Intrusion Detection with Snort

Jack Koziol

Publisher: SAMS, 2003, 340 pages

ISBN: 1-57870-281-X

Keywords: IT Security

Last modified: May 15, 2021, 1:24 a.m.

The authoritative guide to the Snort intrusion detection system

Snort is the most popular open-source intrusion detection system. With more than 100,000 installations worldwide, it has become one of the hottest security applications available. By meeting and beating the majority of the features and the raw performance of multimillion-dollar commercial intrusion detection systems, and by strictly adhering to the open-source model of public distribution free of cost, Snort has gained rapid acceptance in both enterprise and small office/home environments.

Intrusion Detection with Snort is a hands-on guide to designing, installing, and maintaining a Snort deployment in networks of all sizes. Real-world examples that get you through such critical tasks as sensor placement, real-time alerting, and tuning are presented in an easy-to-follow manner that allows you to develop a rapid understanding of how to use Snort.

Intrusion Detection with Snort includes a comprehensive walk-through that covers the installation and configuration of Snort on many different platforms, the selection and deployment of a Snort management GUI, and a detailed examination of Snort's internals, including the Snort preprocessors. Advanced topics, such as Snort rule writing, upgrading, and using Snort as an intrusion prevention device are covered as well.

  1. Intrusion Detection Primer
    • IDSs Come in Different Flavors
      • Host-Based IDS
      • Network-Based IDS
      • A Mixed Approach
    • Methods of Detecting Intrusions
      • Signature Detection
      • Anomaly Detection
      • Integrity Verification
    • Origins of Attacks
      • External Threats
      • Internal Threats
    • Orchestrating an Attack
      • Planning Phase
      • The Reconnaissance Phase
      • The Attack Phase
      • Post-Attack Phase
    • The IDS Reality
      • IDSs Cannot Detect Every Attack
      • Intrusion Detection is Reactive
      • Deploying and Maintaining Is Difficult
    • Summary
  2. Intrusion Detection with Snort
    • Snort's Specification
      • Requirements
      • Bandwidth Considerations
      • Snort Is an Open Source Application
    • Detecting Suspicious Traffic via Signatures
      • Out of Spec Traffic
      • Detecting Suspicious Payloads
      • Detecting Specific Protocol Elements
      • Extending Coverage with Custom Rules
    • Detecting Suspicious Traffic via Heuristics
    • Gathering Intrusion Data
      • Assessing Threats
      • Preprocessors
      • Non-Signature-Matching Detection
    • Alerting via Output Plug-ins
      • Aggregating Data
      • Logging with the Unified Format and Barnyard
      • Alerting
    • Prioritizing Alerts
      • No Prioritization
      • Hard-coded Prioritization
      • Customizable Prioritization
    • Distributed Snort Architecture
      • First Tier — The Sensor Tier
      • Second Tier — The Server Tier
      • The Third Tier — The Analyst's Console
    • Securing Snort
    • Shortcomings
      • Flexibility Breeds Complexity
      • Problems with False Positives
      • Marketplace Factors
    • Summary
  3. Dissecting Snort
    • Feeding Snort Packets with Libpcap
      • Packet Decoder
    • Preprocessors
      • frag2
      • stream4
      • stream4-reassemble
      • HTTP_decode
      • RPC_decode
      • BO
      • telnet_decode
      • ARPspoof
      • ASN1_decode
      • fnord
      • conversation
      • portscan2
      • SPADE
    • The Detection Engine
    • Output Plugins
      • Alert_fast
      • Alert_full
      • Alert_smb
      • Alert_unixsock
      • Log_tcpdump
      • CSV
      • XML
      • Alert_syslog
      • Database
      • Unified
    • Summary
  4. Planning for the Snort Installation
