Snort for Dummies

Be the first to write a review

Overview

  • Snort is the world's most widely deployed open source intrusion-detection system, with more than 500,000 downloads-a package that can perform protocol analysis, handle content searching and matching, and detect a variety of attacks and probes
  • Drawing on years of security experience and multiple Snort implementations, the authors guide readers through installation, configuration, and management of Snort in a ...
See more details below
Paperback (BK&CD-ROM)
$20.59
BN.com price
(Save 31%)$29.99 List Price
Other sellers (Paperback)
  • All (18) from $1.99   
  • New (10) from $16.09   
  • Used (8) from $1.99   
Sending request ...

More About This Book

Overview

  • Snort is the world's most widely deployed open source intrusion-detection system, with more than 500,000 downloads-a package that can perform protocol analysis, handle content searching and matching, and detect a variety of attacks and probes
  • Drawing on years of security experience and multiple Snort implementations, the authors guide readers through installation, configuration, and management of Snort in a busy operations environment
  • No experience with intrusion detection systems (IDS) required
  • Shows network administrators how to plan an IDS implementation, identify how Snort fits into a security management environment, deploy Snort on Linux and Windows systems, understand and create Snort detection rules, generate reports with ACID and other tools, and discover the nature and source of attacks in real time
  • CD-ROM includes Snort, ACID, and a variety of management tools
Read More Show Less

Editorial Reviews

From Barnes & Noble
The Barnes & Noble Review
Half a million IT professionals have downloaded Snort, the full-fledged intrusion detection system that doesn’t cost a dime. But, like all IDSes, Snort can be complex, requiring careful configuration and monitoring. Snort for Dummies simplifies all that, so you can get the benefits of intrusion detection with far less hassle and complexity.

Leading security analysts and consultants Charlie Scott and Paul Wolfe have been there, done that -- repeatedly. Here, they begin with a careful, step-by-step discussion of setting up Snort from scratch. You’ll walk through disabling unnecessary services on your underlying Linux system; compiling Snort from source (their recommended approach); securing the SSH daemon; installing and configuring Snort; setting up MySQL to log Snort’s output; and automatically starting Snort at boot time.

Like all IDSes, Snort can generate colossal amounts of data. Scott and Wolfe show how to read and understand its logs and alerts, and how to create visual reports that offer a high-level look at what the data’s telling you. After explaining how to customize Snort with your own rules, they show how to prepare for (and respond to) an actual attack.

There’s extensive coverage of keeping Snort up to date, and extending and automating it. That includes a full chapter on using Barnyard to control output to a database -- thereby allowing Snort to run more quickly and efficiently. Snort developers are creating all sorts of tools for managing and monitoring Snort; Scott and Wolfe profile the best of them.

Bottom line: If you’ve been hesitant to try Snort, get this book and get started. Bill Camarda

Bill Camarda is a consultant, writer, and web/multimedia content developer. His 15 books include Special Edition Using Word 2003 and Upgrading & Fixing Networks for Dummies, Second Edition.

Read More Show Less

Product Details

  • ISBN-13: 9780764568350
  • Publisher: Wiley, John & Sons, Incorporated
  • Publication date: 6/28/2004
  • Series: For Dummies Series
  • Edition description: BK&CD-ROM
  • Edition number: 1
  • Pages: 372
  • Product dimensions: 9.20 (w) x 7.42 (h) x 0.89 (d)

Meet the Author

Charlie Scott is an Information Security Analyst for the City of Austin, where he helps maintain the City’s network security infrastructure and helps analyze intrusion detection data. He has nearly ten years of experience in the Internet industry and has been an avid user of open source security software that entire time. Charlie is a Certified Information Systems Security Professional (CISSP) and a Cisco Certified Network Professional (CCNP).

Bert Hayes is a Security Technical Analyst for the State of Texas, where he maintains network security for a medium sized agency. In Bert’s ten years of IT industry experience, he has done everything from managing a corporate IT shop during a successful IPO to performing white hat penetration tests for corporate and government offices. He has long been a proponent of open source solutions, and is a Red Hat Certified Engineer (RHCE).

Paul Wolfe is an independent information security consultant and author, specializing in open source security.

Read More Show Less

Table of Contents

Introduction.

Part I: Getting to Know Snort and Intrusion Detection.

Chapter 1: Looking Up Snort’s Nose.

Chapter 2: Fitting In Snort.

Chapter 3: Readying Your Preflight Checklist.

Chapter 4: Makin’ Bacon: Installing Snort for Linux.

Chapter 5: Installing Snort and MySQL for Windows.

Part II: Administering Your Snort Box.

Chapter 6: Snorting Through Logs and Alerts.

Chapter 7: Adding Visuals and Getting Reports.

Chapter 8: Making Your Own Rules.

Chapter 9: What, Me Worry?

