book

Managing Security with Snort & IDS Tools

by Kerry J. Cox, Christopher Gerg

August 2004

Intermediate to advanced

288 pages

8h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
AudienceAbout This BookAssumptions This Book MakesChapter SynopsisConventions Used in This BookComments and QuestionsAcknowledgmentsKerry CoxChristopher Gerg
1. Introduction
1.1. Disappearing Perimeters1.2. Defense-in-Depth1.3. Detecting Intrusions (a Hierarchy of Approaches)1.4. What Is NIDS (and What Is an Intrusion)?1.5. The Challenges of Network Intrusion Detection1.5.1. Prerequisites1.5.2. False Positives1.5.3. Missing Prerequisites1.5.4. Unrealistic Expectations1.6. Why Snort as an NIDS?1.7. Sites of Interest
2. Network Traffic Analysis
2.1. The TCP/IP Suite of Protocols2.1.1. TCP2.1.1.1. The three-way handshake2.1.2. UDP2.1.3. IP2.1.4. ICMP2.1.5. ARP2.2. Dissecting a Network Packet2.2.1. The IP Header2.2.2. The TCP Header2.3. Packet Sniffing2.4. Installing tcpdump2.5. tcpdump Basics2.6. Examining tcpdump Output2.7. Running tcpdump2.7.1. Syntax Options2.7.2. tcpdump Filters2.7.3. tcpdump Capture of the TCP Three-Way Handshake2.8. ethereal2.8.1. Installing from Source2.8.2. Available Options2.8.3. ethereal Capture of TCP Three-Way Handshake2.8.4. Tethereal2.9. Sites of Interest
3. Installing Snort
3.1. About Snort3.1.1. Snort’s Commercial Counterpart3.2. Installing Snort3.2.1. Source Code Installation3.2.1.1. Build-time options3.2.2. Windows Installations3.2.3. Staying Current3.3. Command-Line Options3.4. Modes of Operation3.4.1. Snort as a Sniffer3.4.2. Snort as a Packet Logger3.4.3. Snort as an NIDS: Quick and Dirty3.4.3.1. Get the latest rule sets3.4.3.2. Initial configuration of the snort.conf file
4. Know Your Enemy
4.1. The Bad Guys4.1.1. Opportunists, Thieves, and Vandals4.1.2. Professionals4.1.3. Disgruntled Current and Former Employees and Contractors4.1.4. Robots and Worms4.2. Anatomy of an Attack: The Five Ps4.2.1. Probe4.2.1.1. Mining the Web4.2.1.2. Portscans and software version-mapping4.2.1.3. Automated vulnerability scanners4.2.1.4. Web page scanners4.2.1.5. Other probe tools4.2.2. Penetrate4.2.2.1. Authentication grinding4.2.2.2. Buffer overflows4.2.2.3. Application behavior boundary flaws4.2.2.4. System configuration errors4.2.2.5. User input validation problems4.2.3. Persist4.2.4. Propagate4.2.5. Paralyze4.3. Denial-of-Service4.4. IDS Evasion4.5. Sites of Interest
5. The snort.conf File
5.1. Network and Configuration Variables5.1.1. Default Variables from snort.conf5.2. Snort Decoder and Detection Engine Configuration5.3. Preprocessor Configurations5.3.1. flow5.3.2. frag25.3.3. stream45.3.4. stream4_reassemble5.3.5. HTTP Inspect Preprocessor5.3.5.1. http_inspect (global)5.3.5.2. http_inspect_server5.3.6. rpc_decode5.3.7. bo5.3.8. telnet_decode5.3.9. flow-portscan5.3.10. arpspoof5.3.11. perfmonitor5.4. Output Configurations5.4.1. alert_syslog5.4.2. log_tcpdump5.4.3. Database5.4.3.1. MySQL5.4.3.2. PostgreSQL5.4.3.3. ODBC5.4.3.4. MsSQL5.4.3.5. Oracle5.4.4. unified5.5. File Inclusions
6. Deploying Snort
6.1. Deploy NIDS with Your Eyes Open6.2. Initial Configuration6.2.1. Targeted IDS6.3. Sensor Placement6.3.1. Systems and Networks to Watch6.3.2. Creating Connection Points6.3.3. Encrypted Traffic6.4. Securing the Sensor Itself6.4.1. Choose an Operating System6.4.2. Configure Interfaces6.4.3. Disable Unnecessary Services6.4.4. Apply Patches and Updates6.4.5. Utilize Robust Authentication6.4.6. Monitor System Logs6.5. Using Snort More Effectively6.6. Sites of Interest
7. Creating and Managing Snort Rules
7.1. Downloading the Rules7.2. The Rule Sets7.3. Creating Your Own Rules7.3.1. Snort Rule Headers7.3.2. Rule Options7.3.3. Common Rule Options7.4. Rule Execution7.5. Keeping Things Up-to-Date7.6. Sites of Interest
8. Intrusion Prevention
8.1. Intrusion Prevention Strategies8.2. IPS Deployment Risks8.3. Flexible Response with Snort8.3.1. The react Response8.4. The Snort Inline Patch8.4.1. Configuring Snort8.4.2. Creating Rules for the Snort Inline Patch8.5. Controlling Your Border8.5.1. Installing SnortSAM8.5.2. Patching Snort to Enable Support for SnortSAM8.5.3. Starting SnortSAM8.5.4. Supporting the SnortSAM Output Plug-in8.5.5. Modifying Rules That Trigger Block Requests8.6. Sites of Interest
9. Tuning and Thresholding
9.1. False Positives (False Alarms)9.2. False Negatives (Missed Alerts)9.2.1. Common Causes of False Negatives9.3. Initial Configuration and Tuning9.3.1. Tailoring the Decoder and Preprocessors9.3.1.1. The Snort decoder configuration9.3.1.2. The flow preprocessor9.3.1.3. The frag2 preprocessor9.3.1.4. The stream4_reassemble preprocessor9.3.1.5. The http_inspect preprocessor9.3.1.6. The flow-portscan preprocessor9.3.2. Tailoring the Rule Set9.3.2.1. General rule set pruning (trimming high noise rule sets)9.3.2.2. Tuning individual rules9.4. Pass Rules9.5. Thresholding and Suppression9.5.1. Simple Thresholds9.5.2. Global Thresholds9.5.3. Suppression Rules