    • Defining an IDS Policy
      • Malicious Activity
      • Suspicious Activity
      • Abnormal Activity
      • Inappropriate Activity
    • Deciding What to Monitor
      • External Network Connections
      • Internal Network Chokepoints
      • Critical Computing Resources
    • Designing Your Snort Architecture
      • Three-Tier
      • Single Tier
      • Monitoring Segment
    • Planning for Maintenance
    • Incident Response Plan
      • The Objective
      • Establishing a Notification Chain
    • Responding to an Incident
      • Identifying an Incident
      • Classifying the Incident
      • Gathering Evidence
    • Restoring to a Normal State
      • Testing the Plan
    • Summary
  5. The Foundation — Hardware and Operating Systems
    • Hardware Performance Metrics
      • Ruleset and Configuration Settings
    • Picking a Platform
    • The Monitoring Segment
      • Inline Hub
      • SPAN Ports
      • Taps
    • Distributing Traffic to Multiple Sensors
    • Summary
  6. Building the Server
    • Installation Guide Notes
    • Red Hat Linux 7.3
      • Partitioning Strategy
      • Network Configuration
      • Firewall Configuration
      • Time Zone Selection
      • Account Configuration
      • Package Group Selection
    • Post-Installation Tasks
      • Bastille Linux
    • Installing the Snort Server Components
      • Installing OpenSSL
      • Installing Stunnel
      • Installing OpenSSH
      • Downloading Apache
      • Installing MySQL
      • Configuring mod_ssl
      • Installing gd
      • PHP
      • Installing Apache
      • Installing ADODB
      • Installing ACID
    • Summary
  7. Building the Sensor
    • Installation Guide Notes
      • Red Hat Linux 7.3
      • Post-Installation Tasks
    • Installing the Snort Sensor Components
      • Installing libpcap
      • Installing tcpdump
      • Installing OpenSSL
      • Installing Stunnel
      • Installing OpenSSH
      • Installing the MySQL Client
      • Installing NTP
    • Installing Snort
      • Configuring snort.conf
      • Running Snort
    • Implementing Barnyard
      • Configuring barnyard.conf
      • Running Barnyard
      • Automating with barnyard.server
    • Summary
  8. Building the Analyst's Console
    • Windows
      • Installing SSH
      • Web Browser
    • Linux
      • Installing OpenSSH
      • Web Browser
    • Testing the Console
    • Working with ACID
      • Searching
      • Alert Groups
    • Summary
  9. Additional Installation Methods
    • The Hybrid Server/Sensor
    • Snort on OpenBSD
      • SnortSnarf
    • Snort on Windows
      • Setting Up the Windows Installation
      • Installing the Underlying Programs
      • Installing the Snort Application
      • Installing IDScenter
    • Summary
  10. Tuning and Reducing False Positives
    • Pre-Tuning Activities
    • Tuning the Network for Snort
    • Filtering Traffic with Snort
      • Network Variables
      • BPFs
    • Tuning the Preprocessors
      • bo
      • arpspoof, asn1_decode, and fnord
      • frag2
      • stream4
      • stream4_reassemble
      • http_decode, rpc_decode, and telnet_decode
      • portscan2 and conversation
    • Refining the Ruleset
      • chat.rules
      • ddos.rules
      • ftp.rules
      • icmp-info.rules
      • icmp-info.rules
      • info.rules
      • misc.rules
      • multimedia.rules
      • other-ids.rules
      • p2p.rules
      • policy.rules
      • porn.rules
      • shellcode.rules
      • virus.rules
    • Organize Your Rules
    • Designing a Targeted Ruleset
      • Limitations in the Targeted Ruleset
    • Tuning MySQL
    • Tuning ACID
      • Archiving Alerts
      • Deleting Alerts
      • Tuning the Caching Features
    • Summary
  11. Real-Time Alerting
    • An Overview of Real-Time Alerting with Snort
    • Prioritization of Alerts
      • Incidents
