlook client, you will need to configure an RPC protocol definition and configure the client as a Firewall client. You must use the Firewall client configuration because SecureNAT clients do not support secondary connections.
You need to create the following protocol definition (Figure 28.17):
■ Primary connection: TCP 135 Outbound
■ Secondary connections: TCP 1025-65534 Outbound

The initial connection takes place on TCP 135. The remote ISA server (the one publishing the Exchange server) sends back to the local ISA server (the one in front of the Outlook client) the port number that the Outlook client needs for subsequent requests. Since this new outgoing connection is part of the original RPC conversation, a secondary connection to an ephemeral (high-number) port is required outbound from the local ISA server to the remote ISA server. Once you create the RPC protocol definition, create a protocol rule using this protocol definition.
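To make the secondary-connection requirement concrete, here is an added Python model (constructed for this page, not ISA Server code) that plays through the exchange just described: the primary connection to TCP 135 is allowed by the protocol definition, the remote side announces a dynamic port, and the follow-up connection to that port is allowed only because it belongs to the same RPC conversation. The addresses, the dynamic port 4000 and the verdict strings are assumptions; the SecureNAT client's failure shows up as the dropped follow-up connection.

```python
"""Stateful model of the outbound RPC protocol definition described above.

Added, constructed illustration, not ISA Server code. It models the decision a
stateful firewall makes for Outlook's RPC traffic: the primary connection to the
endpoint mapper (TCP 135) is allowed by the rule, the server's reply names a
dynamic port, and the follow-up connection to that port is allowed only as a
secondary connection of the same conversation. A client type that cannot use
secondary connections (the SecureNAT case in the text) has that follow-up
connection dropped. Addresses and the dynamic port are constructed values.
"""
from dataclasses import dataclass, field

PRIMARY_PORT = 135                    # RPC endpoint mapper, the primary connection
SECONDARY_PORTS = range(1025, 65535)  # TCP 1025-65534, the secondary connection range


@dataclass
class RpcProtocolRule:
    """Outbound RPC protocol definition plus the conversation state the firewall keeps."""
    primary_port: int = PRIMARY_PORT
    secondary_ports: range = SECONDARY_PORTS
    # (client, server) -> dynamic port announced by the endpoint mapper, None until it answers
    sessions: dict = field(default_factory=dict)

    def outbound(self, client: str, server: str, dst_port: int, supports_secondary: bool) -> str:
        """Decide one outbound TCP connection attempt; returns the firewall's verdict."""
        key = (client, server)
        if dst_port == self.primary_port:
            self.sessions[key] = None           # primary connection opened; no port announced yet
            return "allow-primary"
        announced = self.sessions.get(key)
        if announced is None or dst_port != announced:
            return "drop-unsolicited"           # not tied to an existing RPC conversation
        if not supports_secondary:
            return "drop-no-secondary"          # SecureNAT-style client cannot follow the conversation
        if dst_port not in self.secondary_ports:
            return "drop-out-of-range"          # announced port lies outside the definition
        return "allow-secondary"

    def server_announces(self, client: str, server: str, dyn_port: int) -> None:
        """Record the port the endpoint mapper told the client to use next."""
        if (client, server) in self.sessions:
            self.sessions[(client, server)] = dyn_port


def walk_through(supports_secondary: bool) -> list:
    """Replay the exchange for one client type and return the verdicts in order."""
    rule = RpcProtocolRule()
    client, server = "10.0.0.5", "203.0.113.10"   # constructed: Outlook client, published Exchange address
    verdicts = [rule.outbound(client, server, PRIMARY_PORT, supports_secondary)]
    rule.server_announces(client, server, 4000)    # constructed dynamic port from the mapper's reply
    verdicts.append(rule.outbound(client, server, 4000, supports_secondary))
    # A connection to some other high port is not part of the conversation and stays blocked
    verdicts.append(rule.outbound(client, server, 5000, supports_secondary))
    return verdicts


if __name__ == "__main__":
    print("Firewall client: ", walk_through(True))
    print("SecureNAT client:", walk_through(False))
```

The third verdict in each run is the point of the secondary-connection design: the firewall does not open the whole 1025-65534 range, it opens only the one port the existing conversation announced.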
Creating the Exchange RPC Server Publishing Rule
The Exchange RPC server publishing rule uses a protocol definition provided by the RPC application filter. If you disable the application filter, you lose the protocol definition. Perform the following steps to create the server publishing rule:
1 In the ISA Management Console, expand the server or array name and the Publishing node.
2 Right-click the Server Publishing Rules node and select New | Rule.
3 On the page, enter a name for the rule and click Next.
4 On the Address Mapping page, enter the IP address of the internal Exchange server and the IP address on the external interface you want external network clients to use to access the Exchange server. Click Next.
5 On the Protocol Settings page, select the Exchange RPC Server rule and click Next.
6 On the Client Type page, select Any Request and click Next (it’s unlikely you’ll be able to identify a client address set to assign the external Outlook clients).
7 On the final page of the wizard, click Finish.

The rule will take effect soon after you click Finish. If you want the rule to apply right away, restart the Firewall service.
Figure 28.17 Outbound RPC Protocol Definition
Configuring the Outlook client is beyond the scope of this book, and the procedures vary depending on the version of Outlook you’re configuring. Both Outlook 2000 and Outlook 2002 (XP) can use the Exchange RPC publishing rule to access the Exchange server on the internal network. It is important to note that you can force the client to use an encrypted RPC connection when connecting to the ISA server.
There is one drawback to using an encrypted channel: you will never receive notifications of new e-mail. In fact, you won’t receive notification of new e-mail even if you schedule an automatic Send/Receive or press F9, depending on the version of Outlook. To receive new e-mail notification messages, you must click on an existing message or folder to initiate a connection with the Exchange server.
If you are using Outlook 2000, do not install Office Service Pack 2. There appears to be an undocumented issue preventing Outlook 2000 SP2 clients from connecting to an Exchange 2000 server published using the RPC server publishing rule. This problem appears to be specific to the server publishing rule, because if you bring the client onto the internal network, you can log on to the Exchange server without problems.
Publishing Outlook Web Access on the Internal Network Exchange Server
The same procedures used to publish OWA on the ISA server are used when you publish OWA on the internal network Exchange server. The only difference is that you don’t need to worry about disabling socket pooling on the ISA server because you’ll choose to disable the IIS W3SVC on the ISA server for security purposes.
As a review, here are the basic procedures required to publish the OWA site on the internal network Exchange server:
■ Configure the OWA Web site on the Exchange server. Configure folder permissions, obtain and assign a certificate for the Web site, configure a port for SSL connections on the default Web site, and configure the sites to require an SSL connection.
■ Configure the Incoming Web Requests listener on the ISA server. Create the individual listener, export the OWA Web site certificate and import it into the ISA Server’s machine certificate store, and bind the certificate to the Incoming Web Requests listener.
■ Create the Web publishing rule. Create the destination set used for the OWA Web publishing rule, create the Web publishing rule, and configure the rule to bridge SSL connections as SSL.
■ Configure the OWA client Web browser. Improve performance for the OWA client by installing a client certificate on all browser clients.
For details of this configuration, check the relevant sections on how to publish OWA on the ISA server. The only difference is that you use the internal IP address of the Exchange server rather than the IP address of the internal interface of the ISA server for the redirect.
NOTE
There is a good chance that by the time you read this book, Microsoft will have released the ISA Server Feature Pack. One of the features included in the major update to ISA Server is an Outlook Web Access Publishing Wizard. The wizard will greatly simplify publishing of OWA sites. However, like all wizards, it will have its limitations. Check www.isaserver.org/shinder for updates on this feature of the ISA Server Feature Pack and other important ISA Server news and articles.
Message Screener on the Internal Network Exchange Server
You can install the Message Screener on the internal network Exchange server. The difference between the installations is that when the Message Screener is on the ISA server, the entire ISA Server software package is installed on the ISA/Exchange Server computer. In contrast to the “all but the kitchen sink” approach we covered earlier, when the Exchange server is on a dedicated server, all you need to install is the SMTP Message Screener. You don’t need to install any other component of the ISA Server software.
Run the ISA Server installation program as you usually would to install only the Message Screener component on the internal network Exchange server. Select the Custom installation option and then deselect the ISA Services and Administration tools options in the Custom Installation dialog box (Figure 28.18).

Figure 28.18 The Custom Installation Dialog Box

Select the Add-in services option and click Change Option. Remove the Install H.323 option. Make sure that the Message Screener option is selected and complete the installation on the Exchange server computer. You won’t see any new configuration interfaces or Start menu items related to the Message Screener on the Exchange server. Configuration of the Message Screener is done via the SMTP filter on the ISA server.
The next step is to configure credentials that the Message Screener software will use to communicate with the SMTP application filter on the ISA server. Credentials are configured using the SMTPCRED tool, which is installed in the Program Files\Microsoft ISA Server folder on the Exchange server’s hard disk after running the Message Screener installation.

Open the SMTPCRED tool by double-clicking it. In the Message Screener Credentials dialog box (Figure 28.20), enter your ISA server name, the Username of the person who installed the ISA server, the Domain to which that user account belongs, and the Password of that user. Note that you do not need to use the credentials of the user who installed the ISA server, but it does streamline the process and reduces troubleshooting issues encountered with the Message Screener by an order of magnitude. Click OK after entering the information.
Figure 28.19 Selecting the Message Screener
Figure 28.20 The SMTPCRED Tool
The last thing is to configure DCOM permissions. The Message Screener communicates with the SMTP application filter via DCOM. While this isn’t an issue when the ISA server and the Exchange server are on the same machine, it does become an issue when they are on different machines.
Perform the following steps to configure the DCOM permissions:
1 Select Start | Run and type dcomcnfg.exe in the Open text box. Click OK.
2 Click the Applications tab and select VendorData class | Properties (Figure 28.21).
3 On the VendorData Class Properties dialog box, click the Security tab (Figure 28.22). Select the Use custom access permissions option and click Edit.
4 Add the Everyone group by clicking Add and selecting the Everyone group (Figure 28.23). Click OK.
5 Repeat steps #3 and #4 to edit the Use custom launch permissions and Use custom configuration permissions options.
6 Click OK.
7 Restart both the ISA server and the Exchange server. We suggest restarting the ISA

Figure 28.21 The DCOM Configuration Properties Dialog Box
Figure 28.22 The VendorData Class Properties Dialog Box
Figure 28.23 Adding the Everyone Group
The remainder of the configuration is the same as when you run the Message Screener on the ISA/Exchange server computer. You will be able to screen for incoming and outgoing messages, but you will have the same limitations regarding Outlook MAPI clients sending SMTP messages to the Internet. The solution is the same: create a second virtual SMTP server and have the default SMTP virtual server forward mail to the second SMTP virtual server. The Internet-bound messages sent by Outlook clients will be exposed to the SMTP Message Screener when they are forwarded to the second SMTP virtual server.
GFI’s Mail Security and Mail Essentials for SMTP Servers
It’s estimated that spam makes up as much as 20 percent of the total traffic moving through the Internet. Spam clogs e-mail boxes, and contains viruses, worms, and offensive language. Spam fills the massive disks on today’s mail servers and is a public nuisance. Spam can negatively impact your personal and professional life: just think about how many times you’ve accidentally ignored an important message because it got lost in a sea of spam in your inbox.
We don’t have to convince you that something needs to be done about spam. Many network administrators use Real-time Black Hole Lists to automate spam blocking on their networks. The problem with RBLs is they are maintained by third parties. If there is one thing we learned during the dot com bomb, it’s that inappropriate trust in third parties can put your business in jeopardy.
There are several types of RBLs. Legitimate RBLs look for open mail relays on the Internet and blacklist the IP addresses of the open relays. The blacklisting is based on the assumption that eventually, a spammer will find the open relay and use it to send spam. The problem with this approach is that the open relay will be blacklisted even if no spam has ever been sent through it. It’s sort of like the police taking you into custody for a shooting because you have two hands, one of which might have held a gun.
The other type of RBL is based on user reports. One user of the service reports that he received mail that he thinks is spam. That user tells three of his friends to make the same report. BANG! The domain from which the alleged spam is sent is blocked by the RBL. Suppose you send someone an e-mail message inviting him to your birthday party. He didn’t ask for that message, so he reports you as a spammer, and he gets three of his antisocial friends to send in the same report. A couple of days later, you find that some people aren’t getting mail from you. Why? Your domain or account has been blocked by the RBLs that blindly trust user reports.
This type of spam blocking has to be the most egregious form of censorship we’ve seen in decades. Everyone hates spam, we really hate spam, but we hate the idea of a third party censoring what should be sent to our network. That’s our job, our responsibility, and our mail. It’s not the job of some anonymous RBL to decide what’s legitimate.
The SMTP Message Screener goes a long way to resolving the spam problem. You can block mail based on text strings. The problem is that you don’t have much flexibility with the SMTP Message Screener. For example, you can’t:
■ Easily save the keyword entries in the Message Screener
■ Check for e-mail viruses using the Message Screener
■ Check for viruses in e-mail attachments using the Message Screener
■ Import a list of keywords from a text file into the Message Screener
■ Check for non-virus-related e-mail exploits with the Message Screener
■ Check for whole words in the Message Screener (you can only check for text strings)
■ Create conditional content checking rules for e-mail
It’s our opinion that the only valid way to control spam is by using a keyword method. We’ve found that the most effective way to prevent spam from getting to user mailboxes is to create a list of keywords that don’t apply to the legitimate business or personal communications. Using this method, you can control over 99 percent of the spam entering your network.
While the ISA Server SMTP Message Screener is better than nothing, we’ve found that the best tool for this job is GFI Software’s MailSecurity, which can be used to block spam in both small and large organizations. MailSecurity is easy to set up, and you can import your spam filter list easily from a text file. It also detects e-mail viruses and attachments, and auto-updates its virus definition list on a daily basis.
or both inbound and outbound e-mail
We typically install an SMTP relay on all networks that have an Exchange 2000 server. For that reason we consider the SMTP gateway version the best choice. Note that you can use both versions. You can install the SMTP gateway version on your SMTP relay, and you can install the Exchange Server 2000 version on your Exchange server, and you don’t have to buy any more licenses for filtering based on keyword, user, or domain. You do need to pay extra for a maintenance contract and automatic anti-virus updates.
Installing MailSecurity for SMTP Gateways
Installing MailSecurity for SMTP gateways is straightforward:
1 Download the installation file from www.gfi.com/mailsecurity/index.html and run the mailsecurity.exe installation package. The Welcome to the GFI MailSecurity for Exchange/SMTP Installation Wizard page will be displayed (Figure 28.24). Click Next to continue.
2 The License Agreement page appears. Select the I accept the license agreement option and click Next.
3 On the User Information page, enter your name, company name, and serial number (if you have one; otherwise, use Evaluation as your key). Click Next.
4 On the Administrator Email page (Figure 28.25), enter the MailSecurity administrator e-mail address. Notification messages can be sent to the administrator e-mail account you enter here. You can add more administrators or change the one you enter here later. Click Next.
5 On the Destination Folder page, select the location of the program files and click Next.
6 This brings you to the Mail Server page shown in Figure 28.26. If your SMTP relay is on a DMZ segment, enter the IP address on the external interface of the ISA server used by the SMTP server publishing rule that’s publishing the internal network Exchange server. If the SMTP relay is on your internal network, enter the IP address of your Exchange server. The default port TCP 25 will work in the majority of cases. However, if you want MailSecurity to send to an alternate port, just type the alternate port number in the on port text box. The setup program will create a remote domain in the IIS SMTP service for the domain you enter in the Local domain text box. If you are managing multiple mail domains, you should manually create those remote domains after the installation is complete.
7 Click Next to continue.
8 Identify the type of mail server that is running MailSecurity (see Figure 28.27). In this example, we’re installing MailSecurity on an SMTP relay, so the second option is correct. Click Next to continue, and click Next one more time to start installing the application.
9 Click Finish when you get notification that the application has been installed successfully.
10 Open the Internet Information Services console after you’re finished installing MailSecurity. Expand the Default SMTP Virtual Server node and click the Domains node. You’ll see that a new remote domain was created and configured to use your internal mail server as a smart host. If you configure MailSecurity on a DMZ SMTP relay, you’ll see the IP address used on the external interface of the ISA server in your SMTP server publishing rule. If you host multiple mail domains, create a remote domain for each domain you host and have them use your mail server as a smart host. Make sure that your server is not configured as an open relay by setting the appropriate relay settings on the Default SMTP Virtual Server (Figure 28.28).

Figure 28.24 The Welcome Page
Figure 28.25 The Administrator Email Dialog Box
Figure 28.26 The Mail Server Information Page
Figure 28.27 Choosing the Mail Server Type
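Step 10's warning about open relays is worth checking mechanically. The following added Python model (not IIS SMTP or MailSecurity code; domains, addresses and the policy fields are constructed for this page) captures the relay decision a gateway makes for each RCPT TO and probes a policy the way a relay tester would, so the setting is verified from the defender's side before the relay is exposed.

```python
"""Relay-policy check for the gateway SMTP virtual server (added example).

Constructed model, not IIS SMTP or MailSecurity code. At RCPT TO time a relay
should accept mail for the domains it hosts (it forwards those to the smart
host) and relay mail for any other domain only from authorized internal
sources. is_open_relay() probes a policy from the defender's side so that a
misconfiguration is caught before the server goes live. Addresses and domains
are constructed values.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    local_domains: set                                     # domains hosted behind this relay
    relay_networks: list = field(default_factory=list)     # networks allowed to relay anywhere
    relay_from_anyone: bool = False                        # the dangerous "allow all to relay" setting

    def accept_recipient(self, client_ip: str, rcpt: str) -> bool:
        """Would this relay accept RCPT TO:<rcpt> from client_ip?"""
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return True                     # inbound mail for a hosted domain: always accepted
        if self.relay_from_anyone:
            return True                     # open relay: everything else goes through too
        ip = ip_address(client_ip)
        return any(ip in ip_network(net) for net in self.relay_networks)


def is_open_relay(policy: RelayPolicy) -> bool:
    """Probe: an unknown external client sending to an unrelated external domain."""
    return policy.accept_recipient("198.51.100.77", "someone@external-example.net")


def audit(policy: RelayPolicy) -> dict:
    """Summarize the three cases an administrator checks after installation."""
    return {
        "inbound_for_local_domain": policy.accept_recipient("198.51.100.77", "user@example.com"),
        "outbound_from_internal": policy.accept_recipient("10.0.0.5", "friend@external-example.net"),
        "open_relay": is_open_relay(policy),
    }


# Constructed configurations: the safe one and the one step 10 warns against
SAFE = RelayPolicy(local_domains={"example.com"}, relay_networks=["10.0.0.0/8"])
OPEN = RelayPolicy(local_domains={"example.com"}, relay_from_anyone=True)

if __name__ == "__main__":
    print("safe:", audit(SAFE))
    print("open:", audit(OPEN))
```

A correctly configured relay answers True, True, False to the three audit cases; an open relay answers True to all three, which is exactly what the RBLs discussed later in the chapter look for.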
Configuring MailSecurity
1 Select Start | Programs | GFI MailSecurity | MailSecurity Configuration. Figure 28.29 shows all the features in an MMC console.
2 Click the Content Checking node in the left pane, then double-click the Default Content Checking Rule. This is where you create your e-mail content checking rules. You can create rules that look for a particular keyword, or you can create rules based on keywords with conditions. In Figure 28.30, you’ll see some keyword rules that have conditions. For example, we want to block all mail that has the keywords “special offer.” However, we don’t want to block special offers from GFI.
3 Notice that you have the option to check inbound and outbound mails. You can also block PGP encrypted mail. This will prevent mail encrypted with PGP from bypassing your content checking rules. This is a valuable feature, as users might try to use PGP to send out proprietary information about corporate projects. For example, you might be working on a project and use an internal code name for that project. No one on the outside should know the project or its code name. If users sent mail encrypted by PGP, they would get around your keyword filters. You can also check the attachment content. This prevents attachments with forbidden content from reaching users’ mailboxes.
4 You can monitor incoming mail in real time and see what mail was allowed and which ones were caught by the content checking rules. The GFI Monitor (Figure 28.31) shows you mail as it’s being processed.
5 The Moderator Client (Figure 28.32) allows you to see the actual messages caught by the content checking rules. When you double-click the blocked message, you’ll see the reason why the message was caught, some details about the message, and files associated with the message. You can right-click the content file and open the message. Plain text messages are saved as text files, and HTML messages are saved as HTML files. The HTML files are safe to open because dangerous scripts and viruses are removed.

Figure 28.28 Remote Domain Configuration
Figure 28.29 MailSecurity Configuration
Figure 28.30 Configuring Keywords
Figure 28.31 GFI Monitor Displaying Actions in Real Time
6 Click the Attachment Checking node in the left pane, and then double-click on the Default Attachment Checking Rule (Figure 28.33) in the right pane. This option allows you to block attachments for inbound or outbound mail (or both). There’s a built-in list of attachments that can be blocked, and you can easily add your own custom attachments.
7 Now for the best feature of MailSecurity: the virus scanning engines. MailSecurity allows you to scan mail for viruses using multiple scanning engines. If one of the virus scanning engines doesn’t catch a virus, it’ll try again with another scan engine. This provides a high level of security for both incoming and outgoing e-mail. This redundant virus scanning method is unique to MailSecurity.
8 Notice that you have the option to scan inbound mail, outbound mail, or both. You also can block Word documents that have macros. Word macro viruses are a big problem, so blocking them can go a long way toward protecting your users from Word macro exploits. In Figure 28.34, you see the options for automatically downloading and installing virus definition updates.
9 The system automatically downloads virus definitions, and we’ve never had a problem getting them to download from behind the ISA server. The system uses FTP to download the updates, so you need to create an FTP protocol rule to allow the mail server to download the updates. If you run MailSecurity on the ISA server, you’ll need to create packet filters to allow for PORT mode FTP communications between the ISA server and the GFI FTP server (Figure 28.35).
10 Click the E-mail Exploit Engine node in the left pane of the console. In the right pane (Figure 28.36), you’ll see an impressive list of e-mail exploits MailSecurity checks for. The e-mail exploit engine is disabled by default, so you have to right-click the node in the left pane of the console and click Enable. We don’t see any reason not to run the e-mail exploit engine, so we recommend that you always enable it and allow MailSecurity to check for all of the included exploits. If for some reason you need to disable checking for a particular exploit, you can right-click it and click Disable.

Figure 28.32 The Moderator Client
Figure 28.33 Attachment Checking Options
Figure 28.34 The Virus Checking Engines
Figure 28.35 Configuring FTP Virus Definitions Download Options
11 Some e-mails are so obviously spam that you don’t need to ever look at them. This type of blatant spam can be deleted without you ever needing to review it in the Moderator Client console. The Anti-spam feature allows you to enter keywords that are never included in legitimate e-mails. As with the content checking feature mentioned earlier, you can have MailSecurity check the mail body or subject line for these uniquely inappropriate or offensive keywords. When a message matches the keywords in the Anti-Spam dialog box, the mail can be deleted immediately or put in a folder for later checking (Figure 28.37).

For both content checking and anti-spam rules, you can choose what action to take on the e-mail (see Figure 28.38). For the content checking option, you can quarantine the mail, delete it, or move it to a particular folder for evidence collection. You also have the option to notify users that they sent or received a forbidden mail. You can also inform the user’s manager. The manager is defined in the user account properties in the Active Directory.

Figure 28.36 Checking for E-Mail Exploits
Figure 28.37 Whacking Spam with the Anti-Spam Feature
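To show what the keyword rules in steps 2, 3 and 11 and the actions just described amount to, here is an added Python model (constructed for this page, not MailSecurity or Message Screener code). It implements whole-word matching next to plain text-string matching (the limitation listed earlier for the Message Screener, where "free" also hits "freedom"), the "special offer unless it comes from GFI" condition, per-rule actions, and the quarantine of PGP-encrypted bodies; the rule names, domains, the code name "bluebird" and the sample messages are assumptions.

```python
"""Keyword content-checking and anti-spam rules as the text describes them (added example).

Constructed model, not MailSecurity or Message Screener code. It demonstrates
whole-word matching versus plain text-string matching, conditional rules such
as blocking "special offer" unless the sender is GFI, a per-rule action
(quarantine, delete or move), and quarantine of PGP-encrypted bodies, which
cannot be content checked. Domains, messages and keywords are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    direction: str = "inbound"          # "inbound" or "outbound"


@dataclass
class Rule:
    name: str
    keywords: tuple
    action: str = "quarantine"          # quarantine | delete | move
    whole_word: bool = True             # False = plain text-string match
    directions: tuple = ("inbound", "outbound")
    exempt_sender_domains: tuple = ()   # the "unless from ..." condition
    check_subject: bool = True
    check_body: bool = True

    def matches(self, msg: Message) -> bool:
        if msg.direction not in self.directions:
            return False
        if msg.sender.rsplit("@", 1)[-1].lower() in self.exempt_sender_domains:
            return False
        text = "\n".join([msg.subject if self.check_subject else "",
                          msg.body if self.check_body else ""])
        for kw in self.keywords:
            if self.whole_word:
                # word boundaries so "free" does not match "freedom"; keywords may contain spaces
                if re.search(r"(?<!\w)" + re.escape(kw) + r"(?!\w)", text, re.IGNORECASE):
                    return True
            elif kw.lower() in text.lower():
                return True
        return False


PGP_MARKER = "-----BEGIN PGP MESSAGE-----"


def evaluate(msg: Message, rules: list, block_pgp: bool = True) -> tuple:
    """Return (action, reason) for the first rule that fires, or ("deliver", "")."""
    if block_pgp and PGP_MARKER in msg.body:
        return ("quarantine", "pgp-encrypted body cannot be content checked")
    for rule in rules:
        if rule.matches(msg):
            return (rule.action, rule.name)
    return ("deliver", "")


# Constructed rule set mirroring the examples in the text
RULES = [
    Rule("blatant spam", ("make money fast",), action="delete"),        # anti-spam: never legitimate
    Rule("special offer", ("special offer",), exempt_sender_domains=("gfi.com",)),
    Rule("project code name", ("bluebird",), directions=("outbound",), action="move"),
    Rule("free (whole word)", ("free",)),
    Rule("free (text string)", ("free",), whole_word=False, action="move"),
]


def run_samples() -> dict:
    """Evaluate a few constructed messages and return each verdict by sample name."""
    samples = {
        "vendor": Message("sales@gfi.com", "Special offer on licenses", "..."),
        "spam": Message("x@bulk.example", "Special OFFER inside", "..."),
        "leak": Message("alice@example.com", "status", "bluebird ships Friday", direction="outbound"),
        "freedom": Message("bob@news.example", "freedom of the press", "..."),
        "pgp": Message("alice@example.com", "fyi", PGP_MARKER + "\nhQEMA...\n", direction="outbound"),
        "scam": Message("y@bulk.example", "Make Money Fast!!!", "..."),
    }
    return {name: evaluate(m, RULES) for name, m in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:8} -> {verdict}")
```

The "freedom" sample is the one to watch: the whole-word rule lets it through and only the text-string rule (the Message Screener's only mode) catches it, which is the false-positive cost the chapter's list of limitations refers to.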
We have found the performance of MailSecurity acceptable. If you have a large number of rules and enable all the virus engines and exploit checking, it might take a few seconds to evaluate a single e-mail. If you have a busy mail server, you’ll want to make sure to load it up with RAM and a fast processor. However, if you don’t require instantaneous delivery of e-mail from the relay to the main mail server, you’re in good shape. The engine doesn’t choke or die when it’s busy, it just slows. However, all the mail gets checked and cleaned before making its way to your server.

You need to put together a list of keywords that are specific for your organization in order to see the best results with your e-mail checking rules. This can take a week or two. One thing that we find useful is to create a Hotmail account and then subscribe that Hotmail account to a number of different Web sites. You can also post messages to USENET message boards and put that account in the return address. This will get the account quickly subscribed to a large number of spammer lists. You can use the spam sent to your Hotmail inbox for ideas on what keywords to put into the MailSecurity keyword database. If you want to get a head start on your list, check out our list of keywords, which we update weekly, at ftp.tacteam.net/isaserver/spamlist.tx_
Figure 28.38 Deciding What Action to Take with Filtered Mail
In this chapter, we reviewed the techniques used to publish SMTP and Exchange mail services. In the first part, you learned how to publish SMTP and Exchange mail services on the ISA server. Publishing Exchange 2000 services on the ISA server has been a long misunderstood subject that has never, until the publication of this book, been adequately explained to the public. There are a number of procedures you must go through to prevent conflicts among the Exchange services, the ISA server, and the Internet Information Server so that all the services work together and the Exchange services can be published.

We also covered how to publish Exchange mail services on the internal network. The procedures are very similar and in many ways much easier because you don’t need to run IIS services on the ISA server. You can also leverage the automation provided by the Secure Mail Services Wizard to make your server publishing rules and protocol rules. Publishing mail services on the internal network is the preferred configuration because you don’t have to worry about weaknesses in any of the Exchange services compromising your firewall.
Part VI
Intrusion Detection

Chapter 29
Introducing Snort

Best Damn Topics in this Chapter:
■ What Is Snort?
■ Snort System Requirements
■ Exploring Snort’s Features
■ Using Snort on Your Network
■ Security Considerations with Snort
Snort is a full-fledged open-source Network-based Intrusion Detection System (NIDS) that has many capabilities. These capabilities include packet sniffing and packet logging in addition to intrusion detection. In addition to all of the basic Snort features, you can set up Snort to send real-time alerts. This provides you with the ability to receive alerts in real time, rather than having to continuously monitor your Snort system.
An Intrusion Detection System (IDS) is used as a “burglar alarm” for your network or host. If there is an anomaly detected (in the case of Snort, by using signatures), the system administrator is notified in various ways. Those ways include e-mail, network messages (like Windows pop-ups or UNIX write), or the syslog facility.
Snort is like a vacuum that takes particular items (in this case, packets) and allows you to perform different tasks, such as watching the items as they get sucked up (packet sniffer), putting the items into a container (packet logger), or sorting them and determining when a particular item has gone through your NIDS.

So why is Snort so popular? Providing packet sniffing and logging functions is an elementary part of Snort, but Snort’s beefiness comes from its intrusion detection capabilities, which match packet contents to intrusion rules. Snort might be considered a lightweight NIDS. A lightweight IDS is one that has a small footprint and can run on various operating systems (OSs). Additionally, Snort provides functionality previously found only in commercial-grade network IDSs such as Network Flight Recorder (NFR) and ISS RealSecure.
Snort’s popularity runs parallel to the increasing popularity of Linux and other free OSs such as the BSD-based OSs, NetBSD, OpenBSD, and FreeBSD. Just because Snort’s roots are in open source does not mean that it’s not available for other commercial OSs. On the contrary, you can find ports of Snort available for Solaris, HP-UX, IRIX, and even Windows.
Snort is a signature-based IDS, and uses rules to check for errant packets in your network. A rule is a set of requirements that would trigger an alert. For example, one Snort rule to check for peer-to-peer file sharing services checks for the string “GET” not connecting to a service running on port 80. If a packet matches that rule, that packet creates an alert. Once an alert is triggered, the alert can go a number of places, such as a log file, a database, or to an SNMP trap.
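The peer-to-peer rule mentioned above, as an added example (not a rule shipped with Snort and not Snort's engine): a constructed rule in Snort rule syntax that alerts on TCP packets carrying "GET" to any destination port except 80, together with a small Python matcher that handles just enough of the rule language (header fields; single, negated, range and "any" ports; and the content, msg, sid and rev options) to run it over constructed packets. The sid value and the packet contents are assumptions.

```python
"""Simplified Snort-style rule matcher for the example rule in the text (added example).

The rule below is constructed in Snort rule syntax, not shipped with Snort: it
alerts on TCP traffic carrying the string "GET" to a destination port other
than 80, the peer-to-peer check the paragraph describes. The parser handles a
subset of the language only (action, protocol, addresses, single/negated/range/
"any" ports, and the content/msg/sid/rev options); it illustrates signature
matching and is not Snort's engine. Packets are constructed samples.
"""
import re

RULE = ('alert tcp any any -> any !80 '
        '(msg:"Possible P2P: GET outside HTTP port"; content:"GET"; sid:1000001; rev:1;)')

# key:value; pairs, where a value may be a quoted string containing ';' or ':'
_OPTION = re.compile(r'\s*(\w+)\s*:\s*("(?:[^"\\]|\\.)*"|[^;]*);')


def parse_rule(text: str) -> dict:
    """Split a rule into its header fields and its option dictionary."""
    header, _, options = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional rules are supported here")
    opts = {}
    for key, value in _OPTION.findall(options):
        opts[key] = value[1:-1] if value.startswith('"') else value.strip()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": opts}


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, a negated spec ('!80') or a range ('1024:' or '1024:65535')."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not port_matches(spec[1:], port)
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)


def addr_matches(spec: str, addr: str) -> bool:
    """Only 'any' and exact addresses are supported in this subset."""
    return spec == "any" or spec == addr


def matches(rule: dict, pkt: dict) -> bool:
    """Does the packet satisfy every header field and the content option?"""
    if rule["proto"] != "any" and rule["proto"] != pkt["proto"]:
        return False
    if not (addr_matches(rule["src"], pkt["src"]) and port_matches(rule["sport"], pkt["sport"])):
        return False
    if not (addr_matches(rule["dst"], pkt["dst"]) and port_matches(rule["dport"], pkt["dport"])):
        return False
    content = rule["options"].get("content")
    return content is None or content.encode() in pkt["payload"]


def inspect(packets: list, rule_text: str = RULE) -> list:
    """Return the msg text for each packet that triggers the rule, in packet order."""
    rule = parse_rule(rule_text)
    return [rule["options"]["msg"] for p in packets if matches(rule, p)]


# Constructed packets: a P2P-style GET to a high port, a normal web request, and a non-GET flow
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40001, "dst": "203.0.113.9", "dport": 6881,
     "payload": b"GET /files/movie.avi HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40002, "dst": "203.0.113.9", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 40003, "dst": "203.0.113.9", "dport": 6881,
     "payload": b"\x13BitTorrent protocol"},
]

if __name__ == "__main__":
    for hit in inspect(PACKETS):
        print("ALERT:", hit)
```

Only the first packet fires: the second is a real web request on port 80 and the third goes to the high port without the signature string, which is why a content match and a port condition together make a narrower rule than either alone.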
NOTE
Snort’s logo is a pig, and many references are piggish in nature.
In this chapter, you’ll get an understanding of what Snort is, what its features are, and how to use it on your network. Additionally, you’ll learn about the history of Snort, and how it came to be such a popular IDS. You’ll also learn the importance of securing your Snort system, and some of the pitfalls of Snort. However, as you will see, Snort’s advantages far exceed its pitfalls.
There are commercial solutions for Snort as well, but they are out of scope for this chapter. Although Snort is available for free under the GNU Public License (GPL), commercial solutions for Snort are available through Sourcefire.
What Is Snort?
In short, Snort is a packet sniffer/packet logger/network IDS. Snort has an interesting history that began with a man named Marty Roesch. In November 1998, Roesch wrote a Linux-only packet sniffer called APE. Despite the great features of APE, Roesch also wanted a sniffer that would do the following:
■ Work on multiple OSs
■ Use a hexdump payload dump (TCPDump later had this functionality)
■ Display all the different network packets the same way (TCPDump did not have this)
With these goals in mind, Roesch developed Snort. Snort was written as a libpcap application to provide system administrators with an alternative to TCPDump (the only other sniffer using libpcap at the time; libpcap allows Snort to be portable from a network filtering and sniffing standpoint).
Snort became available at Packet Storm (www.packetstormsecurity.com) on December 22, 1998. At that time, Snort was only about 1,600 lines of code and had a total of two files. Roesch’s first uses of Snort included monitoring his cable modem connection and debugging network applications that he coded.
NOTE
The name Snort came from the fact that the application is a "sniffer and more." In addition, Roesch said that he had too many programs called a.out, and all the popular names for sniffers called "TCP-something" were already taken.

Snort's first signature-based analysis (also known as rules-based within the Snort community) became a feature in late January 1999. This was Snort's initial foray down the path of intrusion detection, and Snort could be used as a lightweight IDS at the time.
By the time Snort version 1.5 came out in December 1999, Roesch had decided on the Snort architecture that is employed in versions up to 2.0. After version 1.5 was released, Snort was able to use all the different plug-ins that are available today. Because of Snort's increasing popularity, Roesch worked to make it easier to configure and get it working in an enterprise environment so that it would be useful to a greater number of people.
What started as a pastime for Roesch quickly became a full-time job. In an attempt to devote a full effort to the development of Snort, Roesch started a company named Sourcefire and hired most of the core team who developed Snort. However, Snort is still open source and will always be open source. Sourcefire has put a lot of work into Snort, but it's not Sourcefire's 2.0—it's Snort 2.0. The current version of Snort is 2.0.1, which is a rework of the architecture and at press time contains approximately 75,000 lines of code.
Even though Snort 2.0 is a complete rewrite and an improvement over the previous Snort implementation, Snort has also gone through a more gradual evolution. Snort did not start out with preprocessing ability, nor did it start out with plug-ins. Over time, Snort grew to have improved network flow handling, output plug-ins for databases such as MySQL and Postgres, and preprocessor plug-ins that check RPC calls and port scanning before the packets are sent to the rules to check for alerts.
NOTE
Snort's rule set is maintained only for the latest release, which ensures that users run the most recent version. As of press time, the latest revision is 2.0.1, so the current rules only work with that version.
Speaking of rules, as time progressed, so did the number of rules. The size of the rule set grows with the number of exploits available. To keep the rules organized, they have been categorized into several types, including P2P, backdoor, distributed denial of service (DDoS) attacks, Web attacks, viruses, and many others. Each rule is mapped to a number that identifies a particular type of attack or exploit, known as a Snort ID (SID). For example, the SID for the SSH banner attack is 1838.
Because of Snort's increasing popularity, other IDS vendors are adopting the Snort rule format, TCPDump adopted Snort's hex encoding for packets, and community support is ever increasing. There are at least two mailing lists for Snort:

■ One on Snort's usage and application: http://lists.sourceforge.net/lists/listinfo/snort-users
■ One dedicated entirely to the Snort rules: http://lists.sourceforge.net/lists/listinfo/snort-sigs
Snort System Requirements
Before getting a system together, you need to know a few things. First, Snort data can take up a lot of disk space, and second, you may need to be able to monitor the system remotely. For Linux and UNIX, this means including Secure Shell (SSH) and Apache with Secure Sockets Layer (SSL). For Windows, this means Terminal Services (with limitations on which users and machines can connect) and Internet Information Server (IIS).
Hardware
One of the most important things you'll need, especially if you're running Snort in Network-based Intrusion Detection System (NIDS) mode, is a really big hard drive. If you're storing the data as either syslog files or in a database, you'll need a lot of space to store all the data that Snort's detection engine uses to check for rule violations.
Another highly recommended hardware component for Snort is a second Ethernet interface. One of the interfaces is necessary for typical network connectivity (SSH, Web services, and so forth), and the other interface is for Snorting. This sensing interface that does the "snorting" is your "Snort sensor."
Snort does not have any particular hardware requirements beyond what your OS already requires to run. Running any application with a faster processor usually makes the application work faster. However, you will be limited in the amount of data you collect by your network connection and by your hard drive.
To run Snort, you will need a network interface card (NIC) fast enough to collect all of the network packets. For example, if you are on a 100Mbps network, you will need a 100Mbps NIC to collect the packets at line rate. Otherwise, you will miss packets and be unable to accurately collect alerts.

In addition, you will need a good-sized hard drive to store your data. If your hard drive is too small, there is a good chance that you will be unable to write alerts to either your database or log files. A good setup for a single Snort sensor may be a 9GB partition for /var.
Operating System
As stated earlier, Snort was designed to be a lightweight NIDS. Currently, Snort can run on x86 systems running Linux, FreeBSD, NetBSD, OpenBSD, and Windows. Other supported systems include Sparc Solaris, PowerPC MacOS X and MkLinux, and PA-RISC HP-UX. Snort will run on just about any modern OS today.
NOTE
People can get into heated debates as to which OS is best, but you have to be the one to administer the system, so you pick the OS.
There is an ongoing argument regarding the best OS on which to run Snort. A while back, the *BSDs had the better IP stack, but since Linux has gone to the 2.4 kernel, the IP stacks are comparable. Our favorite is NetBSD, but your mileage might vary.
■ lex and yacc (or the GNU implementations flex and bison, respectively)
■ The latest libpcap from tcpdump.org
The packages in this section are only necessary if you are compiling Snort from source code. If you are using Linux RPMs or Debian packages, you do not need them.
Optional software that you can install includes:
■ MySQL, Postgres, or Oracle (SQL databases)
■ smbclient if using WinPopup messages
■ Apache or another Web server
■ PHP or Perl, if you have plug-ins that require them
■ SSH for remote access (or Terminal Server with Windows)
■ Apache with SSL capabilities for monitoring (or IIS for Windows)
Exploring Snort’s Features
Snort has several features that make it very powerful: packet sniffing, packet logging, and intrusion detection. Before getting into Snort's features, you should understand Snort's architecture. Snort has several important components, most of which are enabled through the use of plug-ins to customize your Snort implementation. These components include the preprocessors (which enable Snort to manipulate a packet to make its contents more manageable by the detection engine), the detection engine itself, and the alert system, which can send its output to different destinations.
Snort consists of four basic components, which work much like a coin sorter:

1. It collects all the coins (packets from the network backbone).
2. The coins are sent through a chute to determine if they are coins, and how they should roll (the preprocessor performs this function on the IDS).
3. Next, the coins are sorted according to the coin type. This is for storage of quarters, nickels, dimes, and pennies (the detection engine performs this function on the IDS).
4. Finally, it is the administrator's task to decide what to do with the coins—usually you'll roll them and store them (logging and database storage).
The preprocessor, the detection engine, and the alert components of Snort are all plug-ins. Plug-ins are programs that are written to conform to Snort's plug-in API. These programs used to be part of the core Snort code, but were separated out to make modifications to the core source code easier and more reliable.
as IPX and AppleTalk network protocols
Because IP traffic consists of many different types of network traffic, including TCP, UDP, ICMP, routing protocols, and IPSec, many sniffers analyze the various network protocols to interpret the packets into something human-readable.
Packet sniffers have various uses:
■ Network analysis and troubleshooting
■ Performance analysis and benchmarking
■ Eavesdropping for clear-text passwords and other interesting tidbits of data

Encrypting your network traffic can prevent people from being able to sniff your packets into something readable. Like any network tool, packet sniffers can be used for good and evil.

As Marty Roesch said, he named the application because it does more than sniffing—it snorts. The sniffer needs to be set up to obtain as many packets as possible. As a sniffer, Snort can save the packets to be processed and viewed later as a packet logger. Figure 29.2 illustrates Snort's packet sniffing ability.
Figure 29.1 Snort Architecture (diagram: packets from the network backbone pass through the sniffer, the preprocessor, and the detection engine with its rulesets, and end up as alerts/logging in log files or a database)
At this point, our coin sorter has obtained all the coins it can (packets from the network), and is ready to send the packets through the chute. Before rolling the coins (the detection engine), the coin sorter needs to determine if they are coins.

This is done through the preprocessor. The preprocessor takes the raw packets and checks them against certain plug-ins (like an RPC plug-in and a port scanner plug-in). These plug-ins check for a certain type of behavior from the packet. Once the packet is determined to have a particular type of behavior, it is then sent to the detection engine. From Figure 29.3, you can see how the preprocessor uses its plug-ins to check a packet.

This is such a great feature for an IDS because plug-ins can be enabled and disabled as they are needed at the preprocessor level. For example, if you are not interested in the RPC traffic coming into your network, you can disable this plug-in and use the others.
Figure 29.2 Snort's Packet Sniffing Functionality (diagram: packets from the network backbone reach the sniffer through a promiscuous interface (eth1); management traffic such as SSH, HTTPS, SQL, SMB, and SNMP uses the visible interface (eth0))

Figure 29.3 Snort's Preprocessor (diagram: packets pass through preprocessor plug-ins, such as the HTTP encoding plug-in and the port scanning plug-in, before reaching the detection engine)
Detection Engine
The detection engine is the meat of the IDS in Snort. The detection engine takes the data that comes from the preprocessor and its plug-ins, and that data is checked against a set of rules. If the rules match the data in the packet, the packet is sent to the alert processor.

Earlier in this chapter, we described Snort as a signature-based IDS. The signature-based IDS function is accomplished by using various rule sets. The rule sets are grouped by category (Trojan horses, buffer overflows, access to various applications), and are updated regularly.
The rules themselves consist of two parts:
■ The rule header. The rule header is basically the action to take (log or alert), the type of network packet (TCP, UDP, ICMP, and so forth), and the source and destination IP addresses and ports.
■ The rule options. The options describe the content in the packet that makes the packet match the rule.
The detection engine and its rules are the largest portion (and steepest learning curve) to learn and understand with Snort. Snort employs a specific syntax with its rules. Rule syntax can involve the type of protocol, the content, the length, the header, and other various elements, including garbage characters for defining buffer overflow rules.
Once you learn how to write Snort rules, you can fine tune and customize Snort's IDS functionality. You can define rules that are particular to your environment and customize them however you want.

The detection engine is the part of the coin sorter that actually rolls the coins based on the type. The most common American coins are the quarter, dime, nickel, and penny. However, you might get a coin that doesn't match, like the Kennedy half-dollar, and discard it. This is illustrated in the accompanying figure (diagram: do the packets match a rule? If no, discard; if yes, send to logging/alerting).
Alerting/Logging Component
After the Snort data goes through the detection engine, it must be output somewhere. If the data matches a rule in the detection engine, then an alert is triggered. Alerts can be sent to a log file, through a network connection, through UNIX sockets or Windows pop-ups (Server Message Block [SMB]), or as SNMP traps. The alerts can also be stored in an SQL database such as MySQL or Postgres.

Additionally, there are all sorts of other tools you can use with Snort, including various plug-ins for Perl, PHP, and Web servers to display the logs through a Web interface. Logs are stored in either text files (by default in /var/log/snort) or in a database such as MySQL or Postgres. Like the detection engine and the preprocessor, the alert component uses plug-ins to send the alerts to databases and through networking protocols such as SNMP traps and WinPopup messages. See Figure 29.5 for an illustration of how this works.

Additionally, with syslog tools such as Swatch, Snort alert messages can be sent via e-mail to notify a system administrator in real time, so no one has to monitor the Snort output all day and night. Table 29.1 lists a few examples of various useful third-party programs and tools.
Table 29.1 Useful Snort Add-Ons

Output Viewer   URL                                                      Description
SnortSnarf      www.silicondefense.com/software/snortsnarf               A Snort analyzer by Silicon Defense used for diagnostics. The output is in HTML.
Snortplot.php   www.snort.org/dl/contrib/data_analysis/snortplot.pl      A Perl script that will graphically plot your attacks.
Swatch          http://swatch.sourceforge.net                            A real-time syslog monitor that also provides real-time alerts via e-mail.
ACID            http://acidlab.sourceforge.net                           The Analysis Console for Intrusion Databases. Provides logging analysis for Snort. Requires PHP, Apache, and the Snort database plug-in. Since this information is usually sensitive, it is strongly recommended that you encrypt it by using mod_ssl with Apache or Apache-SSL.
Demarc          …                                                        Provides an interface similar to ACID's. It also requires Perl, and it is strongly recommended that you encrypt the Demarc sessions as well.
Razorback       www.intersectalliance.com/projects/RazorBack/index.html  A GNOME/X11-based real-time log analysis program for Linux.
Incident.pl     www.cse.fau.edu/~valankar/                               A Perl script used for creating … file.
Loghog          http://sourceforge.net/projects/                         A proactive Snort log analyzer that … e-mail alerts or block traffic by configuring IPTables rules.
Oinkmaster      www.algonet.se/~nitzer/                                  A tool used to keep your rules up to date.
SneakyMan       http://sneak.sourceforge.net                             A GNOME-based Snort rules configuration tool.
SnortReport     www.circuitsmaximus.com/download.html                    An add-on module that generates real-time intrusion …
Figure 29.5 (diagram: alerts from the alerting/logging component flow to syslog files and to a Web server/frontend; caption not present in this copy)
Using Snort on Your Network
Your IDS can use just one Snort system, or more than one if you need redundancy. For example, it is possible to divide the task of network monitoring across multiple hosts. The chief benefit of redundancy is that if one element of the system goes down, the network can still be monitored and protected.
The previously outlined network structure can be used for passive monitoring or active monitoring. Passive monitoring is simply the ability to listen to network traffic and log it. Active monitoring involves the ability to:

■ Monitor traffic and send alerts concerning the traffic that is discovered
■ Intercept and block traffic

Snort is primarily used for active auditing and can perform signature-based and anomaly-based detection. Signature-based detection means that you predefine what an attack looks like, and then configure your network monitoring software to look for that signature. Anomaly-based detection requires the IDS to actually listen to the network and gather evidence about "normal" traffic. Then, if any traffic occurs that seems different, the IDS will respond by, for example, sending out an alert to the network administrator.
After dealing with a post-mortem on a compromised system, it's amazing how helpful a Snort NIDS can be. On the flip side, it's also frustrating when your Snort system does not log a possible attack. Let's take a possible attack: the IMAP login overflow attack. In this case, an attacker tries a buffer overflow to cause a remote root exploit.

Snort can let you know that someone is sending an IMAP packet that contains the signature of an IMAP login overflow. Depending on how you have Snort set up, you can either monitor the output or you can be notified by e-mail.
The rule for detecting this attack is:
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer \
    overflow attempt"; flow:established,to_server; content:"LOGIN"; \
    content:"{"; distance:0; nocase; \
    byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; \
    classtype:misc-attack; sid:1993; rev:1;)
This rule checks any packet originating from the external network (defined by EXTERNAL_NET) to any system on the internal network (defined by HOME_NET) on port 143, which is the IMAP port, within an established session and heading toward the server (flow:established,to_server). The msg option defines what is sent to the Snort alert, and the rest of the rule is content based: it looks for the string LOGIN, then for a "{" somewhere after it (distance:0), and the byte_test option reads the 5 bytes that follow the brace as a decimal string and fires if the value is greater than 256. In an IMAP LOGIN command, {n} announces an n-byte literal argument, so an oversized literal is what the rule treats as an overflow attempt. There are also definitions of the type of attack (misc-attack), the SID number (1993), and the Bugtraq (www.securityfocus.com) reference for the attack, 6298 (which you can find at www.securityfocus.com/bid/6298).
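The rule above can be taken apart by a small parser and replayed against sample IMAP commands, which makes the header/option split and the relative content matching concrete. The following Python script is an added example, not code from the Snort project or from this chapter; it models only the option keywords this rule uses (content, distance, nocase, byte_test), and the IMAP commands it tests are constructed. The rule text, SID 1993, and Bugtraq 6298 are taken from the rule quoted above.

```python
"""Parse a Snort 2.x rule into its header and options, then replay the IMAP
LOGIN overflow rule (sid 1993) against a few IMAP commands.

Added example for this chapter; it is not Snort's code. It models only the
option subset this rule uses (content, distance, nocase, byte_test), and the
sample payloads are constructed, not captured traffic."""
import re

IMAP_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP login buffer '
    'overflow attempt"; flow:established,to_server; content:"LOGIN"; '
    'content:"{"; distance:0; nocase; '
    'byte_test:5,>,256,0,string,dec,relative; reference:bugtraq,6298; '
    'classtype:misc-attack; sid:1993; rev:1;)'
)

HEADER_FIELDS = ("action", "proto", "src", "src_port", "direction", "dst", "dst_port")
# An option is "key;" or "key:value;" where value is a quoted string or text up to ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text):
    """Return the header as a dict and the options as an ordered list of
    (key, value) pairs; a list, because content legitimately repeats."""
    head, _, body = text.partition("(")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS) or not body.endswith(")"):
        raise ValueError("malformed rule")
    options = [(k, v.strip().strip('"') or None) for k, v in OPTION_RE.findall(body[:-1])]
    return dict(zip(HEADER_FIELDS, fields)), options


def build_checks(options):
    """Attach nocase/distance modifiers to the content they follow and keep
    byte_test as its own step, since Snort evaluates these in order."""
    checks = []
    for key, val in options:
        if key == "content":
            checks.append({"type": "content", "pattern": val, "nocase": False, "distance": None})
        elif key == "nocase" and checks:
            checks[-1]["nocase"] = True
        elif key == "distance" and checks:
            checks[-1]["distance"] = int(val)
        elif key == "byte_test":
            size, op, value, offset, *flags = [f.strip() for f in val.split(",")]
            checks.append({"type": "byte_test", "size": int(size), "op": op,
                           "value": int(value), "offset": int(offset), "flags": flags})
    return checks


def evaluate(payload, checks):
    """Walk the checks, moving a detect pointer through the payload the way
    Snort's relative options do. True only if every check is satisfied."""
    pos = 0  # byte just past the most recent content match
    for c in checks:
        if c["type"] == "content":
            hay, needle = payload, c["pattern"].encode()
            if c["nocase"]:
                hay, needle = hay.lower(), needle.lower()
            start = 0 if c["distance"] is None else pos + c["distance"]
            idx = hay.find(needle, start)
            if idx < 0:
                return False
            pos = idx + len(needle)
        else:
            start = pos + c["offset"] if "relative" in c["flags"] else c["offset"]
            raw = payload[start:start + c["size"]]
            if "string" in c["flags"]:
                m = re.match(rb"\d+", raw)  # leading decimal digits, like strtoul
                if not m:
                    return False
                num = int(m.group())
            else:
                num = int.from_bytes(raw, "big")
            if not {">": num > c["value"], "<": num < c["value"],
                    "=": num == c["value"]}.get(c["op"], False):
                return False
    return True


# Constructed IMAP LOGIN commands; {n} announces an n-byte literal argument.
SAMPLES = {
    "oversized literal": b"a001 LOGIN {300}\r\n",
    "normal literal": b"a001 LOGIN {6}\r\n",
    "quoted arguments": b'a001 LOGIN "alice" "secret"\r\n',
    "lower-case verb": b"a001 login {300}\r\n",  # LOGIN carries no nocase in this rule
}


def check_samples(rule=IMAP_RULE):
    """Map each sample name to whether the rule would alert on it."""
    _header, options = parse_rule(rule)
    checks = build_checks(options)
    return {name: evaluate(p, checks) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    header, _options = parse_rule(IMAP_RULE)
    print(header)
    for name, hit in check_samples().items():
        print(f"{name:18s} {'ALERT' if hit else 'no match'}")
```

Run it as a script to see each sample's verdict. The last sample is the one worth noticing: as written here, the nocase modifier belongs to the "{" content that precedes it in the option list, not to LOGIN, so a client that sends the verb in lower case slips past this revision of the rule. That is exactly the kind of gap the next paragraph describes.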
Then, there's the flip side: Snort does not detect an attack on your system. Suppose another UNIX system is running Apache with FrontPage extensions. Someone finds a new overflow in FrontPage for which there is no Snort rule yet, and then he has your box. Not to mention, your security solution did not provide any assistance with the attack.
Using Snort as a Packet Sniffer and Logger
In its simplest form, Snort is a packet sniffer. That said, it's the easiest way to start. The command-line interface for packet sniffing is very easy to remember:

# snort -d -e -v

Note that the -v option is required. If you run Snort on a command line without any options, it looks for the configuration file (.snortrc) in your home directory. Table 29.2 lists Snort options and their function.
Table 29.2 Basic Snort Options for Packet Sniffing and Logging

Option   What It Does
-v       Put Snort in verbose packet sniffing mode, printing the IP and TCP/UDP/ICMP headers to the console
-d       Also dump the application layer data (the packet payload)
-e       Also display the data link layer (Ethernet) headers

You cannot use options -d and -e together without also using the -v option. If you do, you get the same output as if you had run snort without any options:
florida:/usr/share/doc/snort-doc# snort -de
Log directory = /var/log/snort

Initializing Network Interface eth0
using config file /root/.snortrc
Parsing Rules file /root/.snortrc

+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains
ERROR: Unable to open rules file: /root/.snortrc or /root//root/.snortrc
Fatal Error, Quitting..
Now, if you run snort with the -v option, you get this:

florida:/usr/share/doc/snort-doc# snort -v
Log directory = /var/log/snort

Initializing Network Interface eth0
[per-packet output omitted; the summary below is printed when you stop Snort with Ctrl-C]
============================================================================
Snort analyzed 56 out of 56 packets, dropping 0(0.000%) packets

Breakdown by protocol:                Action Stats:
    TCP: 0          (0.000%)          ALERTS: 0
    UDP: 44         (78.571%)         LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 1          (1.786%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 11         (19.643%)
DISCARD: 0          (0.000%)
============================================================================
Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
============================================================================
Fragmentation Stats:
Fragmented IP Packets: 0          (0.000%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
============================================================================
TCP Stream Reassembly Stats:
        TCP Packets Used: 0          (0.000%)
         Stream Trackers: 0
          Stream flushes: 0
           Segments used: 0
   Stream4 Memory Faults: 0
============================================================================
Snort received signal 2, exiting
Since this isn't very useful for checking the data of the packets, we'll run snort with the -dev option to give us the most information:

florida:/usr/share/doc/snort-doc# snort -dev
Log directory = /var/log/snort

Initializing Network Interface eth0

        --== Initializing Snort ==--
Decoding Ethernet on interface eth0

        --== Initialization Complete ==--

        -*> Snort! <*-
Version 2.0.1 (Build 88)
By Martin Roesch (roesch@sourcefire.com, www.snort.org)
01/22-20:28:16.732371 0:4:5A:F2:F7:84 -> 1:0:5E:7F:FF:FD type:0x800 len:0x5B
131.215.183.30:57535 -> 239.255.255.253:427 UDP TTL:254 TOS:0x0 ID:26121 IpLen:20 DgmLen:77
[payload dump omitted]
01/22-20:28:18.354830 0:4:5A:F2:F7:84 -> 1:0:5E:0:0:2 type:0x800 len:0x3E
131.215.184.253:1985 -> 224.0.0.2:1985 UDP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:48
Len: 28

Each packet is printed in the following format:

{date}-{time} {source-hw-address} -> {dest-hw-address} {type} {length}
{source-ip-address:port} -> {destination-ip-address:port} {protocol} {TTL} {TOS} {ID} {IP-length} {datagram-length}
{payload-length}
{hex-dump} {ASCII-dump}
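Because the two header lines Snort prints for each packet follow this fixed layout, saved -dev output is easy to turn back into structured records when you want to triage it without Snort at hand. The following Python script is an added example and not part of Snort: it is fed the two packets printed above (with the hex and ASCII payload dumps omitted and a blank separator line added), classifies the destination MAC addresses, checks that each frame length agrees with its datagram length, and reproduces the "Breakdown by protocol" figures Snort prints in its exit summary.

```python
"""Turn the per-packet header lines that `snort -dev` prints into records and
summarize them the way Snort's own exit summary does.

Added example for this chapter, not part of Snort. SAMPLE_OUTPUT is the two
packets shown above; Snort's hex/ASCII payload dumps are omitted and a blank
separator line is added."""
import re
from collections import Counter

SAMPLE_OUTPUT = """\
01/22-20:28:16.732371 0:4:5A:F2:F7:84 -> 1:0:5E:7F:FF:FD type:0x800 len:0x5B
131.215.183.30:57535 -> 239.255.255.253:427 UDP TTL:254 TOS:0x0 ID:26121 IpLen:20 DgmLen:77

01/22-20:28:18.354830 0:4:5A:F2:F7:84 -> 1:0:5E:0:0:2 type:0x800 len:0x3E
131.215.184.253:1985 -> 224.0.0.2:1985 UDP TTL:2 TOS:0x0 ID:0 IpLen:20 DgmLen:48
Len: 28
"""

ETH_RE = re.compile(
    r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) "
    r"type:0x([0-9A-Fa-f]+) len:0x([0-9A-Fa-f]+)$")
IP_RE = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+) "
    r"TTL:(\d+) TOS:0x([0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ETHERNET_HEADER_LEN = 14


def mac_kind(mac):
    """Ethernet marks group (multicast) addresses with the low bit of the first octet."""
    if mac.upper() == "FF:FF:FF:FF:FF:FF":
        return "broadcast"
    return "multicast" if int(mac.split(":")[0], 16) & 1 else "unicast"


def parse_snort_dev(text):
    """Pair each Ethernet line with the IP line that follows it; other lines
    (payload dumps, Len:, separators) are skipped."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        m = ETH_RE.match(line)
        if m:
            date, time, smac, dmac, etype, flen = m.groups()
            current = {"date": date, "time": time, "src_mac": smac, "dst_mac": dmac,
                       "dst_mac_kind": mac_kind(dmac), "ethertype": int(etype, 16),
                       "frame_len": int(flen, 16), "proto": None}
            records.append(current)
            continue
        m = IP_RE.match(line)
        if m and current is not None:
            sip, sport, dip, dport, proto, ttl, tos, ident, iplen, dgmlen = m.groups()
            current.update(src_ip=sip, src_port=int(sport), dst_ip=dip, dst_port=int(dport),
                           proto=proto, ttl=int(ttl), tos=int(tos, 16), ip_id=int(ident),
                           ip_hdr_len=int(iplen), dgm_len=int(dgmlen))
    return records


def frame_consistent(record):
    """The frame length Snort prints (len:0x..) should equal the IP datagram
    length plus the 14-byte Ethernet header; a mismatch points at a truncated
    capture or a mangled log line."""
    return record.get("dgm_len") is not None and \
        record["frame_len"] == ETHERNET_HEADER_LEN + record["dgm_len"]


def protocol_breakdown(records):
    """Mirror Snort's 'Breakdown by protocol' summary: (count, percentage)."""
    counts = Counter(r["proto"] or "OTHER" for r in records)
    total = len(records)
    return {p: (n, round(100.0 * n / total, 3)) for p, n in counts.items()}


if __name__ == "__main__":
    recs = parse_snort_dev(SAMPLE_OUTPUT)
    for r in recs:
        print(f"{r['time']} {r['src_ip']}:{r['src_port']} -> {r['dst_ip']}:{r['dst_port']} "
              f"{r['proto']} ttl={r['ttl']} dst_mac={r['dst_mac_kind']} "
              f"consistent={frame_consistent(r)}")
    print(protocol_breakdown(recs))
```

Both sample packets are addressed to multicast MACs (01:00:5E: prefixes, written by Snort without leading zeros), and both frame lengths check out (0x5B = 14 + 77, 0x3E = 14 + 48), which is a useful sanity check before trusting a saved log.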
This is all great information you're gathering, and Snort can collect it into a file as well as display it to standard output. Snort has built-in packet logging mechanisms that you can use to collect the data as a file, sort it into directories, or store the data as a binary file.

To use the packet logging features, the command format is simple:

# snort -dev -l {logging-directory} -h {home-subnet-slash-notation}

If you wanted to log the data into the directory /var/adm/snort/logs with the home subnet 10.1.0.0/24, you would use the following:

# snort -dev -l /var/adm/snort/logs -h 10.1.0.0/24
However, if you log the data in binary format, you don't need all the options. The binary format is also known as the TCPDump formatted data file. Several packet sniffers use the TCPDump data format, including Snort.

The binary format makes packet collection much faster because Snort doesn't have to translate the data into a human-readable format immediately. You only need two options: the binary log file option -L and the binary option -b.

For binary packet logging, just run the following:

# snort -b -L {log-file}

For each log file, Snort appends a timestamp to the specified filename.
It's great that you're able to collect the data. Now, how do you read it? You need to parse it back through Snort with filtering options. You also have the option to look at the data through TCPDump and Ethereal, as they use the same format for the data.

# snort [-d|e] -r {log-file} [tcp|udp|icmp]

The last item on the line is optional if you want to filter the packets based on packet type (for example, TCP). To take further advantage of Snort's packet logging features, you can use Snort in conjunction with the Berkeley Packet Filter (BPF):

# snort -vd -r <file> <bpf_filter>

The BPF allows packets to be filtered at the kernel level, which optimizes the performance of network sniffers and loggers: packets you are not interested in are discarded before they are ever copied up to the application, because the filtering happens at such a low level in the operating system. When reading a saved file with -r, libpcap applies the same filter expression in user space, so the syntax is identical but the kernel-level speedup applies only to live capture.
The following are some examples of BPF filters. They are commonly used for ignoring packets, and work with the expressions and, or, and not. Keep in mind that a filter selects the packets Snort shows you, so to ignore traffic you negate the expression that describes it; when you group terms with parentheses, quote the filter so the shell does not interpret them.

If you want to ignore all traffic to or from one IP address:

# snort -vd -r <file> not host 10.1.1.254

If you want to ignore all traffic from the 10.1.1.0 network to destination port 80:

# snort -vd -r <file> 'not (src net 10.1.1 and dst port 80)'

If you want to ignore all traffic coming from host 10.1.1.20 on source port 22:

# snort -vd -r <file> 'not (src host 10.1.1.20 and src port 22)'
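Because the -b log is an ordinary tcpdump-format (pcap) file, you can also read it with your own tools when Snort, TCPDump, or Ethereal is not installed on the analysis host. The following Python script is an added example and not Snort or libpcap code: it writes a two-packet pcap in memory from constructed frames sized to match the two multicast datagrams shown in the -dev output earlier, then parses the file back, taking the byte order from the magic number and refusing a truncated final record, which is what a log can look like when a sensor dies in the middle of a write.

```python
"""Read the tcpdump-format (pcap) file that `snort -b -L <file>` writes without
Snort: walk the global header and the per-packet records, and decode enough of
each Ethernet/IPv4 frame to report who talked to whom.

Added example for this chapter; it is not Snort or libpcap code. Since no
capture is available offline, it first builds a small pcap in memory from two
constructed UDP frames and then parses it back."""
import struct
import ipaddress

PCAP_MAGIC = 0xA1B2C3D4      # microsecond-resolution pcap magic number
ETHERTYPE_IPV4 = 0x0800
LINKTYPE_ETHERNET = 1
IPPROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def _mac(text):
    """'0:4:5A:F2:F7:84' (Snort's style, no leading zeros) -> 6 raw bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def udp_frame(src_mac, dst_mac, src_ip, sport, dst_ip, dport, ttl, payload):
    """Ethernet + IPv4 + UDP bytes; checksums are left zero, which file parsing does not need."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                     ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def write_pcap(frames, snaplen=1514):
    """24-byte global header, then a 16-byte record header before each frame."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1043000000 + i, 0, len(f), len(f)) + f
    return out


def decode(frame):
    """Pull the fields `snort -dev` prints from an Ethernet/IPv4 frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return {"proto": "OTHER"}
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    rec = {"src_ip": str(ipaddress.ip_address(frame[26:30])),
           "dst_ip": str(ipaddress.ip_address(frame[30:34])),
           "ttl": frame[22], "proto": IPPROTO_NAMES.get(proto, str(proto))}
    if proto in (6, 17) and len(frame) >= 14 + ihl + 4:
        rec["sport"], rec["dport"] = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return rec


def read_pcap(data):
    """Parse a pcap image; the magic number tells us the writer's byte order."""
    magic, = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        order = "<"
    elif magic == 0xD4C3B2A1:  # same magic as written by a big-endian host
        order = ">"
    else:
        raise ValueError("not a pcap file (magic %#x)" % magic)
    _, vmaj, vmin, _tz, _sig, snaplen, linktype = struct.unpack(order + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(order + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        if len(frame) < incl:  # e.g. the sensor was killed while writing this record
            raise ValueError("truncated record at offset %d" % off)
        records.append({"ts": ts_sec + ts_usec / 1e6, "caplen": incl, "len": orig, **decode(frame)})
        off += 16 + incl
    return {"version": (vmaj, vmin), "snaplen": snaplen, "linktype": linktype, "records": records}


# Constructed frames, sized like the two multicast datagrams in the -dev output
# above (0x5B and 0x3E bytes on the wire).
FRAMES = [
    udp_frame("0:4:5A:F2:F7:84", "1:0:5E:7F:FF:FD", "131.215.183.30", 57535,
              "239.255.255.253", 427, 254, b"\x02\x06" + b"\x00" * 47),
    udp_frame("0:4:5A:F2:F7:84", "1:0:5E:0:0:2", "131.215.184.253", 1985,
              "224.0.0.2", 1985, 2, b"\x00" * 20),
]

if __name__ == "__main__":
    cap = read_pcap(write_pcap(FRAMES))
    print("pcap v%d.%d linktype=%d snaplen=%d" % (*cap["version"], cap["linktype"], cap["snaplen"]))
    for r in cap["records"]:
        print(f"{r['ts']:.6f} {r['src_ip']}:{r['sport']} -> {r['dst_ip']}:{r['dport']} "
              f"{r['proto']} ttl={r['ttl']} len={r['len']}")
```

Point read_pcap at the bytes of a real Snort -b log and the records come out with the same fields; the linktype value is worth checking first, because a sensor whose snorting interface is not Ethernet (a raw PPP or 802.11 capture, for instance) will write a different value and the 14-byte Ethernet decode above will not apply.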
Using Snort as an NIDS

Now that you understand the basic options of Snort, you can see where the IDS comes into play. To make Snort an IDS, just add one thing to the packet logging command: the configuration file.

# snort -dev -l /var/adm/snort/logs -h 10.1.0.0/24 -c /root/mysnort.conf

Your rules are in the configuration file, and they are what trigger the alerts.
Snort and Your Network Architecture
So, how do you make Snort as useful as possible? You put the Snort system(s) on your network where they will be most useful. Where this is depends on factors such as the size of your network and how much money you have to spend on Snort systems.

If you cannot afford to acquire enough Snort systems to achieve the optimal designs shown in Figure 29.6, you'll need to see what you can use from a practical sense. If you need to limit your spending, forgo the system inside the router and just make sure you have the Snort systems inside the subnets you want to protect.
Many network administrators set up a screening router. This enables the router to act as a poor man's firewall and stop packets at the network level, usually by their well-known ports. The problem with this is that many packets can be rerouted through other ports.

However, if a packet gets past your screening router, this might be a good place to put your IDS. This enables you to detect what you deem as attacks while enabling some filtering to hopefully catch some of the problems with the router. Figure 29.6 shows the IDS network architecture with a screening router.

In this case, you would want to put an IDS system on the inside of your firewall and another in between your outside router and your firewall. Here we're also assuming that your router is filtering some traffic through its access lists as well. You do not want your Snort system on the outside of your network because it will increase your false positive rate, and it leaves your Snort system more vulnerable to attack. This is illustrated in Figure 29.7. Most important is the Snort system inside your firewall. This is the one you should monitor frequently for attacks. This system should only trigger alerts from possible legitimate attacks, and produce far fewer false alerts, or false positives. However, the Snort system between your router and your firewall will also provide you with useful information, especially for a postmortem on a compromised system.

Figure 29.6 An IDS Network Architecture with a Screening Router (diagram: screening router, firewall, and internal network, with one IDS)
Many network architectures have a Demilitarized Zone (DMZ) for providing public services such as Web servers, FTP servers, and application servers. DMZs can also be used for an extranet (which is a semi-trusted connection to another organization), but we'll stick to the public server DMZ architecture in this example. This is illustrated in Figure 29.8.

Figure 29.7 A Firewalled Network with Snort Systems (diagram: screening router, firewall, and internal network, with one IDS between the router and the firewall and another inside the firewall)

Figure 29.8 A Firewalled Network with a DMZ (diagram: Internet, screening router, firewall, and internal network, with a DMZ holding the FTP server, Web server, and application server)
In this case, you would want three Snort systems: one inside the router, one inside the DMZ, and one inside the firewall. The reason for the additional IDS machine is that you have an additional subnet to defend. Therefore, a good rule of thumb for an optimal situation for your Snort systems is:

■ One inside the router
■ One inside each subnet you want to protect

This is illustrated in Figure 29.9.
Snort and Switched Networks
Snort can also be used on a switched network. As switches become increasingly popular, monitoring them with Snort (or any other IDS) becomes more and more critical. Your switch can be either inside your router or inside your firewall.

A switch provides you with Layer 2 (Data Link layer on the OSI seven layer model) configurability, including virtual LANs (VLANs), which allow you to subnet directly at the switch. Switches have also been used as overpriced routers. In this case, you'll want to save your money if you're not using your switch's features.

Figure 29.9 A Firewalled Network with a DMZ and Snort (diagram: screening router, firewall, internal network, and a DMZ with FTP, Web, and application servers, with one IDS inside the router, one in the DMZ, and one inside the firewall)