book

Snort Cookbook

by Angela Orebaugh, Simon Biles, Jacob Babbin

March 2005

Intermediate to advanced

288 pages

7h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

AudienceContents of This BookConventions Used in This BookUsing Code ExamplesSafari EnabledHow to Contact UsAcknowledgments
Introduction1.1. Installing Snort from Source on Unix1.2. Installing Snort Binaries on Linux1.3. Installing Snort on Solaris1.4. Installing Snort on Windows1.5. Uninstalling Snort from Windows1.6. Installing Snort on Mac OS X1.7. Uninstalling Snort from Linux1.8. Upgrading Snort on Linux1.9. Monitoring Multiple Network Interfaces1.10. Invisibly Tapping a Hub1.11. Invisibly Sniffing Between Two Network Points1.12. Invisibly Sniffing 100 MB Ethernet1.13. Sniffing Gigabit Ethernet1.14. Tapping a Wireless Network1.15. Positioning Your IDS Sensors1.16. Capturing and Viewing Packets1.17. Logging Packets That Snort Captures1.18. Running Snort to Detect Intrusions1.19. Reading a Saved Capture File1.20. Running Snort as a Linux Daemon1.21. Running Snort as a Windows Service1.22. Capturing Without Putting the Interface into Promiscuous Mode1.23. Reloading Snort Settings1.24. Debugging Snort Rules1.25. Building a Distributed IDS (Plain Text)1.26. Building a Distributed IDS (Encrypted)
Introduction2.1. Logging to a File Quickly2.2. Logging Only Alerts2.3. Logging to a CSV File2.4. Logging to a Specific File2.5. Logging to Multiple Locations2.6. Logging in Binary2.7. Viewing Traffic While Logging2.8. Logging Application Data2.9. Logging to the Windows Event Viewer2.10. Logging Alerts to a Database2.11. Installing and Configuring MySQL2.12. Configuring MySQL for Snort2.13. Using PostgreSQL with Snort and ACID2.14. Logging in PCAP Format (TCPDump)2.15. Logging to Email2.16. Logging to a Pager or Cell Phone2.17. Optimizing Logging2.18. Reading Unified Logged Data2.19. Generating Real-Time Alerts2.20. Ignoring Some Alerts2.21. Logging to System Logfiles2.22. Fast Logging2.23. Logging to a Unix Socket2.24. Not Logging2.25. Prioritizing Alerts2.26. Capturing Traffic from a Specific TCP Session2.27. Killing a Specific Session
Introduction3.1. How to Build Rules3.2. Keeping the Rules Up to Date3.3. Basic Rules You Shouldn’t Leave Home Without3.4. Dynamic Rules3.5. Detecting Binary Content3.6. Detecting Malware3.7. Detecting Viruses3.8. Detecting IM3.9. Detecting P2P3.10. Detecting IDS Evasion3.11. Countermeasures from Rules3.12. Testing Rules3.13. Optimizing Rules3.14. Blocking Attacks in Real Time3.15. Suppressing Rules3.16. Thresholding Alerts3.17. Excluding from Logging3.18. Carrying Out Statistical Analysis
Introduction4.1. Detecting Stateless Attacks and Stream Reassembly4.2. Detecting Fragmentation Attacks and Fragment Reassembly with Frag24.3. Detecting and Normalizing HTTP Traffic4.4. Decoding Application Traffic4.5. Detecting Port Scans and Talkative Hosts4.6. Getting Performance Metrics4.7. Experimental Preprocessors4.8. Writing Your Own Preprocessor
Introduction5.1. Managing Snort Sensors5.2. Installing and Configuring IDScenter5.3. Installing and Configuring SnortCenter5.4. Installing and Configuring Snortsnarf5.5. Running Snortsnarf Automatically5.6. Installing and Configuring ACID5.7. Securing ACID5.8. Installing and Configuring Swatch5.9. Installing and Configuring Barnyard5.10. Administering Snort with IDS Policy Manager5.11. Integrating Snort with Webmin5.12. Administering Snort with HenWen5.13. Newbies Playing with Snort Using EagleX
Introduction6.1. Generating Statistical Output from Snort Logs6.2. Generating Statistical Output from Snort Databases6.3. Performing Real-Time Data Analysis6.4. Generating Text-Based Log Analysis6.5. Creating HTML Log Analysis Output6.6. Tools for Testing Signatures6.7. Analyzing and Graphing Logs6.8. Analyzing Sniffed (Pcap) Traffic6.9. Writing Output Plug-ins
Introduction7.1. Monitoring Network Performance7.2. Logging Application Traffic7.3. Recognizing HTTP Traffic on Unusual Ports7.4. Creating a Reactive IDS7.5. Monitoring a Network Using Policy-Based IDS7.6. Port Knocking7.7. Obfuscating IP Addresses7.8. Passive OS Fingerprinting7.9. Working with Honeypots and Honeynets7.10. Performing Forensics Using Snort7.11. Snort and Investigations7.12. Snort as Legal Evidence in the U.S.7.13. Snort as Evidence in the U.K.7.14. Snort as a Virus Detection Tool7.15. Staying Legal

Content preview from Snort Cookbook

Chapter 4. Preprocessing: An Introduction

Introduction

Snort has several components other than the rules engine. For example, some packets and applications have to be decoded into plain text for Snort rules to trigger. The component that handles the packets before they get to the rules engine is called the preprocessor. The available preprocessors and their functions as of Snort 2.2.0 are listed in Table 4-1.

Table 4-1. Snort 2.2.0 preprocessors

Preprocessor name	Function
Flow	This preprocessor helps keep a state flow log of packets passing through the Snort engine. The only preprocessor to use this engine so far is the new flow-portscan.
Frag2	This preprocessor detects and reassembles fragmented packets attempting to bypass detection. This preprocessor also detects a denial of service (DoS) attack using fragmented packets at a high rate of speed. There is a patch to this preprocessor that detects the Rose Attack. The patch file and instructions are found later in this chapter.
stream4	This preprocessor reassembles TCP packets and inspects them to detect attempted IDS evasion attacks from tools such as snot or stick using stateless attacks. This preprocessor also detects port scans, state problems with a session, and records session information.
stream4_reassemble	This is the second part of the stream4 engine. It reassembles packets into meaningful sessions for the Snort rules engine and for the preprocessors loaded after Snort. It can also specify reassembly of the client side, server side, ...