Intrusion Detection with Snort
What Koziol implies throughout Intrusion Detection with Snort, but never states outright, is that Snort holds an inherent advantage over closed source IDSs: the IDS itself can be tailored and customized for each individual deployment to a degree not possible with closed source competitors. If you have had the displeasure of working with a rigid, uncustomizable IDS, you already know where this is going ...
In order for an IDS to be effective, or in some high-bandwidth cases even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic on that segment is innately suspicious, so it is of value to watch for any HTTP traffic at all. It all depends on what you consider legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other, closed source IDSs don't, or can't, offer the same flexibility. Only Snort can implement something as detailed as "Send a page to the CISO's phone if this particular subnet attacks these Apache servers with the chunked encoding exploit."
With Snort, novices can easily write attack signatures (called rules), enable or disable specific protocol decoders, and detect advanced attacks such as exploits utilizing polymorphic shellcode. Without this level of flexibility, you are likely to be flooded with alerts that are not relevant, or, even worse, miss an actual attack that causes irreparable data loss.
Like many open source applications, Snort's biggest downfall has been documentation. Who wants to write boring user manuals when he can write code, right? Well, that's all fine and dandy for Snort developers, but folks who want to actually use all of the neat features can't, unless you tell them the features are there, and how to use them. Intrusion Detection with Snort bridges this gap, and offers a clear, concise guideline for planning, implementing and maintaining a Snort-based IDS.
Another oft-cited problem with Snort that Intrusion Detection with Snort addresses is the lack of Snort features that are not directly related to intrusion detection. In essence, Snort's developers have concentrated on creating the world's best application for detecting unauthorized activity, and left everything else to other applications. If you want to organize and manage the alerts generated by Snort you have to use another application (ACID). If you desire alerts via email or pager you need another tool (swatch or syslog-ng). If you want to centrally manage attack signatures for multiple Snort installations, guess what? You need another tool (IDS Policy Manager or SnortCenter). Finding, installing, and getting all of these tools to work right can be frustrating, so Koziol walks us through these issues, and in the end we have an IDS rivaling the expensive commercial solutions.
On to the nitty-gritty of the book. Essentially, this book is organized into three logical sections, even though the author did not choose to make these demarcations in print. The first section introduces us to intrusion detection in general and the features of Snort. The second section is a detailed installation guide, which walks through setting up and installing the various components of a distributed Snort setup. The final section focuses on post-installation and maintenance tasks, as well as advanced topics.
In the first section, the different breeds of IDS (host and network) are honestly presented, with Koziol acknowledging in great detail some of the major shortcomings of IDS technology. The book then moves to describing Snort in great detail in an unbiased fashion. Other books on this subject written by Snort contributors are less forthcoming about Snort's disadvantages. The inner workings of Snort (such as packet decoders and libpcap) and the largely undocumented preprocessors are described in detail, with tons of real-world examples. The examples are somewhat current, and describe exploits commonly found 6-18 months ago. Although the actual exploits found in the wild may change over time, the strategies for discovering them with Snort should remain relatively constant. The book then moves into the activities required in planning for a Snort-based IDS installation. Some of this is common sense for experienced security practitioners, such as establishing an incident response plan (the "Oh shit, I've been hacked, what do I do now!?!?"), but is relevant for novices. Other topics introduced in this section are:
Sensor placement: where to place an IDS from a network design perspective for maximum benefit.
Inserting a sensor into an in-place network: covers using taps, span ports, and dedicated hubs.
Specific hardware and OS considerations: basically, why a flavor of Unix is best for Snort.
Creating a unidirectional sniffing cable: allows network traffic to flow in a single direction, minimizing risk to an IDS segment.
The second section is a detailed guide to building a distributed or 3-tiered Snort IDS. Getting the three components up and working on Linux takes up the bulk of this section: the sensor (where Snort is actually installed), the server (database, alert management, and reporting server), and the analyst console (a secure place from which to access the other components and store config files and scripts). The analyst console chapter walks through the ever-popular Analysis Console for Intrusion Databases (ACID). Attention is paid to configuring a secured setup that encrypts traffic between the various sensors, servers, and consoles. Various packages and tools are described, as well as condensing all of the Snort tiers onto one physical box. Installing and configuring on Windows is covered as well, although this choice of setup is not as thoroughly explained as the others.
The third and final section picks up where most books that deal with a specific application or software package too often leave off, namely, keeping the damn thing working. A chapter is dedicated to tuning Snort, and to which thresholds can be configured to maximize benefit and performance. Getting real-time alerting via email working with ancillary tools is covered in a dedicated chapter. Developing a targeted ruleset (a set of automagically generated signatures that will only detect attacks that have the potential to be successful) using a custom shell script is described.
A very important topic in Snort administration, writing custom rules (attack signatures), gets its own chapter. The syntax for creating rules is clearly described, followed by concrete examples. The book works through writing rules by reading through raw packet captures (last year's Slapper worm is a particularly good example). This is followed by upgrading and managing rules, which is highly useful if you have a number of Snort installations to manage. Finally, Intrusion Detection with Snort closes with a chapter on advanced topics. The advanced topics chapter primarily covers the latest fad, 'Intrusion Prevention.' Snort can be made into an IPS device via packet scrubbing or shunting. For packet scrubbing, the Snort Inline patch is used and the box is placed in between a trusted and untrusted network, dropping packets that match specifically created rules. Shunting is accomplished with SnortSam, which basically sends a request to a border router or firewall to block an attacking IP address for a predetermined period of time.
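To make the rule syntax the review refers to concrete, here is an added example (not code from the book or from the Snort project) that parses a small subset of Snort's rule language and runs two constructed rules against a constructed packet: the first is one reading of the "this subnet attacks these Apache servers" rule mentioned earlier, keyed on a chunked request header, and the second watches for any HTTP on a segment that should carry none. The variable names $APACHE_SERVERS and $HOME_NET, their values, the rules and the packet are all assumptions; real Snort also handles port lists, hex content, many more options and much faster matching.

```python
import ipaddress
import re
# Hypothetical Snort variables; the values are constructed, not the page's or Snort's defaults.
RULE_VARS = {"$APACHE_SERVERS": "192.168.10.0/24", "$HOME_NET": "192.168.0.0/16"}
# Constructed rules in Snort 2.x syntax: the first is one reading of the review's "this subnet
# attacks these Apache servers" rule; the second flags any HTTP on a segment that should carry none.
SAMPLE_RULES = [
    'alert tcp 10.1.2.0/24 any -> $APACHE_SERVERS 80 (msg:"Chunked request to Apache";'
    ' content:"Transfer-Encoding: chunked"; nocase; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"HTTP on segment with no web servers"; sid:1000002;)',
]
# Constructed packet: a chunked POST from the watched subnet to one of the Apache hosts.
SAMPLE_PACKET = {"proto": "tcp", "src": "10.1.2.77", "sport": 40123, "dst": "192.168.10.5",
                 "dport": 80, "payload": b"POST /cgi HTTP/1.1\r\nTransfer-Encoding: CHUNKED\r\n\r\n"}
HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPTION = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?;')

def parse_rule(text):
    """Split one rule into header fields and options (subset: msg, content, nocase, sid)."""
    m = HEADER.match(text)
    if not m:
        raise ValueError("malformed rule: " + text)
    action, proto, src, sport, _direction, dst, dport, opts = m.groups()
    rule = {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "content": [], "nocase": False}
    for name, value in OPTION.findall(opts):
        value = value.strip().strip('"')
        if name == "content":
            rule["content"].append(value)  # several content: options must all match
        elif name == "nocase":
            rule["nocase"] = True
        else:
            rule[name] = value
    return rule

def _net_match(spec, ip):
    spec = RULE_VARS.get(spec, spec)  # expand $VAR, then accept 'any' or a CIDR block
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule, pkt):
    """Every header field must match, then every content string must occur in the payload."""
    if not (rule["proto"] == pkt["proto"] and rule["sport"] in ("any", str(pkt["sport"]))
            and rule["dport"] in ("any", str(pkt["dport"]))
            and _net_match(rule["src"], pkt["src"]) and _net_match(rule["dst"], pkt["dst"])):
        return False
    payload = pkt["payload"].lower() if rule["nocase"] else pkt["payload"]
    return all((c.lower() if rule["nocase"] else c).encode() in payload for c in rule["content"])

def alerts_for(pkt, rules=SAMPLE_RULES):  # sids of every rule that fires on one packet
    return [r["sid"] for r in map(parse_rule, rules) if rule_matches(r, pkt)]
```

Calling alerts_for(SAMPLE_PACKET) fires both rules, while the same request from a source outside 10.1.2.0/24 fires only the generic HTTP rule, which is exactly the tuning the review describes: the generic rule floods a busy web segment and belongs only where HTTP is unexpected.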
Overall, Jack Koziol's Intrusion Detection with Snort is a viable text for learning intrusion detection with the world's premier open source IDS. It is light on diagrams and pictures, but it still comes highly recommended from this reviewer.
You can purchase Intrusion Detection with Snort from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
I use snort in my network...and it's the fastest, cheapest (!) no-nonsense scanner out there. Beats out anything commercial I've seen, and it's open to boot. I know there's tons of features I never use...Maybe I should buy the book.
I haven't read Koziol's book. The other books the reviewer mentions are:
Snort 2.0 Intrusion Detection
Which is the one I helped out with, and:
Snort 2.0: The Complete Guide to Intrusion Detection
which isn't out yet. The Syngress book came out really well. Jeff, Dragos, and Jed are all really sharp guys, so I don't doubt their book will be good too, but it's not out quite yet.
The book I helped on has been getting really good reviews on Amazon, and sales have been great. It was written by some great guys from the Snort community, notably Brian Caswell who runs snort.org and Jay Beale, who people will probably recognize from the Bastille project.
The very BIG thing, is Snort will not "clean" or delete the infected message. It will simply report a problem.
Other than that, the snort engine can pretty much detect anything that has a signature to it.
I use ClarkConnect Linux for my firewall/router, which includes snort.
One thing: you need some relatively decent hardware for it to work, as it chews significant processing power sorting thru your packets, and even more CPU time to sort thru all your logs and generate an intrusion detection report.
On my K6-2 500MHz firewall with 256MB RAM on my home cable connection, it takes ~30 minutes at 100% CPU to generate a report.
..and I have to say it is the most powerful combo I've come across. Ease of adding/updating/removing snort rules, and an excellent interface for actually viewing the data in a meaningful manner. I'd highly recommend this combination to get the most out of your IDS.
Everyone is entitled to their own opinion. It's just that yours is stupid.
Don't forget that this open source project runs on Windows too. Setup will be a bit strange for non-linuxers, but it does work fine. Add the Snortcenter GUI and you're pretty much fully point-and-clickified. But I prefer the command-line linux version. An interesting use is to track someone's particular e-mails....in a school district it proves valuable if a student is harassing someone, for example. Just set it up to log particular names, and voila...it spits out a daily report of what they've been saying.
Google is great, but there is nothing like picking up a well-organized resource book, especially when tying other modules (like ACID, MySQL, etc.) into the mix. Besides, when you can see information in a single, coherent, organized form, you are able to get a much better feel for the big picture, instead of just the pieces of the puzzle as separate components.
And it never hurts to have a bookshelf packed with technical reference manuals behind your desk for when the PHBs walk in ;-)
"terrorism" and "pedophilia" are the root passwords to the Constitution
If you run a Linux/Unix/not-Windows server, then install these programs, run them, and actually pay attention to them.
Snort runs just dandy on Windows 2000. So that's not an excuse to not run an IDS.
I do wish there was an open free tripwire version for windows. For that you need to shell out the bucks.
The first couple of days covered TCP/IP packet composition and attacks. There were then a couple of days about installing and using Snort (taught by Marty Roesch, creator of Snort). It really taught how to use and get value out of your IDS, including a lot of real-world examples from people who use it at sites attacked a lot more frequently than mine.
Highly Recommended.
http://www.sans.org
Months, huh? So one could assume it's been on your network since before April of this year? Guess what! You've got yourself a remote root exploit!
http://www.securityfocus.com/archive/1/320148
Using any plugins? You've probably got more than one:
http://www.securityfocus.com/archive/1/318669
And this is just going back to April.
So, in conclusion, you have a remote root 'sploit on your network and "wouldnt even know its there unless I told you".
I haven't bothered to look into the ways of snort too much, but it's built into smoothwall. I've learned at least one thing from it.... I still get hit with Code Red attacks multiple times a day!
/bin/fortune | slashdotsig.sh
Also, the source to the first two books in my series is now online at phptr.com/perens.
Thanks
Bruce
Bruce Perens.
...some of these guys are damned persistent...
Heh, they aren't guys, they're worms. The persistent ones probably share two or three octets of your IP address. The default.ida attacks are from Code Red variants and the cmd.exe attacks are from Nimda. Both attack IPs somewhat randomly but are weighted to attack 'nearby' IPs far more frequently. It was a very effective tactic, too.
Those are unpatched infected IIS servers doing that. It's really sad. Code Red almost went away for a few months but now I'm getting more Code Red hits than Nimda, but I see both every day. The SQL Slammer worm is still a daily occurrence, too.
(TCP port 1433 three SYNs in a row).
My 'intrusion detection' so far is from Apache and ipchains logs. I think I'll install Snort because I'm curious how many NetBIOS attacks I'm getting.
There is no possibility of any exploit if you only use snort as a sniffer on a separate NIC. In this case you have no IP configured for this NIC and you are only monitoring traffic. 100% Safe