10. Using ACID as a Snort IDS Management Console
10.1. Software Installation and Configuration10.1.1. MySQL Installation and Configuration10.1.1.1. MySQL RPM install10.1.1.2. Performing a MySQL source install10.1.1.3. Adding tables and permissions10.1.1.4. Cleaning house or reinstalling10.1.2. Installing the Web Server10.1.3. Installing Apache210.1.3.1. Installing from RPMs10.1.3.2. Compiling the latest Apache code from source10.1.3.3. Testing Apache and PHP10.1.3.4. Managing dependencies10.1.3.5. Running a secure web site10.1.4. Final Apache Configurations10.2. ACID Console Installation10.2.1. Confirming GD Support10.2.2. Customizing the ACID Configuration Files10.2.3. The ACID Console10.2.4. Initializing the ACID Web Page10.3. Accessing the ACID Console10.3.1. Using ACID10.3.1.1. Main ACID page10.3.1.2. Alert information10.3.1.3. Searching and graphing10.3.1.4. Data snapshots10.4. Analyzing the Captured Data10.4.1. Tracking the Alerts10.4.1.1. Viewing the packet10.4.1.2. Identifying known attacks10.4.1.3. Notifying the offender10.4.1.4. Searching the database10.4.1.5. Graphing data for viewing10.4.2. The Ongoing Use of the ACID Console10.5. Sites of Interest
11. Using SnortCenter as a Snort IDS Management Console
11.1. SnortCenter Console Installation11.1.1. Prerequisites11.1.1.1. Installing curl Binary11.1.2. Installing the Console Software11.2. SnortCenter Agent Installation11.2.1. Prerequisites11.2.2. Installing the Agent11.3. SnortCenter Management Console11.4. Logging In and Surveying the Layout11.4.1. Sensor Console11.4.2. Sensor Configuration11.4.3. Resources11.4.3.1. Creating a new rule11.4.4. Additional Resources11.4.5. Admin11.5. Adding Sensors to the Console11.5.1. Configuring Sensors Within the SnortCenter Console11.6. Managing Tasks11.6.1. Updating Rules and Signatures11.6.1.1. Automatic update feature11.6.2. Managing False Positives and Negatives11.6.3. Editing Custom Rules
12. Additional Tools for Snort IDS Management
12.1. Open Source Solutions12.1.1. SnortReport12.1.2. SnortSnarf12.1.3. Cerebus12.1.4. IDS Policy Manager12.1.5. Oinkmaster12.2. Commercial Solutions12.2.1. Applied Watch Console12.2.2. PureSecure Console12.2.3. Sourcefire Management Console
13. Strategies for High-Bandwidth Implementations of Snort
13.1. Barnyard (and Sguil)13.1.1. Configuring Snort’s Unified Binary Output13.1.2. Installing Barnyard13.1.3. The barnyard.conf File13.1.4. Barnyard Command-Line Options13.1.5. Sguil: An Alternative Management Console13.2. Commericial IDS Load Balancers13.2.1. F5 Network’s VLAN Mirroring with Big Iron Switches13.2.2. Radware’s Fireproof Appliance13.2.3. Top Layer Network’s IDS Balancer13.3. The IDS Distribution System (I(DS)2)13.3.1. A Little Background13.3.2. The Solution13.3.3. Installation13.3.3.1. Layer 2 cross-connect13.3.3.2. Policy router
A. Snort and ACID Database Schema
A.1. acid_agA.1.1. acid_ag_alertA.1.1.1. acid_eventA.1.1.2. acid_ip_cacheA.1.1.3. dataA.1.1.4. detailA.1.1.5. encodingA.1.1.6. eventA.1.1.7. icmphdrA.1.1.8. iphdrA.1.1.9. optA.1.1.10. referenceA.1.1.11. reference_systemA.1.1.12. schemaA.1.1.13. sensorA.1.1.14. sig_classA.1.1.15. sig_referenceA.1.1.16. signatureA.1.1.17. tcphdrA.1.1.18. udphdr
B. The Default snort.conf File
C. Resources
C.1. From Chapter 1: IntroductionC.2. From Chapter 2: Network Traffic AnalysisC.3. From Chapter 4: Know Your EnemyC.4. From Chapter 6: Deploying SnortC.5. From Chapter 7: Creating and Managing Snort RulesC.6. From Chapter 8: Intrusion PreventionC.7. From Chapter 10: Using ACID as a Snort IDS Management ConsoleC.8. From Chapter 12: Additional Tools for Snort IDS ManagementC.9. From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
About the Authors
Colophon
Copyright