Chapter 10: Dealing with the Real Thing.

Part III: Moving Beyond the Basics.

Chapter 11: Reacting in Real Time.

Chapter 12: Keeping Snort Up to Date.

Chapter 13: Filling Your Farm with Pigs.

Chapter 14: Using the Barnyard Output Tool.

Part IV: The Part of Tens.

Chapter 15: Ten Cool Tools for Snort.

Chapter 16: Ten Snort Information Resources.

Appendix A: What’s On the CD-ROM.

Index.

Read More Show Less

First Chapter

Snort For Dummies

By Charlie Scott Paul Wolfe Bert Hayes

John Wiley & Sons

ISBN: 0-7645-6835-3

Chapter One

Installing Snort and MySQL for Windows

In This Chapter

* Getting to know Snort for Windows

* Setting up Snort for Windows 2000

* Setting up MySQL for Windows 2000 and Snort

For an average Windows user, installing Snort is a little more of a headache than for your average Linux user. This is because Snort was developed initially for open-source Unix-like platforms such as Linux, and if you are at all familiar with Linux, you know what that means: command-line options and text-based configuration files. For a Windows user who's used to point-and-click configuration, command-line is a little intimidating. Add to that the fact that there's little supporting documentation for the Windows platform on Snort's Web site or the rest of the Internet, and you have all the makings of a bumpy ride.

Never fear: This chapter gives you step-by-step installation instructions for getting your Snort IDS up and running on Windows.

The Windows Snort IDS Box

These are the minimum requirements for a Windows Snort box:

  •   A PC running Windows NT 4.0, Windows 95, Windows 98, Windows 2000 (Server or Professional), Windows XP (Home or Professional), Windows 2003 Server
  •   A packet-capture driver for Windows (WinPcap is really your only choice)
  •   One or more network interface cards (NICs) and a network connection
  •   Snort

The preceding requirements are definitely the minimum requirements for running Snort on a Windows box: You can get Snort up and running with that configuration. You can also drive a front-wheel-drive car with just the two front wheels, but you're not going to get very far, your tail-end will spew a lot of sparks, and you might explode along the way. The point is that the minimum requirements are not necessarily the best configuration. In the following sections we go over specific recommendations for the Windows OS, logging database, and system resources.

Choosing your Windows OS

TIP

Just because Snort can run on practically any 32-bit version of Windows, doesn't mean you should run Snort on just any version of Windows. We recommend running Snort on either Windows 2000 Professional or Windows XP Professional for the following reasons:

  •   Windows 2000 and XP Professional are more secure and stable than the "home user" Windows systems, such as Windows 98, Windows ME, or Windows XP Home Edition. This is due to features such as the NTFS filesystem, better multitasking, and better memory management in 2000 and XP Professional.
  •   The "home user" Windows systems, such as Windows 98, Windows ME, or Windows XP Home Edition are not suitable for running a Web server such as Internet Information Services (IIS). A Web server is required for the ACID visualization console we cover in Chapter 7.
  •   The "home user" editions of Windows only support a single processor, whereas Windows 2000 and XP Professional support dual processors.
  •   Windows 2000 and XP Professional are still supported by Microsoft, unlike Windows NT 4.0 (or earlier versions of NT).
  •   Windows 2000 and XP Professional are cheaper alternatives than Windows 2000 Server or Windows 2003 Server.

In some high-performance environments the server-class versions of Windows 2000 and 2003 might make more sense, such as when you want to take advantage of systems that have more than two CPUs.

The minimum configuration only gets you text-based logging and alerts, which can be hard to manage. In the long run, we want to be able to classify alerts and use reporting and visualization tools such as the ACID console we cover in Chapter 7. In order to do this, we need to run an RDBMS (Relational Database Management System, a fancy name for a database program).

MySQL, your SQL

The RDBMS we chose is MySQL. MySQL is a free database that works on a number of platforms, including Windows. As a Windows user you might already be familiar with some of the Microsoft database products, such as MS SQL and Access, and are wondering why we aren't using those. MySQL has a number of things going for it as a backend database for Snort:

  •   Snort can log directly to MySQL natively, as the alerts come in. Snort can't currently log in real-time to Access databases.
  •   Snort's unified logging output can be converted directly to MySQL using the Barnyard utility (covered in Chapter 14). Barnyard cannot currently convert Snort's unified logging output directly to Access formats.
  •   MySQL is supported by many extra Snort tools, including the ACID visualization console we cover in Chapter 7. ACID currently does not support Access databases.
  •   Did we mention that MySQL is free? MS SQL and Access licenses aren't free, which can increase the cost of your Snort IDS if you don't already own those licenses.

If you've never used MySQL or any other RDMS before, don't worry. You don't need to be a database guru or even understand SQL queries to get Snort up and running with MySQL. We provide instructions to get Snort logging to MySQL under Windows.

