
Snort® IDS/IPS Technology

Version 2.9

Sourcefire

Table of Contents

MODULE 1 Intrusion Sensing Technology, Challenges, and Sensor Deployment ..... 1

About This Module ..... 1
Module Objectives: ..... 1
What is Intrusion Sensing Technology? ..... 2
Host Based ..... 2
Network Based ..... 3
Evasion Techniques ..... 4
Packet Fragmentation Evasion Techniques ..... 4
Using Alternate String Expressions for Evasion ..... 8
Evasion Countermeasures ..... 9
Fragmentation Countermeasures ..... 9
Countering the Insertion Attack ..... 9
Dealing with the Alternate String Representation Problem ..... 9
Sensor Placement ..... 10
What Assets Do You Need to Protect? ..... 10
How Do You Intend to Use Your Intrusion Sensors? ..... 11
Bandwidth ..... 11
Network Topology ..... 12
Complex Network Environments ..... 12
Sensor Placement Options ..... 13
Sensor Management ..... 15
Module Summary ..... 17

MODULE 2 Introduction to Snort® Technology ..... 19

About This Module ..... 19
Module Objectives: ..... 19
What is Snort? ..... 20
Snort's Basic Architecture ..... 20
Packet Sniffing ..... 21
Snort's Packet Sniffer ..... 21
Packet Decoding ..... 21
Preprocessors ..... 22
Detection Engine ..... 23
Output Module ..... 24
Dynamic Plug-ins ..... 25
Module Summary ..... 26

MODULE 3 Snort Installation ..... 27

About This Module ..... 27
Module Objectives: ..... 27
Building a Secure OS Foundation ..... 28
Major Issues to Consider ..... 28
Class OS Installation ..... 28
Pre-installation Items ..... 29
The Base OS ..... 29
Snort Pre-installation ..... 30
Graphical Interface and Alert Analysis Tools ..... 31
Pre-installation ..... 31
About The Virtual Network ..... 33
Initializing The Virtual Network Infrastructure ..... 34
Exploring The Virtual Infrastructure ..... 34
Snort Installation ..... 36
Perform a Service Check ..... 36
Install Snort and Its Components ..... 37
Start Snort ..... 42
Configure Snort to Start Automatically ..... 45
Lab Wrap-Up ..... 46
Module Summary ..... 47

MODULE 4 Configuring Snort for Database Output and Graphical Analysis ..... 49

About This Module ..... 49

Module Objectives: ..... 49
The Unified2 Output Formats ..... 50
What is Produced With Unified Outputs? ..... 50
What do You do With Unified2 Output? ..... 50
Barnyard2 Data Processors ..... 51
Barnyard2 Output Plug-ins ..... 51
Installing Barnyard2 ..... 52
Obtain the Barnyard Distribution ..... 52
Configuration ..... 53
Configuration Declarations ..... 53
Configuring the Input and Output Plug-ins ..... 56
Barnyard Command Line Options ..... 58
Barnyard and Custom Rules ..... 60
Configuring the Database ..... 62
Set up the Graphical Interface ..... 65
Lab Exercises ..... 74
Lab #1: Barnyard2 Installation ..... 74
Lab #2: Database Configuration ..... 74
Lab #3: BASE Installation ..... 74
Lab #4: Barnyard2 Configuration Lab ..... 74
Lab #5: Implementing a Barnyard2 Startup Script ..... 77
Module Summary ..... 78

MODULE 5

About This Module ..... 79
Module Objectives: ..... 79
Overview of Snort Operation ..... 80
Snort as a Packet Sniffer ..... 80
Packet Logging with Snort ..... 85
Snort as an Intrusion Sensor ..... 87
Configuration Reloading ..... 89
Lab Exercises ..... 91
Lab #1: Operating Snort
Module Summary ..... 92

MODULE 6 Snort Configuration ..... 93

About This Module ..... 93
Module Objectives: ..... 93
snort.conf: Snort's Primary Configuration File ..... 94
snort.conf Overview ..... 94
Step 1: Set the Network Variables ..... 95
Variables ..... 95
Default Variables ..... 96
The Snort Decoder Options ..... 100
Step 2: Configure the Decoder ..... 101
Step 3: Configure the Base Detection Engine ..... 104
Packet Performance Monitoring ..... 106
Understanding Packet Latency Thresholding ..... 107
The Benefits of Packet Latency Thresholding ..... 108
Configuring Packet Latency Thresholding Settings ..... 108
Understanding Rule Latency Thresholding ..... 109
The Benefits of Rule Latency Thresholding ..... 110
Setting Rule Latency Thresholding Options ..... 110
Setting Performance Profiling Options ..... 112
Setting Protocol Aware Flushing ..... 112
Step 4: Configure Dynamic Loaded Libraries ..... 113
Step 5: Configure Preprocessors ..... 114
Step 6: Configure Output Plug-ins ..... 115
alert_syslog ..... 116
log_tcpdump ..... 116
database ..... 117
Prelude ..... 117
Metadata Reference Data ..... 117
Step 7: Customize Your Rule Set ..... 118
Working with Rule Files ..... 118
Step 8: Customize Your Preprocessor and Decoder Rules ..... 119
Step 9: Customize Your Shared Object Rules ..... 120
Additional Config Directives ..... 121
Lab Exercises ..... 140
Lab #7: Configure Your IDS/IPS Installation ..... 140

