Intrusion Detection with Snort
What Koziol implies throughout Intrusion Detection with Snort, but never states outright, is that Snort holds an inherent advantage over closed-source IDSs: the IDS itself can be tailored and customized for each individual deployment to a degree not possible with closed-source competitors. If you have had the displeasure of working with a rigid, uncustomizable IDS, you already know where this is going ...
In order for an IDS to be effective, or in some high-bandwidth cases even usable, detailed network and business context must be applied to it. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want it to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic on that segment is itself suspicious, in which case it is worth alerting on any HTTP traffic at all. It all depends on what you consider legitimate threats to the network you are attempting to protect. Snort gives you the power to watch for specific attacks, protocol anomalies, or other chatter that has no legitimate business on your network. Closed-source IDSs don't, or can't, offer the same flexibility; with Snort you can implement something as detailed as "Send a page to the CISO's phone if this particular subnet attacks these Apache servers with the chunked encoding exploit."
With Snort, novices can easily write attack signatures (called rules), enable or disable specific protocol decoders, and detect advanced attacks such as exploits using polymorphic shellcode. Without this level of flexibility, you are likely to be flooded with alerts that are not relevant or, even worse, to miss an actual attack that causes irreparable data loss.
Like many open source applications, Snort's biggest downfall has been documentation. Who wants to write boring user manuals when he can write code, right? Well, that's all fine and dandy for Snort developers, but folks who want to actually use all of the neat features can't, unless someone tells them the features are there and how to use them. Intrusion Detection with Snort bridges this gap, offering a clear, concise guide to planning, implementing and maintaining a Snort-based IDS.
Another oft-cited problem with Snort, which Intrusion Detection with Snort also addresses, is its lack of features not directly related to detection itself. In essence, Snort's developers have concentrated on creating the world's best application for detecting unauthorized activity and left everything else to other applications. If you want to organize and manage the alerts Snort generates, you have to use another application (ACID). If you want alerts via email or pager, you need another tool (swatch or syslog-ng). If you want to centrally manage attack signatures for multiple Snort installations, guess what? You need another tool (IDS Policy Manager or SnortCenter). Finding, installing, and getting all of these tools to work together can be frustrating, so Koziol walks us through these issues, and in the end we have an IDS rivaling the expensive commercial solutions.
On to the nitty-gritty of the book. Essentially, this book is organized into three logical sections, even though the author did not mark these divisions in print. The first section introduces intrusion detection in general and the features of Snort. The second section is a detailed installation guide, which walks through setting up and installing the various components of a distributed Snort deployment. The final section focuses on post-installation and maintenance tasks, as well as advanced topics.
In the first section, the different breeds of IDS (host and network) are honestly presented, with Koziol acknowledging in some detail the major shortcomings of IDS technology. The book then describes Snort in great detail and in an unbiased fashion; other books on this subject written by Snort contributors are less forthcoming about Snort's disadvantages. The inner workings of Snort (such as the packet decoders and libpcap) and the largely undocumented preprocessors are described in detail, with tons of real-world examples. The examples are somewhat current, describing exploits commonly found 6-18 months ago. Although the actual exploits found in the wild change over time, the strategies for discovering them with Snort should remain relatively constant. The book then moves into the activities required in planning a Snort-based IDS installation. Some of this is common sense for experienced security practitioners, such as establishing an incident response plan (the "Oh shit, I've been hacked, what do I do now!?!?" plan), but it is relevant for novices. Other topics introduced in this section are:
Sensor placement: where to place an IDS from a network design perspective for maximum benefit.
Inserting a sensor into an in place network: covers using taps, span ports, and dedicated hubs.
Specific hardware and OS considerations: basically, why a flavor of Unix is best for Snort.
Creating a unidirectional sniffing cable: a receive-only cable that lets the sensor listen but never transmit, minimizing the risk that the IDS segment itself becomes a way in.
The second section is a detailed guide to building a distributed, or 3-tiered, Snort IDS. Getting the three components up and working on Linux takes up the bulk of this section: the sensor (where Snort is actually installed), the server (database, alert management, and reporting), and the analyst console (a secure place from which to reach the other components and keep config files and scripts). The analyst console chapter walks through the ever-popular Analysis Console for Intrusion Databases (ACID). Attention is paid to a secured setup that encrypts traffic between the various sensors, servers, and consoles. Various packages and tools are described, as is condensing all of the Snort tiers onto one physical box. Installing and configuring on Windows is covered as well, although that setup is not explained as thoroughly as the others.

The third and final section picks up where most books that deal with a specific application or software package too often leave off, namely keeping the damn thing working. A chapter is dedicated to tuning Snort and to the thresholds that can be configured to balance benefit against performance. Getting real-time alerting via email working with ancillary tools gets a dedicated chapter. Developing a targeted ruleset (a set of automagically generated signatures that will only fire on attacks that have the potential to succeed against the hosts actually present) using a custom shell script is also described.
A very important topic in Snort administration, writing custom rules (attack signatures), gets its own chapter. The syntax for creating rules is clearly described, followed by concrete examples. The book works through writing rules by reading raw packet captures (last year's Slapper worm is a particularly good example). This is followed by upgrading and managing rules, which is highly useful if you have a number of Snort installations to look after. Finally, Intrusion Detection with Snort closes with a chapter on advanced topics, primarily the latest fad, 'intrusion prevention.' Snort can be made into an IPS device via packet scrubbing or shunting. For packet scrubbing, the Snort Inline patch is used: the box is placed in line between a trusted and an untrusted network, and packets that match specifically written rules are dropped rather than merely logged. Shunting is accomplished with SnortSam, which sends a request to a border router or firewall to block an attacking IP address for a predetermined period of time. The caveat with shunting is that a block keyed on source address can be triggered by spoofed packets, so a whitelist of addresses that must never be blocked belongs in any sane deployment.
Overall, Jack Koziol's Intrusion Detection with Snort is a viable text for learning intrusion detection with the world's premier open source IDS. It is light on diagrams and pictures, but it still comes highly recommended from this reviewer.
You can purchase Intrusion Detection with Snort from bn.com.
To be honest, I only noticed this book because it had Bruce Perens' name on it. It is a good book, regardless of what you think of Bruce (does anybody *not* like him? why?). It's concise, and the included scripts look like they do what you need them to do. They also go over what the scripts do, how they work, etc.
Natch, the scripts are available online, so no need to retype them in.
Do you even lift?
These aren't the 'roids you're looking for.
Someone could write an IDS that does something better than Snort in one or two areas, but it would take quite some time to build the same breadth that Snort has. Plus, Snort has good community support behind it, and the rule format is a de facto standard. Ever notice that most of the commercial IDS products support Snort rules?
Point being that I don't think Snort is going away any time soon.
I installed Snort, then realized that the rules were just too much to learn in one sitting. I still have not had time to play with it to learn how to set up the rules. I wish there was a curses-based GUI for remote admin.
Only 'flamers' flame!
Does slashdot hate my posts?
Just wanted to add my .02 to the mention of Snort 2.0 Intrusion Detection from Syngress. I was brand new to Snort; my boss came home from a conference where he heard people were using Snort and wondered why we weren't. So I picked up the book, and it was a great book to learn from. Also, comments from the Snort mailing list are another great place to learn more. But you all probably know that stuff already.
This is *way off topic*, but someone must know the answer. I'm noticing tons of default.ida and cmd.exe type IIS "hack" attempts on my Apache boxes. They obviously don't work, but some of these guys are damned persistent and go over and over and over again. I'd like to be able to change my packet filtering rules to send them to /dev/null or something. It would be great to do this as soon as it happens, but something running on a 5-minute cron would be fine too.
Snort in and of itself is not capable of "cleaning" traffic, as you call it. But, as stated in the article, it can't send email alerts by itself either. However, by combining Snort with other applications it becomes increasingly powerful. If you want email alerts, you use swatch and mailx.
If you want your traffic "cleaned", then you must use Snort in combination with iptables as an inline firewall. This allows Snort to drop, block, or reroute malicious traffic. At this point, Snort is no longer an IDS but is instead an Intrusion Prevention System (IPS), the latest buzzword acronym to infest the IT world.
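The cron-driven alternative asked about above (scan the Apache log, then add packet-filter rules for the repeat offenders), worked through as an added example that is not part of any post here and is neither Snort's nor the book's code. Assumptions: Common Log Format lines with the client address in the first field, the two probe markers from the question (default.ida and cmd.exe), IPv4 sources, a threshold of two hits before a host is blocked, and iptables as the packet filter. The log lines are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_OFFENDERS 64
#define IP_LEN 16   /* dotted-quad IPv4 plus NUL; longer (IPv6) fields are skipped */

typedef struct {
    char ip[IP_LEN];
    int hits;
} Offender;

/* Substrings that mark IIS-only probe traffic arriving at an Apache host.
   Assumption: these two markers from the question are sufficient. */
static const char *const PROBE_MARKERS[] = { "default.ida", "cmd.exe", NULL };

/* Returns 1 if the log line carries one of the probe markers, else 0. */
int is_iis_probe(const char *logline) {
    for (int i = 0; PROBE_MARKERS[i] != NULL; i++)
        if (strstr(logline, PROBE_MARKERS[i]) != NULL)
            return 1;
    return 0;
}

/* Copies the leading client address (CLF field 1) into out; 0 if it does not fit. */
static int extract_client_ip(const char *logline, char *out, size_t outlen) {
    size_t n = strcspn(logline, " ");
    if (n == 0 || n >= outlen)
        return 0;
    memcpy(out, logline, n);
    out[n] = '\0';
    return 1;
}

/* Tallies probe hits per client IP; returns the number of distinct offenders recorded. */
int tally_probes(const char *const lines[], int nlines, Offender out[], int maxout) {
    int count = 0;
    for (int i = 0; i < nlines; i++) {
        char ip[IP_LEN];
        if (!is_iis_probe(lines[i]) || !extract_client_ip(lines[i], ip, sizeof ip))
            continue;
        int j;
        for (j = 0; j < count; j++) {
            if (strcmp(out[j].ip, ip) == 0) { out[j].hits++; break; }
        }
        if (j == count && count < maxout) {
            strcpy(out[count].ip, ip);   /* ip is shorter than IP_LEN by construction */
            out[count].hits = 1;
            count++;
        }
    }
    return count;
}

/* Writes one iptables DROP rule per offender at or above threshold; returns rules written. */
int emit_block_rules(const Offender off[], int n, int threshold, FILE *fp) {
    int written = 0;
    for (int i = 0; i < n; i++) {
        if (off[i].hits < threshold)
            continue;
        fprintf(fp, "iptables -I INPUT -s %s -j DROP   # %d probe(s)\n", off[i].ip, off[i].hits);
        written++;
    }
    return written;
}

/* Constructed sample log lines (documentation addresses, not real traffic). */
static const char *const SAMPLE_LOG[] = {
    "203.0.113.7 - - [01/Jun/2003:10:00:01 -0400] \"GET /default.ida?XXXX HTTP/1.0\" 404 276",
    "203.0.113.7 - - [01/Jun/2003:10:00:02 -0400] \"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 286",
    "198.51.100.9 - - [01/Jun/2003:10:00:03 -0400] \"GET /index.html HTTP/1.1\" 200 1043",
    "203.0.113.7 - - [01/Jun/2003:10:00:04 -0400] \"GET /_vti_bin/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\" 404 286",
    "192.0.2.44 - - [01/Jun/2003:10:00:05 -0400] \"GET /default.ida?NNNN HTTP/1.0\" 404 276",
};
#define SAMPLE_LOG_LEN (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

int main(void) {
    Offender off[MAX_OFFENDERS];
    int n = tally_probes(SAMPLE_LOG, SAMPLE_LOG_LEN, off, MAX_OFFENDERS);
    /* Only 203.0.113.7 (3 hits) crosses the threshold; 192.0.2.44 (1 hit) is left alone. */
    emit_block_rules(off, n, 2, stdout);
    return 0;
}
```

Run it from cron over the tail of the access log and pipe the output to sh. Two practical cautions: the rules accumulate, so insert them into a dedicated chain that the same job flushes periodically, and keep a whitelist of addresses that must never be dropped, because a NATed office or a spoofed source can otherwise get legitimate users blocked.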
Want something that will do that?
Check out Hogwash
Also, a buddy of mine hacked hogwash to support IP tables a while back (no extra hogwash box necessary).
..if snort could be modified to be a web application error detection system. load it up with rules governing common errors that -- let's admit it now -- we don't always do a good job of coding into our actual applications.
In my broadband cable modem acceptable use policy, it says I can't run packet sniffers or analyzers for ANY purpose whatsoever. So can I run this snort program? I'd like to know if someone is trying to get into my comp.
"Can't go wrong"? Where have I heard that before?
Clearly, an IDS can be part of a well-designed network, and Snort certainly seems like a decent IDS, especially when you look at the cost. However, there are circumstances in which it (or any other IDS) just doesn't add enough security to be worth the administrative burden and additional risk. For a small office where the only services exposed to the Net are SMTP and HTTP, running on boxen with a mature, proven IP stack and a decent OS (think OpenBSD), set up to log like a bastard to a hardened internal loghost, an IDS may well be unnecessary. In part, it depends on your threat model; here, I am assuming the bad guys are all on the outside, for example. In short, think about what you need for your situation; don't just drop in an IDS because it is a no-brainer.
I've run Snort for a little over a year and a half. I love it, but this book will probably be out of date in a month or two. We've seen versions 1.6 through 2.0 released within a year's time. Some large changes were made along the way as well.
The basics won't change much, but I wonder.
I wonder if the book covers some of the great add-ons available like ACID, Barnyard, and SnortSnarf?
Why worry? Each of us is wearing an unlicensed "nucular" accelerator on his back.
Sig changed for readability by G.W.
1. Installing on a switched network. For example, we have about 30 switches, so there is no one place that has visibility to all traffic.
2. Using it to detect virus signatures on the network?
The reason you couldn't find a reference to back you up is that, as edhall pointed out, sizeof(void*) is not guaranteed to be sizeof(int). For example, on an Alpha machine:
You will notice the plain 'unsigned' there; that's the problem in Snort. You really wouldn't want plain ints to be 64-bit anyway, for performance reasons. I wish you were right and they just used a typedef in their header files, but they don't. For example, Snort for me crashes in the function:

    static int otnx_match( unsigned id, int index, void * data)
    {
        ...
        PMX *pmx = (PMX*)id;
        RULE_NODE *rnNode = (RULE_NODE*)(pmx->RuleNode);
        ...

You will notice that id is just plain 'unsigned', no typedef. Then it is cast to a pointer, the pointer is then dereferenced, and in my case the upper bits are important, so Snort crashes.
The main problem is that the Snort code is littered with tons of bad coding like this, which just makes it prime to be exploited. Granted, you minimize exploits by chrooting it and running it with non-root privileges (is that even currently possible with Snort?), but it still makes it completely unusable on 64-bit machines like Alphas.
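The truncation this post describes, worked through as an added example that is neither Snort's code nor the poster's. The two structs are stand-ins carrying only the one field the snippet touches (an assumption; the real layouts differ), and otnx_match_fixed is a hypothetical rewrite showing the shape that survives LP64: the id parameter is carried as uintptr_t, which the C standard guarantees is wide enough to hold a pointer, instead of plain unsigned, which on Alpha and x86-64 is half the width of a pointer.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-ins for the two Snort structures named in the post (assumption: shapes only). */
typedef struct { int rule_id; } RULE_NODE;
typedef struct { RULE_NODE *RuleNode; } PMX;

/* Returns 1 if an address value survives a round trip through plain `unsigned`.
   On LP64 (x86-64, Alpha) sizeof(unsigned) is 4 and sizeof(void *) is 8, so any
   address above 4 GiB loses its upper bits here; on ILP32 it always survives. */
int address_fits_unsigned(uintptr_t addr) {
    unsigned narrow = (unsigned)addr;        /* the truncation the post complains about */
    return (uintptr_t)narrow == addr;
}

/* Same round trip through uintptr_t, the integer type sized for pointers. */
int address_fits_uintptr(const void *p) {
    uintptr_t wide = (uintptr_t)p;
    return (const void *)wide == p;
}

/* Hypothetical corrected callback: id is a uintptr_t, so casting it back to
   PMX * is lossless and the dereference below reaches the real object. */
static int otnx_match_fixed(uintptr_t id, int index, void *data) {
    (void)index;
    (void)data;
    PMX *pmx = (PMX *)id;
    RULE_NODE *rnNode = pmx->RuleNode;
    return rnNode->rule_id;
}

/* Simulates the matcher handing the PMX back through the id parameter. */
int lookup_rule_id(PMX *pmx) {
    return otnx_match_fixed((uintptr_t)pmx, 0, NULL);
}

int main(void) {
    RULE_NODE rn = { 42 };
    PMX pmx = { &rn };
    printf("sizeof(unsigned)=%zu sizeof(void*)=%zu\n", sizeof(unsigned), sizeof(void *));
    printf("stack PMX survives unsigned: %d, survives uintptr_t: %d\n",
           address_fits_unsigned((uintptr_t)&pmx), address_fits_uintptr(&pmx));
    printf("rule id via fixed callback: %d\n", lookup_rule_id(&pmx));
    return 0;
}
```

Compiling the original pattern with -Wall on a 64-bit target produces a "cast to pointer from integer of different size" warning at exactly the line the poster quotes, which is the cheapest way to find every other instance of it in a code base.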
I have no spanning capabilities on my switch, and I'm not about to put some $40 CompUSA hub on my production network, so the only real choice for me is an Ethernet tap. However, I'm having a very difficult time finding schematics for building a 100 Mbit Ethernet tap. The best I could find is this brief PDF that discusses a bidirectional tap. Unfortunately, this method also requires a spanning port on a switch.
I've found commercial Ethernet taps for sale, but they all cost upwards of $400. Surely there is a way to build one of these in a home workshop. Does anyone have schematics?
Chris