      • Targeted Attacks
      • Custom Rules
      • Prioritizing with classification.config
      • The priority Option
    • Alerting with the Hybrid
      • Installing Swatch
      • Configuring Swatch
      • -c
      • --input-record-separator
      • -p
      • -t
      • --daemon
    • Alerting with Distributed Snort
      • Configuring Snort and Installing Sendmail
      • Installing syslog-ng on a Sensor
      • Configuring syslog-ng for the Sensor
      • Installing Syslog-ng for the Server
      • Configuring Syslog-ng for Real-Time Alerting
      • Encrypting Syslog-ng Sessions with Stunnel
    • Summary
  12. Basic Rule Writing
    • Fundamental Rule Writing Concepts
    • Rule Syntax
      • The Rule Header
      • The Rule Option
    • Writing Rules
      • Modifying an Existing Rule
      • Creating a New Rule by Using Network Knowledge
      • Creating a New Rule by Using Traffic Analysis
    • Summary
  13. Upgrading and Maintaining Snort
    • Choosing a Snort Management Application
    • IDS Policy Manager
      • Installing
      • Configuring
    • SnortCenter
      • Installing SnortCenter
      • The SnortCenter Sensor Agent
      • Configuring
    • Upgrading Snort
    • Summary
  14. Advanced Topics in Intrusion Prevention
    • A Warning Concerning Intrusion Prevention
    • Planning an Intrusion Prevention Strategy
      • Unpatched Servers
      • New Vulnerabilities
      • Publicly Accessible High-Priority Hosts
      • Rules That Never Create a False Positive
    • Snort Inline Patch
      • Installing Snort Inline Patch
      • Configuring
      • Writing Rules for Inline Snort
      • Building the Ruleset
    • SnortSam
      • Installing SnortSam
      • Configuring
      • Inserting Blocking Responses into Rules
    • Summary
  1. Troubleshooting
    • Snort Issues
      • How Do I Run Snort on Multiple Interfaces?
      • Snort Complains About Missing Reference During Compilation. What Causes This?
      • Portscan Traffic Is Not Showing Up in ACID or the Intrusion Database. What Is Wrong?
      • Why Isn't Snort Logging Packet Payloads?
      • The Setup I Have Specified in the snort.conf File Is Not Being Used by Snort
      • Why Am I Still Receiving Portscan Alerts from Hosts Specified in the portscan2-ignorehosts Directive?
      • When I Start Snort, I Notice Errors Relating to My Rules Files. What Is Causing This?
      • I Wrote a Pass Rule, but Snort Still Generates Alerts. What Is Wrong?
      • Where Can I Turn for Additional Help?
    • ACID Issues
      • Why Are All the ACID Pages Displaying Raw HTML?
      • I'm Receiving Errors Pertaining to ADODB. How Do I Check to Make Sure It Is Installed Correctly?
      • I Get a Parse Error in acid_conf.php on Line XXX When Attempting to Open ACID. How Can I Fix This?
      • I Am Trying to Use an Email System Other Than Sendmail to Send Alerts, but Emails Never Arrive.
    • IDS Strategy
      • How Can I Detect "Slow" Scans?
      • Is There Anything I Can Do to Prevent Portscanning Activity?
      • I'm Noticing a Lot of ICMP Destination Unreachable Alerts. Is This Something I Should Be Concerned About?
  2. Rule Documentation
    • Not Suspicious Traffic
    • Unknown Traffic
    • Potentially Bad Traffic
    • Attempted Information Leak
    • Attempted Denial of Service
    • Attempted User Privilege Gain
    • Unsuccessful User Privilege Gain
    • Attempted Administrator Privilege Gain
    • Successful Administrator Privilege Gain

Reviews

Intrusion Detection with SNORT

Reviewed by Roland Buresund

Good ******* (7 out of 10)

Last modified: May 21, 2007, 3:09 a.m.

All the nitty-gritty about Snort that you wanted (or did not want) to know. It is a bit talkative, but if you can live with that, it is a good book, especially as the author tries to explain how to DEPLOY Snort, not just use it.
