"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications."
Eric Stats' review of Jack Koziol's book
As this is a "slightly skeptical" site, the page should start with some critique of Snort. Previously it was in-line, but due to its volume it was recently (as of Aug 12, 2006) converted into a separate article: "Slightly Skeptical View of Snort".
Sourcefire provides only Red Hat binaries, but a precompiled Snort 2.6 for Solaris (with MySQL support) is now available from www.sunfreeware.com. Compiling Snort for Solaris yourself is also possible, though not easy, especially with MySQL support. Still, Snort 2.4.x can be compiled and does work on Solaris 10, both the Sun release and OpenSolaris. You need gcc 3.4.2 or later; earlier versions such as gcc 3.3.2 do not work. On Solaris 10 they produce a make error like the following:
Making install in sfutil
make[2]: Entering directory `/export/home/snort/Snort/snort-2.6.0/src/sfutil'
rm -f libsfutil.a
false cru libsfutil.a sfghash.o sfhashfcn.o sflsq.o sfmemcap.o sfthd.o sfxhash.o ipobj.o mwm.o sfksearch.o getopt_long.o acsmx.o acsmx2.o mpse.o util_math.o util_net.o util_str.o asn1.o sfeventq.o sfsnprintfappend.o
make[2]: *** [libsfutil.a] Error 255
make[2]: Leaving directory `/export/home/snort/Snort/snort-2.6.0/src/sfutil'
make[1]: *** [install-recursive] Error 1
make[1]: Leaving directory `/export/home/snort/Snort/snort-2.6.0/src'
make: *** [install-recursive] Error 1
I have been using it with OpenSolaris since December 2005. The information below was adapted from a post by Jacob Ritorto on March 16, 2006 (Snort Forums Archive). You can omit the Snort compilation step, as the precompiled version works OK. Please note that PHP 4 needs to be compiled with MySQL support; in the notes below Jacob claims success with PHP 5:
I deployed 2.4.3 on Solaris 10 1/06 x86 with BASE a couple of weeks ago to try for better reliability / performance than we were getting with our former Linux installation. Pretty straightforward. Imagine it's the same on SPARC.
I'll cut/paste my installation notes for you below. Note that they're a bit stale because I've tweaked for multiple interfaces since writing them.
Note links at bottom for references I used to prepare these instructions.
If you don't feel like building source, install the blastwave.org package via pkg-get. That's really easy and all you have to do afterwards is download the rules and adjust snort.conf.
Solaris 10 (x86) 1/06 Snort/BASE build and install notes
This procedure leverages mysql, libtool and openssl shipped with Solaris 10. Naturally, you should adjust pathnames to reflect optional software versions you use.
- Download sources for adodb, base, snort, pcre, libpcap, libxml2, php.
- Set your PATH environment variable to something that works for you. For example,
/usr/sbin:/usr/bin:/opt/csw/bin:/usr/sfw/bin:/usr/ccs/bin
- Build and install libpcap:
./configure --prefix=/opt/libpcap-0.9.4 && gmake && gmake install
- Build and install pcre:
./configure --prefix=/opt/pcre-6.3 && gmake && gmake install
- Build and install snort:
Set your LDFLAGS environment variable to -R/opt/pcre-6.3/lib
./configure --prefix=/opt/snort-2.4.3 --with-openssl --with-libpcap-includes=/opt/libpcap-0.9.4/include --with-libpcap-libraries=/opt/libpcap-0.9.4/lib --with-libpcre-includes=/opt/pcre-6.3/include --with-libpcre-libraries=/opt/pcre-6.3/lib --with-mysql=/usr/sfw && gmake && gmake install
- Unset your LDFLAGS environment variable.
- Go to snort.com to download rules. Untar them into /opt/snort-2.4.3/rules
- Fire up & tweak mysql:
/usr/sfw/bin/mysql_install_db
groupadd mysql
useradd -g mysql mysql
chgrp -R mysql /var/mysql
chmod -R 770 /var/mysql
installf SUNWmysqlr /var/mysql d 770 root mysql
cp /usr/sfw/share/mysql/my-medium.cnf /var/mysql/my.cnf
/usr/sfw/sbin/mysqld_safe --user=mysql &
mysqladmin -u root password 'password'
mysqladmin -u root -h `hostname` password 'password'
set mysql to stop/start at boot, etc: (not the proper smf(5) way; sorry; please fix*.):
ln /etc/sfw/mysql/mysql.server /etc/rc3.d/S99mysql
ln /etc/sfw/mysql/mysql.server /etc/rc0.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rc1.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rc2.d/K00mysql
ln /etc/sfw/mysql/mysql.server /etc/rcS.d/K00mysql
- Cd to snort source directory.
mysql -u root -p < schemas/create_mysql snort
mysql -u root -p snort
mysql> grant CREATE,INSERT,SELECT,DELETE,UPDATE on snort.* to snort@localhost;
mysql> set PASSWORD FOR snort@localhost=PASSWORD('password');
mysql> flush privileges;
mysql> exit
- Edit the /opt/snort-2.4.3/rules/snort.conf file.
output database: log, mysql, dbname=snort user=snort password=password host=localhost
output database: alert, mysql, dbname=snort user=snort password=password host=localhost
comment out ftp_telnet preprocessor section
comment out smtp preprocessor section
- Test snort & see if it's making database entries:
snort -c /opt/snort-2.4.3/rules/snort.conf
echo "SELECT count(*) FROM event" | mysql -u root -p snort
- Build a newer libxml2:
./configure --prefix=/opt/libxml2-2.6.23 && gmake && gmake install
- Build, install and configure php and pear:
./configure --prefix=/opt/php-5.1.2 --enable-memory-limit=yes --with-apxs2=/usr/apache2/bin/apxs --with-gettext=/usr/bin/gettext --with-exif --without-mm --with-mysql=/usr/sfw --with-openssl=/usr/sfw --with-zlib --with-jpeg-dir=/usr/sfw --with-png-dir=/usr/sfw --with-exec-dir=/opt/php-5.1.2/libexec --enable-cli --enable-sockets --with-libxml-dir=/opt/libxml2-2.6.23 --with-gd && gmake && gmake install
/opt/php-5.1.2/bin/pear install Image_Color
/usr/local/php/bin/pear install Log
/usr/local/php/bin/pear install Numbers_Roman
/usr/local/php/bin/pear install http://pear.php.net/get/Numbers_Words-0.13.1.tgz
/usr/local/php/bin/pear install http://pear.php.net/get/Image_Graph-0.3.0dev4.tgz
- Install BASE by untarring it into /var/apache2/htdocs
- Install adodb by untarring it into /var/apache2/htdocs
copy /var/apache2/htdocs/base/base_conf.php.dist to base_conf.php and edit:
- $Dblib_path Full path to the ADOdb installation "/var/apache2/htdocs/adodb"
- $Dbtype Type of database used "mysql"
- $Use_Auth_System Set to 1 to force users to authenticate to use BASE 1
- $BASE_urlpath The root URI of your site "/base"
- $alert_dbname The alert database name "snort"
- $alert_host The alert database server "localhost"
- $alert_port The port where the database is stored (Leave blank if you're not running MySQL on a network socket.) ""
- $alert_user The username for the alert database "snort"
- $alert_password The password for the username "snort_user_password"
References:
http://meljr.com/~meljr/AMPSolaris10.html
http://www.sun.com/bigadmin/features/articles/intrusion_detection.html (BigAdmin Feature Article: Analyzing Snort Data With the Basic Analysis and Security Engine (BASE))
http://forum.sun.com/thread.jspa?messageID=104833
http://www.sun.com/bigadmin/content/submitted/mysql_smf_tip.html
Once the configuration problems are solved, Snort is very stable even on high volumes of traffic (though it makes little sense to run it live on a high volume of data; in that case you would write the stream to a file with tcpdump and only then analyze the file with Snort. This is especially true if you log to MySQL: with database logging there is no way Snort can be used in true IDS mode listening to live traffic).
If you want to use a complex snort.conf and a large rulebase, you will always benefit from using tcpdump as the first stage, to provide black-box recording capabilities, and then reprocessing the tcpdump files periodically. The period depends on the traffic volume; for O1 connections it can be, say, once every 15 minutes. In any case, any period under an hour is probably adequate, because in a large corporation the latent period before anyone reacts to an alert is usually more than an hour; in that sense, processing the data every quarter of an hour amounts to real-time monitoring :-).
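The two-stage arrangement described above, as an added example that is not from the page or from the Snort project: tcpdump records the raw stream into files rotated every 15 minutes, and a cron job replays each completed file through Snort with `-r`, so capture never blocks on rule matching or MySQL inserts. It assumes tcpdump 4.0 or later (for `-G` rotation with a strftime pattern in `-w`); the spool directories are placeholders and SNORT_CONF is the path from the notes above.

```shell
#!/bin/sh
# Added example: two-stage IDS pipeline (capture first, analyze later).
# Assumptions (mine): tcpdump 4.0+ for -G/-w strftime rotation; directory
# paths below are placeholders; snort -r replays a pcap file.

CAP_DIR=${CAP_DIR:-/var/spool/ids/pcap}     # where tcpdump writes (placeholder)
DONE_DIR=${DONE_DIR:-/var/spool/ids/done}   # processed files go here (placeholder)
LOG_DIR=${LOG_DIR:-/var/log/snort}          # snort -l target (placeholder)
SNORT_CONF=${SNORT_CONF:-/opt/snort-2.4.3/rules/snort.conf}
ROTATE_SECS=${ROTATE_SECS:-900}             # 15 minutes, as the text suggests

# Stage 1, runs continuously on the sensor. -s 0 keeps full payloads,
# -n avoids DNS lookups, -G starts a new timestamped file every
# ROTATE_SECS seconds. tcpdump does no rule matching, so it keeps up.
start_capture() {
    tcpdump -i "$1" -n -s 0 -G "$ROTATE_SECS" \
        -w "$CAP_DIR/cap-%Y%m%d-%H%M%S.pcap" &
}

# tcpdump is still appending to the newest file, so only older files are
# complete. File names carry timestamps and therefore sort chronologically;
# given the sorted list, print every name except the last. Kept as a pure
# function so the selection logic can be checked without a network.
ready_files() {
    while [ $# -gt 1 ]; do
        printf '%s\n' "$1"
        shift
    done
}

# Stage 2, from cron (e.g. */15 * * * *). Replay each completed capture with
# the full snort.conf and rulebase. Move a file aside only when Snort exited
# cleanly, so a failed run is retried next period instead of losing data.
process_ready() {
    set -- $(cd "$CAP_DIR" && ls cap-*.pcap 2>/dev/null | sort)
    for f in $(ready_files "$@"); do
        if snort -q -c "$SNORT_CONF" -r "$CAP_DIR/$f" -l "$LOG_DIR"; then
            mv "$CAP_DIR/$f" "$DONE_DIR/"
        else
            echo "snort failed on $f; leaving it for the next run" >&2
        fi
    done
}

# Usage: ids-batch.sh capture <iface>   (once, on the sensor)
#        ids-batch.sh process           (from cron)
case "${1:-}" in
    capture) start_capture "${2:?interface name required}" ;;
    process) process_ready ;;
esac
```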
freshmeat.net
With Snort2Pf, you can turn your local Snort installation easily into an "intrusion detection and prevention system", rather than simply using it for post-mortem analysis. Such a system also blocks the recognized violations.
November 2006 (Bigadmin) This guide serves as a starting point for users to install, configure, and perform basic tuning of the open source stack SAMP (Solaris 10 OS, Apache 2.0.52, MySQL 5.0, and PHP 5). The article also covers PostgreSQL and Tomcat. The Solaris Zones feature (part of Solaris Containers technology in the Solaris 10 OS) is discussed to help users with scalability in mind. Download the document as PDF.
Last updated at 2005/02/17 20:50 in software :: snort-perl
I'm calling the latest version of the Snort+Perl patch snort-perl 1.0. For now, I am maintaining snort+perl as a separate distribution of Snort. The changes for Snort to integrate with perl on a wide scale are rather large. Keeping up with that diff gets painful. As such, I plan on syncing features from Snort "regular" to Snort+Perl on a semi-regular basis. The 1.0 distro of "snort+perl" is available here.
On Thu, Nov 18, 2004 at 12:07:30PM -0800, Cliff Massey wrote:
> There used to be a perl preprocessor for snort called snort-perl.
> Has this been discontinued? Does anyone know if there is a way to
> use a perl script as a preprocessor? This would be very useful.
snort-perl was never a preprocessor. snort-perl is a detection plugin only ever available as a patch. Jeff & I wrote it a few years ago. It is a little out of date, but still useful. I'm currently working on a replacement for it that is much more advanced, but don't expect to see my replacement for another few months. If you ask very nicely, I'll update snort-perl to work with 2.3.0RC1 (which should be out shortly). Brian
I recently rolled out Snort at my place of employment. Sadly I had to make some serious compromises because I was given a Compaq DL360 (Gen 3) for deployment and Solaris 10 x86 was unhappy on the box. I was forced to use Linux and I was unsure of all the various best practices for Snort on Linux. Thankfully Mr. Patrick S. Harper was there to save the day! On the Snort.org documentation page you can find two of his papers:
- Snort, Apache, SSL, PHP, MySQL, and BASE Install on CentOS 4, RHEL 4 or Fedora Core [PDF]: A wonderful step-by-step end-to-end guide for installing, securing, and configuring Linux, Snort, Apache, SSL, MySQL, and BASE.
- Oinkmaster Installation and Configuration Guide [PDF]: An excellent step-by-step look at properly installing and configuring OinkMaster for daily automated Snort rules updates.
Both these docs are extremely simple to follow and well tested. I printed both, put them in a binder, set it on top of my crappy DL360 and started installing CentOS. I followed it step by step and was never led astray. I've now got a pretty kickin' Snort box attached to mirror ports on each of our front-end switches. Thanks to BASE (Basic Analysis and Security Engine) there is a simple to use and understand web interface that my manager and network admin can access to get all the information they need without the need to log into the system or dig through dumps and logs.
If you're thinking about playing with or deploying Snort I highly recommend that you consider these two docs as your guide through the Snort universe. I bought both the Managing Security with Snort & IDS Tools and Snort Cookbook books from O'Reilly, but frankly Patrick's papers were far more useful to me. If you want to learn about Snort or dig into any particular aspect of a snort system, buy the books... but if you want to deploy a system, go and see Mr. Patrick S. Harper.
[May 16, 2006] Snort ruleset downloads
This message is to announce the availability of an update for the Sourcefire community rule set, which can be downloaded free of cost or registration from http://www.snort.org/pub-bin/downloads.cgi.
In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility.
Why so many IDS deployments fail....
(Score:4, Insightful)
by saint10 (248611) on Thursday May 29, @01:34PM (#6068871)
"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications."
This hits the nail right on the proverbial head. So many articles in the security industry focus on "IDS failures" [sans.org]. If you don't know your network, servers, routers, and what they should be doing, you can't implement IDS effectively.
Very important topic, I'm glad this point so often missed made it into this book. Should be a good read.
You need HISTORY to develop good detection rules
(Score:3, Insightful)
by GringoGoiano (176551) on Thursday May 29, @04:04PM (#6070265)
"In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS."
Snort and the other intrusion detection systems perform to varying degrees at monitoring corporate resources and alerting personnel when something is amiss, according to the rulesets they've been given. The article assumes the rulesets are known in advance: your work is to take those rulesets and implement them in Snort or your favorite IDS.
The real world isn't so simple. IT personnel can only guess at all the possible security problems with the network equipment, hardware, server software, clients, external network connections, malicious hackers and information thieves out there -- as well as those rare dishonest insiders. A more effective security implementation includes plenty of logging, and subsequent log analysis.
Logs are easy to generate for all varieties of hardware and software. Collecting and centralizing log data lets you:
- track the history of all aspects of IT infrastructure
- analyze patterns of past resource use as personnel understand more about potential threats (have such exploits occurred in the past? what additions to current real-time IDS rulesets will address such exploits?)
- analyze past resource use to see whether newly discovered, real exploits have been used in the past (the organization can take appropriate measures to uncover abuse two months ago, a year ago; what data was compromised then?)
Having the history lets an organization more effectively implement the "detailed network and business context" within the real-time IDS solutions.
Of course, the real problem is the $2 million for the Oracle DB to manage all that log data. And querying all that history is a bear. And the DBAs, the software developers, etc. to manage that log history. I've heard that addamark's log management system [addamark.com] (LMS) is a good alternative. Someone told me their product replaced a DB2 cluster at one organization after a two-hour DB2 query took three minutes on an Addamark cluster. The cost savings, storage capacity, and log compression were phenomenal too.
Are there other log centralizing solutions out there you've heard of? Addamark seems to work because it's not a full-fledged traditional DB, but optimized for this log management problem -- can a traditional DB keep pace?
Building an Ethernet Tap
(Score:4, Interesting)
by cjsnell (5825) on Thursday May 29, @05:14PM (#6070946)
(Last Journal: Friday October 04, @09:30PM)
I read this review and looked through the Snort site and I've come to the conclusion that you must implement one of the following to use Snort to monitor incoming traffic between your router and a switch:
- An ethernet tap
- A spanning port on your switch
- A hub in between the router and switch
I have no spanning capabilities on my switch and I'm not about to put some $40 CompUSA hub on my production network so the only real choice for me is an ethernet tap. However, I'm having a very difficult time finding schematics for building a 100Mbit ethernet tap. The best I could find is this brief PDF [snort.org] that discusses a bi-directional tap. Unfortunately, this method also requires a spanning port on a switch.
I've found commercial ethernet taps [comcraftfr.com] for sale but they all cost upwards of $400. Surely there is a way to build one of these in a home workshop. Does anyone have schematics?
Chris
"Check Point Software Technologies Ltd. and Sourcefire, Inc., developers of Snort, today announced that they have signed a definitive agreement for Check Point to acquire privately held Sourcefire for a total consideration of approximately $225 million.
"Martin Roesch Founder and CTO of Sourcefire, Inc. said the following:
"'I am very excited to announce that Check Point has signed an agreement to acquire Sourcefire, the company that develops the Snort project and maintains the snort.org domain. I know that many of you are probably going to ask 'what does this mean for Snort?,' so I'd like to take a few minutes to talk about that...'"
Building Snort with ACID (Analysis Console for Intrusion Databases) is not that difficult. On some level it may seem complex because there is a lot to compile, recompile, configure, install and reinstall. Don't throw in the towel. Stick with it and you shall prosper. It's well worth it. I have built snort with ACID more than 10 times in the last two months. Based on those experiences, I have done everything to make your experience quick and easy.
But, before we get started let's clear up a few things first.
This book excerpt is from Chapter 6 of Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID by Rafeeq ur Rehman, ISBN 0-13-140733-3, copyright 2003. All rights reserved. This chapter, titled "Using ACID and SnortSnarf with SNORT" is posted with permission from Prentice Hall PTR.
Analysis Console for Intrusion Databases (ACID) is a tool used to analyze and present Snort data using a Web interface. This chapter provides information about ACID and discusses how to install it with MySQL and Snort to view and analyze the intrusion detection data logged by Snort into the database.
In addition to ACID, the chapter also provides basic information about SnortSnarf, another tool that can be used with a web server. SnortSnarf is able to parse Snort log files and generate HTML pages that can be viewed using a Web browser.
From FAQ:
How do I get Snort to log the packet payload as well as the header?
Use the "-d" command line option.
Abstract: After a brief discussion of intrusion detection systems (IDS), this article focuses on a pattern-matching network-based IDS, Snort.
Contents:
- What Is Intrusion Detection?
- Installing Snort and Supporting Software
- Running Snort as a Simple Packet Sniffer/Logger
- Snort as an IDS: the Snort Configuration File
- Snort var Statements
- Snort include Statements
- Snort config Statements
- Snort preprocessor Statements
- Snort output Statements
- Snort Rules, Configuring the Detection Engine
- Managing and Updating Rules
- Resources
As soon as someone discovers a new computer security vulnerability, hordes of crackers start knocking at the doors of computers worldwide to see if they can penetrate their defenses. Many sites employ a combination of border router firewalls and host-based packet filters and wrappers to protect themselves, but what if the vulnerability is in the very mechanism that's used to secure a service? How can systems administrators know that their machines are under attack and/or have been compromised? The best way to catch the crackers in the act is to use an intrusion detection system (IDS).
http://www.ntsug.org/downloads/archivePlus.tar.gz
Say thank you Paul :)
Patrick S. Harper | CISSP RHCT MCSE
www.internetsecurityguru.com
In a world of compromise, some don't.
-----Original Message-----
From: snort-users-adminlists.sourceforge.net
[mailto:snort-users-adminlists.sourceforge.net] On Behalf Of Dan Mahoney,
System Admin
Sent: Friday, May 20, 2005 5:54 AM
To: Snort Mailing List
Subject: [Snort-users] Periodic DB Pruning
Hey,
Does anyone have any scripts to troll the snort databases and/or logfiles and prune any reports older than a day (or some other period)?
-Dan Mahoney
12/2/02
Do most people ever worry about the security of their Intrusion Detection System (IDS)? They should. With high speed Internet access being so common around the world, many personal PCs are being hijacked or shared by hackers these days. These hijacked PCs serve as a launch point for attacks, making it easier and more tempting for anyone to try their latest exploit because a reverse trace will most likely lead back simply to a compromised PC. Having a secure IDS is a necessary tool to see what kind of attacks or exploits are being tested against your network and systems. It can also reveal traffic from a prior hack if the intruder is still occasionally logging in. Hopefully, the latter never occurs.
With the addition of an IDS to your network, you do not want to neglect securing it and you do not want to also add the possibility of an attack or entry point. This would be all around embarrassing, especially if the IDS was a hard sell to management to begin with.
This paper will focus on installing a Snort IDS on the Solaris operating system, and securing it in a chrooted environment. Snort is an easy to use, cost effective, lightweight IDS that compiles and runs on every major operating system. Snort has had one major security flaw in its time, due to an RPC protocol buffer overflow, [ref 1] which is why we will chroot its installation.
The effect of chrooting a process minimizes the impact of future buffer overflows like this one. The IDS process would still likely crash, taking the IDS offline, but the hacker would not gain access due to the overflow because the chrooted environment would not contain a shell.
Chrooting is the process of executing commands relative to the directory provided, which to the application becomes the new system root. All future system calls by the chrooted process will use the new system root directory as its filesystem root. As an example, if /export/home/ids is to be the new system root and Snort is normally located in /usr/local/bin/snort, it would now be located in /export/home/ids/usr/local/bin/snort. Nothing outside of /export/home/ids would be accessible.
To further reduce the chances of an IDS exploit we will also:
- run the program as a user with minimal privileges (nobody)
- use non-addressed interfaces (interfaces without an IP address) for capturing traffic
It's a good idea to also read the following two articles on Snort before continuing with this article:
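The hardening the excerpt above describes (chroot jail with no shell inside, Snort running as nobody, a sniffing interface with no IP address), as an added example that is not part of that article or of the Snort project. It assumes Snort 2.x, whose `-t` option chroots after initialisation, `-u`/`-g` drop privileges and `-l` names a log directory that must lie inside the jail; the jail root is the article's /export/home/ids and the interface name and snort.conf path are placeholders.

```shell
#!/bin/sh
# Added example: lay out and verify a minimal chroot jail for Snort, then
# start Snort with its own chroot and privilege-drop options.
# Assumptions (mine): snort 2.x with -t/-u/-g/-l; Solaris ifconfig for
# plumbing an address-less interface; paths and interface are placeholders.

JAIL=${JAIL:-/export/home/ids}        # new root, the path used in the excerpt
IFACE=${IFACE:-hme1}                  # placeholder non-addressed interface
SNORT_CONF=${SNORT_CONF:-/usr/local/etc/snort/snort.conf}  # placeholder

# Map a path as the chrooted process sees it to its real host location,
# e.g. jail_path /export/home/ids /usr/local/bin/snort
#      -> /export/home/ids/usr/local/bin/snort
jail_path() {
    printf '%s%s\n' "$1" "$2"
}

# Create the tree: a log directory for the unprivileged user and nothing
# else. With -t Snort reads snort.conf and the rules before chrooting, so
# neither the binary nor the rules need to be copied inside.
build_jail() {
    root=$1
    mkdir -p "$(jail_path "$root" /var/log/snort)"
}

# Ownership fixups need root, so they are kept apart from build_jail.
own_jail() {
    root=$1
    chown -R nobody:nobody "$(jail_path "$root" /var/log/snort)"
    chmod 750 "$(jail_path "$root" /var/log/snort)"
}

# The point of the jail is that an overflow in Snort finds no shell to exec.
# Refuse to start if any common shell or interpreter exists under the root.
# Returns 0 when clean, 1 otherwise.
check_jail() {
    root=$1
    for p in bin/sh bin/bash bin/ksh sbin/sh usr/bin/sh usr/bin/bash \
             usr/bin/ksh usr/bin/perl; do
        if [ -e "$root/$p" ]; then
            echo "jail $root contains $p" >&2
            return 1
        fi
    done
    return 0
}

# Solaris: bring the sniffing interface up without assigning an address, so
# the sensor itself is not addressable on the monitored segment.
plumb_iface() {
    ifconfig "$1" plumb && ifconfig "$1" up
}

# -t chroots to the jail after initialisation, -u/-g drop to nobody, -l is
# the log directory given as a host path that lies inside the jail, -D daemonises.
start_snort() {
    check_jail "$JAIL" || return 1
    snort -c "$SNORT_CONF" -i "$IFACE" -u nobody -g nobody \
          -t "$JAIL" -l "$(jail_path "$JAIL" /var/log/snort)" -D
}

# Usage: snort-jail.sh setup   (once, as root)
#        snort-jail.sh start
case "${1:-}" in
    setup) build_jail "$JAIL" && own_jail "$JAIL" && plumb_iface "$IFACE" ;;
    start) start_snort ;;
esac
```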
Intrusion-detection systems (IDS) have a mixed reputation in the world of enterprise IT. Many IDSs have been accused of being overly sensitive and flooding system administrators with false alerts. They are also notoriously tough to manage. On the other hand, such vendors as Symantec and Network Associates have gone out of their way to gobble up makers of intrusion-detection products, believing that they will become a must-have for an organization's security arsenal.
In the meantime, however, many organizations are still on the fence about intrusion detection. For them, the answer may lie with a product called "Snort," an open-source IDS distributed under the GNU GPL license by Martin Roesch, its creator. Snort allows IT organizations to start detecting intruders on the cheap, and it is a powerful program with a large following. But Snort is far from perfect, and potential users need to be aware of both its strengths and weaknesses.
A Foot in the Door
In short, Snort is capable of performing real-time traffic analysis and packet logging on IP networks. It uses protocol analysis and content matching to detect attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes and others. Snort also boasts real-time alerting capabilities for Syslog, user-specified files, or via other means. Primarily, it is used as a straight packet sniffer, a packet logger for network traffic debugging, or as a full-blown intrusion-detection system.
Many organizations bring Snort into the enterprise when they do not yet have the budget to support a commercial IDS, Michael Rasmussen, a director at Forrester Research, told NewsFactor. "It's in a lot of large-scale enterprises," he said, and is useful when management refuses to budget for intrusion detection because they do not understand its value.
"It's better than nothing, but most people will use it as a step along the journey" to using a commercial intrusion-detection system, Rasmussen said. Oftentimes, Snort is used to augment commercial IDSs, he noted.
Richard Stiennon, vice president of research at Gartner, said he frequently recommends installing Snort to organizations thinking of purchasing an IDS. "In doing so, you get 90 percent of the value of an IDS and get up to speed with the sorts of things an IDS is going to tell you," he pointed out. "You also learn what a pain in the butt [IDSs are] to manage."
Open Advantage
The strength of Snort is in its sensing capabilities, Stiennon said. "The goal of Snort is to have an efficient engine that identifies signatures of attacks and is quickly updateable," he added. Snort has a comprehensive database of such signatures maintained and updated by the open-source community.
The fact that Snort is open source also gives it a very robust programming language for organizations to build their own rule base, Dave Wreski, CEO of Guardian Digital, told NewsFactor. An administrator can take a particular string and use it to search for keywords that might be generated from someone across the Internet trying to attack a server.
Snort's rules language for describing traffic that should be collected or passed is flexible, and its detection engine utilizes a modular plug-in architecture. The plug-in capabilities, enhanced in version 2.0 of Snort, are powerful and enable administrators to develop an additional set of features -- like the ability to analyze a new type of traffic or log to a new type of database. These features can be plugged into a running version of Snort without having to recompile or obtain an additional license, Wreski said.
Other enhancements to version 2.0 include the ability to coexist with and analyze traffic in gigabit Ethernet and other fast networks. The Snort code base also was subjected to a third-party professional security audit. Additionally, the Snort developers have begun to introduce stateful pattern matching into the product, Wreski said, so that it can keep track of the state of network connections and analyze them as a whole rather than as individual parts.
Experts Only
Snort is not for the faint of heart. It requires a high level of technical aptitude, as well as knowledge about software security, Wreski said. And like most intrusion-detection products, it requires time to be tuned to a particular network environment. "Snort right off the Web is a framework for building an intrusion-detection system," said Wreski. "It's not automatically going to protect your network. It requires a level of commitment by management and technical staff."
Like most IDS products, there is a huge amount of overhead to running Snort, Rasmussen noted. "You can get it up and running in a basic implementation, but to get the full value of it requires a lot of time, dedication and experience," he said. "It takes a detailed understanding of the Snort source code."
Scalability Issues
On large networks, Snort does not scale as well as commercial systems, according to Rasmussen. Snort requires the skills to manage a number of different sensors across disparate networks. But with many commercial intrusion-detection products, IT staff can purchase a sensor for each network and use a single management console to collate the information. Snort developers are working on features that will facilitate that capability in Snort, Wreski said.
Meanwhile, Snort's data-management and workflow-management capabilities are not up to the standards of commercial software, Stiennon said. "Open-source software developers usually aren't half interested in GUIs and distributed management," he said. Stiennon recommends enterprises use an independent security-management console to gather the security-event data that Snort produces.
SourceFire, the company started by Roesch to offer a commercial version of Snort, recently announced that it has integrated the SourceFire Intrusion Management System with GuardedNet's neuSECURE security-management platform. As a result, customers will be able to correlate data from SourceFire's intrusion-detection products with data from firewalls, routers and other IDSs.
If SourceFire manages to take some of the kinks out of Snort and make it more suitable for large networks, there is no telling how far the product can go.
This document was written when I created an IDS sensor with Snort and using some statistic tools in order to help others implementing it. ...
www.faqs.org/docs/Linux-HOWTO/Snort-Statistics-HOWTO.html
This project uses a modified unix domain socket output plugin for the network intrusion detection system snort. The alerts generated by snort are read from the unix domain socket by another process called sockserv. This process reads from the socket and sends the alerts via TCP to a central server. On the central server a program called servsock reads the data and writes it via a unix domain socket to a database.
So this project is developed for environments with several remote sensors and one central server gathering the information. With the normal database output plugin there would be several SELECT and INSERT statements over the network, which would slow down the INSERT rate. Additionally, in that scheme snort is blocked until all data has been spooled to the database. The only reason you do not lose traffic in between is the buffering in the kernel and/or libpcap. If this results in an overrun of the kernel buffer you will not even notice it; libpcap, in contrast, will report the packets it drops. (With Linux you should use the libpcap version of Phil Woods at http://public.lanl.gov/cpw/ to get useful statistics.)
The advantage of this method is the complete decoupling of the output processing from snort. The programs sockserv and servsock buffer all alerts in case of a slow network or slow database access (or a heavy attack generating a lot of alerts in a very short period). Both programs use two threads, one to receive data and one to forward it either to the central server or to the database.
In addition, to avoid an overrun of the programs' internal buffer there is a drop feature: alerts are dropped before they are forwarded to the central server (sockserv) or the database (servsock). A short description of each dropped alert can be e-mailed to a list of recipients.
Finally there is an alert feature which can send alerts as e-mails if the priority reaches a given level. This feature is intended to inform an admin of a high-level alert. (There is still a problem in the definition of "high level": is this a high priority value or a low one? This seems to have changed at some point between snort-1.8 and snort-2.0.)
Two further programs/features were added:
- fpg: A false positive generator to test the whole system under a defined load.
- An output option for snort to write statistics to a unix domain socket. This way statistics can be written via a perl script stats.pl to a RRD database.
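The sockserv/servsock scheme described above, as an added example (this is not FLoP's or Snort's own code): a bounded two-thread relay whose receive side never blocks on the slow sink, with FLoP's drop-and-summarise behaviour and the priority-based mail hook. The `sid|priority|msg|src|dst` line format and the sample alerts are constructed stand-ins for Snort's alert_unixsock records, and the mail threshold assumes the Snort 2.x convention that priority 1 is the most severe.

```python
"""Added example modelled on FLoP's sockserv/servsock design: a bounded,
two-thread alert relay that never lets a slow sink stall the receiving side.
Not FLoP's or Snort's code; the alert record format is constructed."""
import queue
import threading
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Snort 2.x classification priorities: 1 is the most severe. Mailing only
# priority-1 alerts is an assumed site policy, not a FLoP default.
MAIL_PRIORITY_THRESHOLD = 1


@dataclass
class Alert:
    sid: int
    priority: int
    msg: str
    src: str
    dst: str


def parse_alert_line(line: str) -> Alert:
    """Parse the constructed 'sid|priority|msg|src|dst' record."""
    sid, prio, msg, src, dst = line.rstrip("\n").split("|", 4)
    return Alert(int(sid), int(prio), msg, src, dst)


@dataclass
class RelayStats:
    received: int = 0
    dropped: int = 0
    forwarded_sids: List[int] = field(default_factory=list)
    dropped_summaries: List[str] = field(default_factory=list)
    mailed: List[str] = field(default_factory=list)


class BufferedRelay:
    """Receive side enqueues into a bounded buffer and returns at once; a
    forwarder thread drains it into the slow sink (network or database).
    When the buffer is full the alert is dropped and summarised (FLoP's
    drop feature) instead of blocking the producer, i.e. Snort."""

    def __init__(self, sink: Callable[[Alert], None], capacity: int,
                 mailer: Optional[Callable[[str], None]] = None) -> None:
        self._buf: "queue.Queue[Optional[Alert]]" = queue.Queue(maxsize=capacity)
        self._sink, self._mailer = sink, mailer
        self._lock = threading.Lock()
        self.stats = RelayStats()
        self._forwarder = threading.Thread(target=self._forward_loop, daemon=True)

    def start(self) -> None:
        self._forwarder.start()

    def receive(self, alert: Alert) -> bool:
        """Called on the receiving thread; never blocks on the sink."""
        with self._lock:
            self.stats.received += 1
        # Mail goes out before the enqueue attempt, so buffer pressure
        # during an attack cannot silence the most severe events.
        if self._mailer and alert.priority <= MAIL_PRIORITY_THRESHOLD:
            note = f"sid={alert.sid} prio={alert.priority} {alert.msg} {alert.src}->{alert.dst}"
            self._mailer(note)
            with self._lock:
                self.stats.mailed.append(note)
        try:
            self._buf.put_nowait(alert)
            return True
        except queue.Full:
            with self._lock:
                self.stats.dropped += 1
                self.stats.dropped_summaries.append(f"dropped sid={alert.sid} {alert.src}->{alert.dst}")
            return False

    def _forward_loop(self) -> None:
        while True:
            alert = self._buf.get()
            if alert is None:          # shutdown sentinel
                break
            self._sink(alert)          # the only call that may block
            with self._lock:
                self.stats.forwarded_sids.append(alert.sid)

    def close(self) -> None:
        self._buf.put(None)            # waits for room; acceptable at shutdown
        self._forwarder.join()


# Constructed sample records, not real Snort output.
SAMPLE_ALERTS = [
    "1000001|3|ICMP PING NMAP|10.0.0.5|10.0.0.1",
    "1000002|1|EXPLOIT attempted admin gain|10.0.0.7|10.0.0.2",
    "1000003|2|WEB-ATTACKS /etc/passwd access|10.0.0.9|10.0.0.2",
    "1000004|3|SCAN SYN FIN|10.0.0.5|10.0.0.3",
    "1000005|2|POLICY FTP anonymous login|10.0.0.4|10.0.0.2",
    "1000006|3|ICMP PING NMAP|10.0.0.5|10.0.0.4",
    "1000007|2|WEB-MISC cmd.exe access|10.0.0.9|10.0.0.2",
    "1000008|1|EXPLOIT attempted admin gain|10.0.0.7|10.0.0.6",
]


def relay_burst(lines: List[str], capacity: int) -> RelayStats:
    """Replay a burst while the sink is stalled (slow database), then drain.
    The two events only make the demonstration deterministic."""
    sink_busy = threading.Event()    # set once the sink holds an alert
    sink_free = threading.Event()    # set when the 'database' recovers

    def slow_sink(alert: Alert) -> None:
        sink_busy.set()
        sink_free.wait()

    relay = BufferedRelay(slow_sink, capacity, mailer=lambda note: None)
    relay.start()
    alerts = [parse_alert_line(line) for line in lines]
    relay.receive(alerts[0])
    sink_busy.wait()                 # first alert is now stuck in the sink
    for alert in alerts[1:]:         # the rest arrive while it is stuck
        relay.receive(alert)
    sink_free.set()
    relay.close()
    return relay.stats


if __name__ == "__main__":
    s = relay_burst(SAMPLE_ALERTS, capacity=3)
    print(f"received={s.received} forwarded={len(s.forwarded_sids)} dropped={s.dropped} mailed={len(s.mailed)}")
```

With capacity 3 and the eight sample records, four alerts are forwarded in order, four are dropped with one-line summaries, and both priority-1 alerts are mailed even though the second of them was dropped. That last point is the design choice worth keeping: the buffer fills during an attack, which is exactly when the severe events arrive.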
Snort - The Lightweight Network Intrusion Detection System -- main Snort site
Snort-Setup for Statistics HOWTO
Snort Websites
- Activeworx, Inc. - Sponsor of the tools that are located on this website.
- WinSnort.com - Great place to gather more information about running Snort on windows.
- Snort.org - Homepage for Snort.
- Sourcefire - Developers of Snort.
- bleedingsnort.com - Clearinghouse for Snort rules and up to the minute threats and ideas.
Snort Books
- Managing Security with Snort and IDS Tools (2004) - by Christopher Gerg, Kerry J. Cox - Amazon
- Snort 2.1 Intrusion Detection, Second Edition (2004) - by Jay Beale and Brian Caswell - Amazon
- Snort for Dummies (2004) - by Charlie Scott, Paul Wolfe, Bert Hayes - Amazon
- Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID (2003) - by Rafeeq Rehman - Amazon
- Intrusion Detection with Snort (2003) - by Jack Koziol - Amazon
- Network Intrusion Detection (3rd Edition) - by Stephen Northcutt, Judy Novak - Amazon
Snort Documentation
- Official Snort Documentation
- Snort Setup Guides
- Winsnort.com Installation Guides
- Construction and Use of a Passive Ethernet Tap
Snort Add-Ons
- SnortSam - allows for automated blocking of IP addresses on firewalls.
- Snort Inline - Turn Snort into an IPS
- IDMEF - XML plugin for Snort to output alert events in the form of IDMEF messages.
- BASE - Basic Analysis and Security Engine
- SGUIL - Cross Platform Snort Gui to view events
Sourcefire Network Security - Intrusion Sensor -- commercial version of Snort (appliances).
Alternative source download page: http://www.scorpions.net/~fygrave/snort-current.tar.gz (Fyodor)
Debian Administration Using the 'snort' Intrusion Detection System
Third Party Tools - Snort Forums Archive
Neohapsis Archives - Snort Discuss
Whitehats Network Security Resource -- contains a useful database of snort rule interpretations
Snort Documentation -- by Andrew R. Baker (in HTML)
Neohapsis Archives -- snort mail list -- pretty useful
snort internals -- Fyodor's document
Incident.org's Snort Database Plugin Page -- contains the latest information about database support for Snort. The latest database plug-in provides support for logging to MySQL, PostgreSQL, and any database supported by unixODBC.
[PDF] Snort Users Manual 2.4.0
Snort Documentation -- Patrick Harper's documents.
Snort Documentation (2000, slightly outdated)
the Bleeding Edge of Snort - Documentation
Snort Installation Guide with BASE and MySQL (Wednesday, December 08 2004, contributed by jonkman): Ghaith Nasrawi has just posted a very detailed and useful installation guide to get you going with BASE and snort on MySQL. Very useful if you're trying to get into the IDS arena and need a little push.
[Snort-users] Improving the rule IDS212 - MISC - DNS Zone Transfer
[Sept 30, 2005] BigAdmin Feature Article: Introduction to Intrusion Detection With Snort by Amy Rich. A pretty superficial article, but it can still serve as a template for your own documentation.
Abstract: After a brief discussion of intrusion detection systems (IDS), this article focuses on a pattern-matching network-based IDS, Snort.
Contents: var statements, include statements, config statements, preprocessor statements, output statements.
Joseph Dries, first of two articles on Snort:
As soon as someone discovers a new computer security vulnerability, hordes of crackers start knocking at the doors of computers worldwide to see if they can penetrate their defenses. Many sites employ a combination of border router firewalls and host-based packet filters and wrappers to protect themselves, but what if the vulnerability is in the very mechanism that's used to secure a service? How can systems administrators know that their machines are under attack and/or have been compromised? The best way to catch the crackers in the act is to use an intrusion detection system (IDS).
Snort is an Open Source, multiplatform, lightweight Intrusion Detection System. What does that really mean, and why should you consider deploying it? In this first of two articles on Snort, Joseph Dries helps you decide whether it is a good choice for your needs.
[Jun 15, 2001] Implementing Snort A Lightweight Intrusion Detection System Installing Snort by Joseph Dries.
Implementing Snort can be a bit daunting for those unfamiliar with Intrusion Detection Systems. This second article on Snort walks you through the process of obtaining, installing, configuring, testing, and managing Snort in a multiplatform computing environment.
[Jul 27, 2000] Sysadmin, September 2000: Snort - A Look Inside an Intrusion Detection System by Kristy Westphal. This article will explore setting up Snort, how to use the various plugins, how to interpret the output of packet captures from Snort, and how it can complement other IDS's.
[July 17, 2000] SecurityFocus: Snort Installation and Basic Usage by Dale Coddington. This is a Solaris-specific article that covers installation and usage.
These instructions have been tested with the following:
- Slackware 4.x
- Solaris 7 (SPARC and Intel)
- FreeBSD 4.0
Gathering the Required Software
- Snort (www.snort.org). This paper is based on the most recent version of Snort, v1.6.2.2 (the version used in the commands below).
- libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z). Snort requires libpcap for packet capture. BSD derivatives typically include libpcap; Linux typically does not.
After downloading the required software packages, store them in /usr/local.
Installation
- Step 1 - Install libpcap (skip to Step 2 if you already have libpcap installed)
# gzip -d -c libpcap.tar.Z | tar xvf -
# cd libpcap-0.4/
# ./configure
# make
# make install
# make install-incl
# make install-man
- Step 2 - install Snort
# gzip -d -c snort-1.6.2.2.tar.gz | tar xvf -
# cd snort-1.6.2.2/
# ./configure
# make
# make install
Using Snort
To see how snort can be used to read packets off the wire, try the following command:
# snort -v
[Jul 27, 2000] Network Intrusion Detection Using Snort
"This document takes you through the basics of intrusion detection, the steps necessary to configure a host to run the snort network intrusion detection system, testing its operation, and alerting you to possible intrusion events."
[Jul 27, 2000] Snort Portscan Preprocessor
ZDNet eWEEK: The software that cried wolf -- This is a universal problem, and Snort is no exception: too many false positives, especially from virus rules, are a real nuisance...
Chances are, your company's intrusion detection software stopped suspicious-looking traffic today. Chances are, it was a false alarm, too.
Network attacks, including distributed denial-of-service and buffer overflow incursions, have put intrusion detection software on the front line in the battle against hackers. But the wider the deployment of intrusion detection, the more administrators are realizing the technology's limits and frustrations.
The reason: Too often, the software puts out false-positive alerts, which warn administrators about traffic that turns out to be innocuous but still send IT managers scurrying to plug security holes.
"It got to an absurd point, where every other day we were literally just blowing away our log file," said Robert Boyle, CEO of Tellurian Networks Inc., a managed-service provider in Newton, N.J.
Technically, false-positive intrusions are a hard problem for software companies to solve. The technology is a slave to a statistical phenomenon called the base rate fallacy. Attacks are rare relative to the amount of traffic coming into a network. The rarer the event, the more accurate the test must be to be useful. Right now, intrusion detection is not accurate enough and returns more false positives than true positives.
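The base-rate fallacy the article invokes, worked through as an added example (not part of the eWEEK piece): P(attack | alert) by Bayes' rule, the same equation solved for the false-alarm rate a given alert precision demands, and the resulting daily alert counts. All rates are constructed illustrative numbers, not measurements of any IDS.

```python
"""Added example of the base-rate fallacy for IDS alerts; not from the
eWEEK article. Every rate here is a constructed illustration."""


def positive_predictive_value(base_rate: float, tpr: float, fpr: float) -> float:
    """P(attack | alert) by Bayes' rule.

    base_rate: fraction of observed events (packets, sessions) that are attacks
    tpr:       P(alert | attack), the detection rate
    fpr:       P(alert | benign), the false-alarm rate per benign event
    """
    true_alerts = base_rate * tpr
    false_alerts = (1.0 - base_rate) * fpr
    return true_alerts / (true_alerts + false_alerts)


def required_fpr(base_rate: float, tpr: float, target_ppv: float) -> float:
    """Largest false-alarm rate that still yields target_ppv, obtained by
    solving target = p*tpr / (p*tpr + (1-p)*fpr) for fpr."""
    return base_rate * tpr * (1.0 - target_ppv) / ((1.0 - base_rate) * target_ppv)


def daily_alerts(events_per_day: float, base_rate: float, tpr: float, fpr: float):
    """Expected (true, false) alert counts per day for a given traffic volume."""
    attacks = events_per_day * base_rate
    return attacks * tpr, (events_per_day - attacks) * fpr


if __name__ == "__main__":
    p, tpr, fpr = 1e-5, 0.99, 1e-3       # constructed: one attack per 100k events
    print(f"PPV = {positive_predictive_value(p, tpr, fpr):.4f}")
    print(f"FPR needed for PPV 0.5: {required_fpr(p, tpr, 0.5):.2e}")
    print("alerts/day (true, false):", daily_alerts(1e8, p, tpr, fpr))
```

With one attack per 100,000 events, a 99% detection rate and a 0.1% false-alarm rate, fewer than 1% of alerts are real; to make half of them real the false-alarm rate has to fall to about 1e-5, the same order as the attack rate itself. That is the sense in which "the rarer the event, the more accurate the test must be".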
Note: This is a very questionable approach...
FLoP - Fast Logging Project for Snort (project description quoted above)
Copyright © 1996-2021 by Softpanorama Society. www.softpanorama.org was initially created as a service to the (now defunct) UN Sustainable Development Networking Programme (SDNP) without any remuneration. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License. Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Created May 15, 2003; Last updated: March 12, 2019
Slashdot reader comments on where to plug a sensor in:
by Outland Traveller (http://www.amergin.org/) on Thursday May 29, 05:53PM:
Errr, buy a cheap hub and be done with it if your router is a T1 or less. It will run virtually forever without impacting performance.
If you are a hardware snob then go out and buy an expensive hub to the specifications you desire. All the big boys make them.
by smnolde (http://www.smnolde.com:7080/) on Thursday May 29, 06:07PM:
What you could use is an OpenBSD computer in a bridging configuration. It takes about ten minutes to set up and you can look at all the traffic there or tee it off to another NIC. The bridge requires two NICs, and a third for the tee.
I've done something similar and it works great.
by DaveAtFraud on Friday May 30, 01:25PM:
Another alternative... replace your unmanaged switch with a used, managed switch. I picked up a Bay Networks BayStack 24T (24 port, autoswitch 10/100, supports VPNs, trunking, spanning, etc.) for $125 from a local company that was also downsizing their network infrastructure. All the docs are on-line (PDF). You can probably find something equivalent (both price and capability) on eBay.