Two resource hogs: Windows and Snort

All Windows-based operating systems have high base hardware requirements relative to other operating systems, even with as much unnecessary stuff removed as possible. When it comes to recommended hardware, for Snort, the faster and more the better. Snort needs as much processor speed and memory you can throw at it, relative to the activity on your network:

  •   If Snort runs out of resources, it drops packets; it won't analyze all of the network packets that come under its nose. With Snort dropping packets, the entire purpose of an IDS is defeated; an attack on your network or hosts can come at any time. (Murphy's Law says the attack will probably come when your IDS is overloaded.)
  •   If you plan to run MySQL (or another database system), IIS (or another Web server), and ACID (and all its dependencies) on the same computer as Snort, consider fielding a very fast system.

WARNING! For high-traffic production networks, you'll get the best performance from Snort by running the database, Web server, and sensor on different computers. Look at your network traffic and the requirements for the OS you select before setting up a Snort system. Chapter 3 should give you a better idea about how to size your Snort system to your particular environment.

Program storage requirements

With MySQL and support programs, the full Snort complement could fill as much as 60MB of hard drive space. That's not a huge amount of space by today's I-need-hundreds-of-gigs-just-for-my-downloaded-music standards, but that figure is only for the software itself, not the data you're going to collect using it. The Snort executable takes a measly 400KB of disk space. The entire Snort package takes 5.8MB on initial install.

Data storage

Your data storage requirements depend on what you do with the data:

  •   If you're capturing all packets on your network and storing them with Snort (not something you'd normally keep around forever, though) your storage needs will grow exponentially, daily.
  •   If you are running a single sensor and looking for only a few alerts or using a small rule base, you don't need much disk storage space.

TIP

In our testing environment, we captured alerts off of the basic Snort rules, and these alerts average about 5KB per alert in the text alert format. Though the size of the alert may be pretty standard, how many are generated on your network and how many are captured are up to you. Chapter 8 gives more detailed guidelines on rules and how to use them to maximize your Snort system.

Partition configuration

When installing your Windows operating system, set up at least two partitions on the hard drive:

  •   A small partition sized for the OS and applications running on your computer. By "small" we mean large enough to hold the Windows operating system, which can take as much as 3GB of disk space. We recommend making this partition at least 6GB in size.
  •   A larger partition for data depending on the amount of data you plan for Snort to capture. This is where your Snort logs and alerts go, so the amount of space varies depending on your network. It's a good idea to make it as large as you can.

Separate OS and data partitions keep the partitions from corrupting each other in case one fills up, and makes it much easier to back up to the partitions individually on separate schedules.

TIP

For extra security on your Web server we recommend having your IIS document root on its own partition, too.

Keeping Your Windows Locked

Before installing Snort and any other components, it's important to lock down your Windows system. After all, what good is a Snort IDS that's been compromised by an attacker? No good at all.

Hardening any Windows OS has become more difficult over the past few years, as more and more applications are integrated with the base operating system. Even so, following the guidelines and recommendations set forth in this section will help you secure your Windows-based Snort system.

Limit physical access

Physically secure the system in the following ways:

  •   Locate your Snort sensor in a secure area, accessible only to people who need physical access to the machine.
  •   Configure the system to boot only from the hard drive. You don't want someone bypassing Windows' security controls simply by booting off a floppy disk or CD-ROM, or even a keychain-sized USB drive!
  •   Consider using a system with a locking front panel that prevents an unauthorized person from booting from a floppy disk or CD-ROM.

REMEMBER

Nobody should have access to the console of the Snort IDS sensor but you!

Tighten OS access control

Limiting the users who can log on to your system and having a good password policy are imperative. Here are a few suggestions for keeping your accounts secure:

  •   Set up a strong password policy on the system.

Always use a complex password that uses a combination of upper and lower case letters, numbers, and special characters (*!#$).

Use passwords of eight characters or more.

Enable logging of login attempts, failures, and successes.

  •   You need one user on this system: the Administrator.

Immediately change the Administrator account name. Rename and disable the Guest account (you can't remove it).

Remove all other accounts.

Nothing makes a hacker's job easier than choosing a simple word or name for your password, or allowing guest access to your system. So, don't make a hacker's day: Follow the preceding account lockdown suggestions.

Harden the OS

Hardening an OS means to take measures to increase security and reduce vulnerabilities that go beyond the default installation of the OS. Since Windows is a general-purpose OS designed for user-friendliness, there are many features turned on by default that aren't required on a Snort system. Here are a few suggestions for hardening a Windows Snort IDS box:

  •   Install only components that are absolutely necessary to run the OS.

Windows operating systems install many programs that you don't need for a Snort IDS. Most notable are such applications as Windows Media Player and Outlook Express. Install nothing extra and add what programs you need, later.

When given the option, just say no.

