Snort Cookbook
Angela Orebaugh
Simon Biles
Jacob Babbin
Beijing · Cambridge · Farnham · Köln · Sebastopol · Tokyo
Special Upgrade Offer
If you purchased this ebook directly from oreilly.com, you have the following benefits:
DRM-free ebooks: use your ebooks across devices without restrictions or limitations
Multiple formats: use on your laptop, tablet, or phone
Lifetime access, with free updates
Dropbox syncing: your files, anywhere
If you purchased this ebook from another retailer, you can upgrade your ebook to take advantage of all these benefits for just $4.99. to access your ebook upgrade.
Please note that upgrade offers are not available from sample content.
Preface
If you are building a castle, you dig a moat and put up high walls; you may even build two layers of security, a perimeter and a more secure keep, but at the end of the day, you still need a way for supplies and people to get in and out. To make this part of your castle secure, you post watchmen, guards, and soldiers to ensure that only those who should be are getting in. Often you'll find that physical security in a company is similar, complete with locked doors, pass cards, and security guards.
The principles of securing a computer system are no different than those of securing any other system, but often this final layer of security is left out. Too often people assume that the perimeter protection of the firewall is sufficient to keep all attackers at bay, not considering that attackers might just walk over the bridge through the front gate. All firewalls have rules that allow access (otherwise, you might as well not have the network connection in the first place), and usually it is these rules that are used by a malicious attacker to breach your network. Attackers don't kick down the door; they walk through it pretending to be someone else.
An intrusion detection system (IDS) doesn't exist to check the identity of people coming through a firewall; it keeps an eye out for behavior from those people that is against the rules. It is the security guard who watches to see if someone is trying the lock on the door marked "Private."
This book is about Snort, an open source IDS, freely available to all who wish to make use of it, with updates provided by a large community of developers. It covers all topics from installation through tuning it to your needs, even mentioning some things it wasn't originally designed to do. At the end of this book, you should be able to place a security guard on your network to make sure it stays secure.
Audience
This book is for network, security, and system administrators for networks of any size. It is written to cover as many of the operating systems Snort will run on as possible and should be accessible to anyone with a little experience with any of them. There are a few sections where programming experience might make life a bit easier, but these are few and far between and are written in Perl, which is nearly English anyway.
Contents of This Book
Here is the breakdown of the chapters:
This chapter contains the basics of installation, configuration, optimization, and placement. These are the basics of your Snort sensor; start here if you are a beginner.
This chapter covers the areas of logging activity with Snort and creating alerts. What good is a sentry if there is no way of communicating the warnings and keeping track of what has happened? If you need to tune your logging and alerting, there are some recipes here that may solve your problems.
This chapter covers the creation of Snort rules and signatures to detect specific types of traffic. Signature and rule writing has sometimes been seen as a bit of a black art. This chapter clarifies the syntax for you and gives you some pointers on good rule writing.
This chapter details the Snort preprocessors, which control the way that Snort handles certain types of network traffic. Preprocessors are one of the most powerful features of Snort, allowing you to pick and choose the way Snort deals with certain types of packets. This chapter covers their use and configuration.
This chapter gives some usage instructions for certain Snort administrative tools, allowing ease of configuration and administration. This chapter is for those people for whom the command line is not a friend. Snort need not be a painful experience for you; there are recipes in here for using graphical tools to control your Snort installation.
This chapter covers log analysis of recorded data. Snort can generate more logs than you can read in a decade. This chapter details log analysis tools that help you sift through the chaff to find the wheat.
This chapter covers some other interesting uses of Snort, beyond packet sniffing and intrusion detection. It contains all the things we couldn't fit into the other chapters and includes some further ideas on things for which you might find Snort useful.
Conventions Used in This Book
The following typographical conventions are used in this book:
Plain text
Indicates menu titles, menu options, menu buttons, and keyboard accelerators (such as Alt and Ctrl).
Italic
Indicates new terms, URLs, email addresses, filenames, file extensions, pathnames, directories, and Unix utilities.
Constant width
Indicates commands, options, switches, variables, attributes, keys, functions, types, classes, namespaces, methods, modules, properties, parameters, values, objects, events, event handlers, XML tags, HTML tags, macros, the contents of files, or the output from commands.
Constant width bold
Shows commands or other text that should be typed literally by the user.
Constant width italic
Shows text that should be replaced with user-supplied values.
Tip
This icon signifies a tip, suggestion, or general note.
Warning
This icon indicates a warning or caution.
Using Code Examples
This book is here to help you get your job done. In general, you may use the code in this book in your programs and documentation. You do not need to contact us for permission unless you're reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing a CD-ROM of examples from O'Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product's documentation does require permission.
We appreciate, but do not require, attribution. An attribution includes the title, author, publisher, and ISBN. For example: "Snort Cookbook, by Angela Orebaugh, Simon Biles, and Jacob Babbin. Copyright 2005 O'Reilly Media, Inc., 0-596-00791-4."
If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at .
Safari Enabled
When you see a Safari Enabled icon on the cover of your favorite technology book, that means the book is available online through the O'Reilly Network Safari Bookshelf.