Content preview from Managing Security with Snort & IDS Tools

Chapter 10. Using ACID as a Snort IDS Management Console

Running Snort from the command line and using tail -f to watch the alert log file is fine when testing or experimenting. But when you want to use Snort to protect your network, you need better analysis and monitoring tools. ACID (the Analysis Console for Intrusion Detection) is an open source project developed by Roman Danyliw at the CERT coordination center, as part of the AIRCERT project. It uses a PHP-based web application that can act as the frontend for several tools—we will only discuss using ACID with Snort in this chapter. ACID interfaces with the database that Snort uses to log alerts.

ACID should be considered beta software and may be vulnerable to user input validation problems. Care should be taken to secure access to the ACID console (discussed further below). The current version is 0.9.6b23; it has not been updated since January of 2003. It still does an outstanding job in acting as a Snort alert console, but the recent changes in Snort (namely the move from the portscan2 and conversation preprocessors to flow-portscan) have exposed some problems. I still prefer ACID over almost any other open source solution (there are some commercial products that can act as a management console for Snort, too).

ACID was designed to help a security administrator manage the alerts generated by multiple IDS sensors. ACID can generate trending information and allow searches based upon time, address, alert, priority, classification, ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Snort Intrusion Detection and Prevention Toolkit

Publisher Resources

ISBN: 0596006616Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Managing Security with Snort & IDS Tools

by Kerry J. Cox, Christopher Gerg

Chapter 10. Using ACID as a Snort IDS Management Console

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.