  •   After installing Windows, turn off all unneeded services.

Windows runs a plethora of services in the background that aren't needed for every implementation of the OS. Figure out what you need and turn off the rest.

  •   Disable unneeded network protocols. All you need is TCP/IP. That's it. Everything else: out the window!

TECHNICAL STUFF

Use netstat from the command line on your Windows box to list the network services that are listening (or connected) at any given time. To use netstat to list all the listening ports by protocol, open a command window and type

netstat -an

  •   Conduct all remote communications to and from the sensor with secure protocols and applications, such as IPSec, SSL, and ssh.
  •   Apply all security updates, patches, and service packs.

Maintenance is imperative. Regularly check for new security updates, patches and service packs. New Windows-specific exploits hit the wire all too frequently.

There are reams of information available on the Internet for securing Windows systems. Here are a few of our favorite Windows security resources:

  •   The security wizards at SANS list the Top 20 critical security vulnerabilities for Windows (at sans.org/).
  •   The Center for Internet Security (a group that includes SANS, government agencies, and private industry) has a security benchmarking tool at cisecurity.org/.
  •  _Microsoft's Baseline Security Analyzer and IIS Lockdown Tool is available at its Web site, microsoft.com/. Always get the latest versions.

Hardening your Windows Snort IDS is an ongoing process.

Installing the Base Snort System

Installing the base Snort system requires two components: the WinPcap packet capture library, and the Snort IDS program itself. In the following sections we configure and install both WinPcap and Snort.

WinPcap

WinPcap (Windows Packet Capture Library) is a packet-capture driver. Functionally, this means that WinPcap grabs packets from the network wire and pitches them to Snort.

TECHNICAL STUFF

WinPcap is a Windows version of libpcap, which is used for running Snort with Linux. For more on libpcap, see Chapter 4.

Functions

The WinPcap driver performs these functions for Snort:

  •   Obtains a list of operational network adapters and retrieves information about the adapters.
  •   Sniffs packets using one of the adapters that you select.
  •   Saves packets to the hard drive (or more importantly for us, pitches them to Snort).

Installation

The installation and configuration of WinPcap is dead easy, with almost no intervention by you:

1.

Continues...

Excerpted from Snort For Dummies by Charlie Scott Paul Wolfe Bert Hayes Excerpted by permission.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Read More Show Less

Customer Reviews

Be the first to write a review
( 0 )
Rating Distribution

5 Star

(0)

4 Star

(0)

3 Star

(0)

2 Star

(0)

1 Star

(0)

Your Rating:

Review Guidelines
Add Recommendations
Your Name: Create a Pen Name or

Barnes & Noble.com Review Rules

Our reader reviews allow you to share your comments on titles you liked, or didn't, with others. By submitting an online review, you are representing to Barnes & Noble.com that all information contained in your review is original and accurate in all respects, and that the submission of such content by you and the posting of such content by Barnes & Noble.com does not and will not violate the rights of any third party. Please follow the rules below to help ensure that your review can be posted.

Reviews by Our Customers Under the Age of 13

We highly value and respect everyone's opinion concerning the titles we offer. However, we cannot allow persons under the age of 13 to have accounts at BN.com or to post customer reviews. Please see our Terms of Use for more details.

What to exclude from your review:

Please do not write about reviews, commentary, or information posted on the product page. If you see any errors in the information on the product page, please send us an email.

Reviews should not contain any of the following:

  • - HTML tags, profanity, obscenities, vulgarities, or comments that defame anyone
  • - Time-sensitive information such as tour dates, signings, lectures, etc.
  • - Single-word reviews. Other people will read your review to discover why you liked or didn't like the title. Be descriptive.
  • - Comments focusing on the author or that may ruin the ending for others
  • - Phone numbers, addresses, URLs
  • - Pricing and availability information or alternative ordering information
  • - Advertisements or commercial solicitation

Reminder:

  • - By submitting a review, you grant to Barnes & Noble.com and its sublicensees the royalty-free, perpetual, irrevocable right and license to use the review in accordance with the Barnes & Noble.com Terms of Use.
  • - Barnes & Noble.com reserves the right not to post any review -- particularly those that do not follow the terms and conditions of these Rules. Barnes & Noble.com also reserves the right to remove any review at any time without notice.
  • - See Terms of Use for other conditions and disclaimers.
Search for Products You'd Like to Recommend

Recommend other products that relate to your review. Just search for them below and share!

Create a Pen Name

Your Pen Name is your unique identity on BN.com. It will appear on the reviews you write and other website activities. Your Pen Name cannot be edited, changed or deleted once submitted.

 
Your Pen Name can be any combination of alphanumeric characters (plus - and _), and must be at least two characters long.

Continue Anonymously
    If you find inappropriate content, please report it to Barnes & Noble
    Why is this product inappropriate?
    Comments (optional)