Snort Cookbook

Angela Orebaugh (CISSP, GCIA, GCFW, GCIH, GSEC, CCNA) has worked in information technology for 10 years. She is currently an associate at Booz Allen Hamilton in the Washington, DC metro area. Her focus is on perimeter defense, secure architecture design, vulnerability assessments, penetration testing, and intrusion-detection. Angela is an expert in many commercial and open source intrusion detection and analysis tools including Ethereal, Snort, Nessus, and Nmap. She is a graduate of James Madison University with a masters in computer science, and she is currently pursuing her PhD with a concentration in information security at George Mason University. Her GCFW practical received honors recognition and was used as a case study in the book Network Perimeter Security: The Definitive Guide to Firewalls, VPNs, Routers, and Network Intrusion Detection by Stephen Northcutt (ISBN: 0735712328). Angela is a researcher, writer, and speaker for SANS Institute, where she has helped to develop and revise SANS course material and also serves as the Senior Mentor Coach for the SANS Local Mentor Program.

Preface; 1. Installation and Optimization; 1.1 Installing Snort from Source on Unix; 1.2 Installing Snort Binaries on Linux; 1.3 Installing Snort on Solaris; 1.4 Installing Snort on Windows; 1.5 Uninstalling Snort from Windows; 1.6 Installing Snort on Mac OS X; 1.7 Uninstalling Snort from Linux; 1.8 Upgrading Snort on Linux; 1.9 Monitoring Multiple Network Interfaces; 1.10 Invisibly Tapping a Hub; 1.11 Invisibly Sniffing Between Two Network Points; 1.12 Invisibly Sniffing 100 MB Ethernet; 1.13 Sniffing Gigabit Ethernet; 1.14 Tapping a Wireless Network; 1.15 Positioning Your IDS Sensors; 1.16 Capturing and Viewing Packets; 1.17 Logging Packets That Snort Captures; 1.18 Running Snort to Detect Intrusions; 1.19 Reading a Saved Capture File; 1.20 Running Snort as a Linux Daemon; 1.21 Running Snort as a Windows Service; 1.22 Capturing Without Putting the Interface into Promiscuous Mode; 1.23 Reloading Snort Settings; 1.24 Debugging Snort Rules; 1.25 Building a Distributed IDS (Plain Text); 1.26 Building a Distributed IDS (Encrypted); 2. Logging, Alerts, and Output Plug-ins; 2.1 Logging to a File Quickly; ; 2.2 Logging Only Alerts; 2.3 Logging to a CSV File; ; 2.4 Logging to a Specific File; 2.5 Logging to Multiple Locations; ; 2.6 Logging in Binary; 2.7 Viewing Traffic While Logging; ; 2.8 Logging Application Data; 2.9 Logging to the Windows Event Viewer; 2.10 Logging Alerts to a Database; 2.11 Installing and Configuring MySQL; 2.12 Configuring MySQL for Snort; 2.13 Using PostgreSQL with Snort and ACID; 2.14 Logging in PCAP Format (TCPDump); 2.15 Logging to Email; 2.16 Logging to a Pager or Cell Phone; 2.17 Optimizing Logging; 2.18 Reading Unified Logged Data; 2.19 Generating Real-Time Alerts; 2.20 Ignoring Some Alerts; 2.21 Logging to System Logfiles; 2.22 Fast Logging; 2.23 Logging to a Unix Socket; 2.24 Not Logging; 2.25 Prioritizing Alerts; 2.26 Capturing Traffic from a Specific TCP Session; 2.27 Killing a Specific Session; 3. Rules and Signatures; 3.1 How to Build Rules; 3.2 Keeping the Rules Up to Date; 3.3 Basic Rules You Shouldn't Leave Home Without; 3.4 Dynamic Rules; 3.5 Detecting Binary Content; 3.6 Detecting Malware; 3.7 Detecting Viruses; 3.8 Detecting IM; 3.9 Detecting P2P; 3.10 Detecting IDS Evasion; 3.11 Countermeasures from Rules; 3.12 Testing Rules; 3.13 Optimizing Rules; 3.14 Blocking Attacks in Real Time; 3.15 Suppressing Rules; 3.16 Thresholding Alerts; 3.17 Excluding from Logging; 3.18 Carrying Out Statistical Analysis; 4. Preprocessing: An Introduction; 4.1 Detecting Stateless Attacks and Stream Reassembly; 4.2 Detecting Fragmentation Attacks and Fragment Reassemblywith Frag2; 4.3 Detecting and Normalizing HTTP Traffic; 4.4 Decoding Application Traffic; 4.5 Detecting Port Scans and Talkative Hosts; 4.6 Getting Performance Metrics; 4.7 Experimental Preprocessors; 4.8 Writing Your Own Preprocessor; 5. Administrative Tools; 5.1 Managing Snort Sensors; 5.2 Installing and Configuring IDScenter; 5.3 Installing and Configuring SnortCenter; 5.4 Installing and Configuring Snortsnarf; 5.5 Running Snortsnarf Automatically; 5.6 Installing and Configuring ACID; 5.7 Securing ACID; 5.8 Installing and Configuring Swatch; 5.9 Installing and Configuring Barnyard; 5.10 Administering Snort with IDS Policy Manager; 5.11 Integrating Snort with Webmin; 5.12 Administering Snort with HenWen; 5.13 Newbies Playing with Snort Using EagleX; 6. Log Analysis; 6.1 Generating Statistical Output from Snort Logs; 6.2 Generating Statistical Output from Snort Databases; 6.3 Performing Real-Time Data Analysis; 6.4 Generating Text-Based Log Analysis; 6.5 Creating HTML Log Analysis Output; 6.6 Tools for Testing Signatures; 6.7 Analyzing and Graphing Logs; 6.8 Analyzing Sniffed (Pcap) Traffic; 6.9 Writing Output Plug-ins; 7. Miscellaneous Other Uses; 7.1 Monitoring Network Performance; 7.2 Logging Application Traffic; 7.3 Recognizing HTTP Traffic on Unusual Ports; ; 7.4 Creating a Reactive IDS; 7.5 Monitoring a Network Using Policy-Based IDS; 7.6 Port Knocking; 7.7 Obfuscating IP Addresses; 7.8 Passive OS Fingerprinting; 7.9 Working with Honeypots and Honeynets; 7.10 Performing Forensics Using Snort; 7.11 Snort and Investigations; 7.12 Snort as Legal Evidence in the U.S.; 7.13 Snort as Evidence in the U.K.; 7.14 Snort as a Virus Detection Tool; 7.15 Staying Legal; Index