Preface
This book explains how to manage your network's security using the open source tool Snort. The examples in this book are designed for use primarily on a Red Hat Linux machine. They should be fully functional on the latest Red Hat Enterprise Linux version as well as the latest Fedora release by Red Hat. All instructions were documented using the most recent Red Hat releases, patches, and software. The applications were configured using the default packages needed for a standard installation, and each machine was secured according to the latest errata.
The instructions in this book also apply to other Linux flavors, such as SuSE, Gentoo, and Debian, and to most Unix variants, including FreeBSD, OpenBSD, and Solaris. Many of the applications are available for download as source or as precompiled binaries. Since performance is often a consideration when deploying an IDS solution, you will probably find that building the applications from source yields the best results. If you do not have the time, desire, or need to build from source, the prebuilt packages should work just fine and install without trouble on most systems. Consult your Linux distribution or Unix-based operating system for further information regarding source compilation and installation. Snort binaries are also available for the Microsoft Windows platform, and instructions for running Snort on Windows are included.
Links to the applications and their respective web sites are provided throughout and at the end of the chapters. A compendium of all software programs and applications referenced is also included. Check all software sites regularly for the latest updates and information regarding their use. Many of the programs are under active development, and new versions are posted frequently. Some applications require an update with the release of new Linux versions. Stay current with the most recent release in order to avoid the vulnerabilities and security issues that appear in older versions over time.
Topics covered include:
Packet capture and analysis using a variety of command-line and GUI utilities.
An introduction to the interpretation of packet headers and content within an IDS environment.
The threats to your organization's technology assets.
Instructions for installing, configuring, tuning, and customizing an open source, enterprise-level network intrusion detection system (NIDS) for use in corporate and/or home office environments.
A discussion of ways to use Snort as a sniffer, as a network gateway that blocks malicious traffic, and as a passive IDS sensor.
Details on how to configure and tune your Snort IDS installation to maximize the effectiveness and minimize the labor involved in detecting and tracking down attacks.
An in-depth look at a variety of administration tools that assist in the management of the Snort IDS environment.
Strategies for deploying an IDS in switched, high-security, and high-bandwidth environments.
Audience
This book is designed for network, system, and security administrators of large-scale enterprises as well as managers of small businesses or home offices. The instructions should be readable for those with only a small amount of network and Unix experience, but also useful for experienced administrators with a varied background in networking and system administration. To be sure, the more experienced you are, the easier it will be to interpret the results generated by the Snort IDS.
About This Book
Snort can be used for a variety of applications, from acting as a simple network sniffer to an enterprise-class gateway intrusion detection system (IDS). This book discusses the various ways to use Snort, and methods of configuring, tuning, and customizing the application to best suit your environment. Implementing an IDS solution can be a labor-intensive and sometimes overwhelming project. This book helps streamline the processes of the initial setup and ongoing care and feeding of Snort.
All the source code discussed here is freely available for download off the Internet. I have avoided any software that is closed source, requires a license, or costs money. Though links and source code versions do change over time, every effort has been made to keep listings and release numbers for each application as up-to-date as possible. If you find the URL does not work as listed, please check with some of the major open source repositories: http://freshmeat.net and http://sourceforge.net. If you are unable to locate the applications, use a search engine such as http://www.google.com to find the program's new home or current web site.
Links to required libraries or associated applications are usually found on the home pages of most programs. For example, links to SnortCenter and Barnyard are found on the main Snort page at http://www.snort.org.
Now that you know what this book is about, here is what it's not about. This book is not a beginner's guide to packet analysis. It is intended to help you implement viable solutions to everyday intrusion detection problems. This book does not spend countless pages examining the nuances and vagaries of every type of fragmented packet or possible buffer overflow. Instead, it explains how to quickly capture a sampling of network traffic and look for the tell-tale signs that indicate hostile activity.
If you are searching for a theoretical manual that provides detailed insight into every possible security application or that explains how to dissect new intrusive packets, you won't find it here. This book deals with strategies and speedy implementations using a reasonable, common-sense approach. By the end of this book, the reader will understand that a network-based intrusion detection system is one part of a larger strategy of defense-in-depth. The book is based on the experience of a Network Security Engineer who has both attacked and defended very large corporate networks and systems. Whether you are looking for something to help secure your home network, or looking for an enterprise-class solution that can watch 2 Gbps of bandwidth in near-real-time, this book will help.
Assumptions This Book Makes
This book does not make too many demands on the average reader. It is written in an informal manner and is intended for most security administrators, whether they are using Linux (or another Unix offshoot like BSD) or Windows. The main focus of the book is running Snort on a Linux platform. Even beginning Linux users should have no trouble grasping the concepts. Most applications, along with their installation and configuration, are clearly spelled out. While this book will provide the average user with the ability to get a Snort sensor up and running, professional deployments of any IDS solution benefit from a good knowledge of networking and system administration. Without this background, discriminating between what is naughty and what is nice will be more difficult.
If any of the steps explained in later chapters do not answer all your questions, please consult the application's home page or subscribe to its mailing list, if one is available. It will be helpful if you are familiar with Usenet newsgroups and can post detailed questions regarding any additional use of the applications presented here. You will find that the open source community surrounding Snort and the related applications is active and incredibly helpful.