MODULE 7 Configuring Snort Preprocessors

About This Module ..... 143
Configuring Snort Preprocessors ..... 144
Preprocessor Events ..... 145
Normalizer ..... 146
frag3 ..... 148
Stream5 Preprocessor ..... 153
Performance Statistics ..... 157
HTTP_inspect ..... 160
RPC_decode ..... 176
bo: Back Orifice Detector ..... 176
FTPTelnet ..... 177
SMTP ..... 183
sfPortscan ..... 188
ARPSpoof ..... 194
SSH ..... 195
DCE/RPC2 ..... 197
DCERPC2 Global Configuration: ..... 197
DCERPC2 Server Configuration ..... 198
DNS ..... 200
SSL ..... 201
Sensitive Data ..... 202
Session Initiation Protocol ..... 203
IMAP ..... 205
POP ..... 207
Reputation ..... 209
Lab Exercises ..... 210
Lab #1: Configure Your IDS/IPS Installation ..... 210
Lab #2: Stream Reassembly ..... 211
Lab #3: Reassembly Policy
Module Summary ..... 215

MODULE 8 Keeping Rules Up To Date ..... 217

About This Module
Module Objectives: ..... 217

Rule Maintenance ..... 218
Obtaining Updated Rules ..... 218
VRT Certified Rules ..... 218
Changing Rule Sets ..... 220
Some Things to Consider ..... 220
Automating the Rule Update Process ..... 221
Installing PulledPork ..... 222
Configuring PulledPork ..... 222
Configuring Location Options ..... 223
Configuring the Temporary Directory and Path ..... 224
Configuring the Rules Files, Directories and Sid-msg.map ..... 224
Configuring the SO_Rules ..... 225
Optional Settings ..... 227
Files ..... 228
Rule Modification ..... 228
Selecting Rulesets ..... 228
Rule State Modifications ..... 230
Rule Categories ..... 231
Rule Modifications ..... 233
PulledPork Command Line Syntax ..... 234
PulledPork Commands ..... 236
Lab Exercises ..... 237
Lab #1: PulledPork Installation ..... 237
Lab #2: Configuration Lab ..... 237
Lab #3: Modify the Optional Settings ..... 238
Lab #4: Modify the snort.conf ..... 239
Lab #5: Modify the disablesid.conf ..... 239
Lab #6: Rule Update Exercises ..... 240
Lab #7: Verify the Rule Count ..... 240
Module Summary ..... 241

MODULE 9 Rules ..... 243

About This Module ..... 243
Module Objectives: ..... 243
Overview of Snort Rules ..... 244
What is a Rule? ..... 244
Anatomy of a Rule ..... 245
Rule Headers ..... 246

Rule Actions ..... 247
Protocols ..... 248
Source and Destination IPs ..... 248
Source and Destination Ports ..... 249
Specifying Direction ..... 249
The Rule Body ..... 250
Options, Keywords and Arguments in Rules ..... 250
Defining the Event Message ..... 251
Event Classification ..... 251
Content Matches ..... 254
Constraining Content Matches ..... 254
Flow ..... 257
Snort ID Option ..... 258
Rule Revision Number ..... 258
Writing Rules ..... 259
The Rule Creation Process ..... 259
Rule File Locations and Conventions ..... 260
Good Rule Writing Habits ..... 261
Use Non-payload Detection Rule Options First ..... 261
Use the Flow Option When Applicable ..... 262
Content Match Wisdom ..... 263
Variables and Variable Usage ..... 264
Write Rules to the Vulnerability not the Exploit ..... 265
Troubleshooting Rules ..... 266
Isolate Misbehaving Rules ..... 266
Check Your Packet Captures ..... 267
Lab Exercises ..... 268
Lab #1: Writing Custom Rules ..... 268
Module Summary ..... 269

MODULE 10 Using PCRE in Rules ..... 271

About This Module ..... 271
Module Objectives: ..... 271
What are Regular Expressions ..... 272
What is PCRE? ..... 272
Regex Basics ..... 273
Character Types in Regex ..... 273

More on Metacharacters ..... 274
Character Classes ..... 277
Interesting Combinations ..... 279
Summary of Regex Options ..... 281
Testing Your Regular Expressions ..... 283
PCRE Usage in Rules ..... 285
PCRE Usage Considerations in Snort Rules ..... 285
PCRE Usage ..... 287
Lab Exercises ..... 288
Lab #1: Using PCRETEST to Test Regex Options ..... 288
Lab #2: Use PCRETEST to Test Custom Regular Expressions ..... 288
Lab #3: Writing Rules That Contain PCRE ..... 289
Lab #4: Use PCRETEST to Test Custom Regular Expressions ..... 290
Module Summary ..... 291

MODULE 11 General Rule Options and Usage ..... 293

About This Module
Module Objectives:
General Rule Options and Usage Examples ..... 294
General Rule Options ..... 294
Payload Detection Rule Options ..... 300
Non-payload Detection Rule Options ..... 332
Post-detection Rule Options ..... 346
Module Summary ..... 352

MODULE 12 Basic Snort Tuning ..... 353

About This Module ..... 353
Module Objectives: ..... 353
Why Tune? ..... 354
Checking Performance ..... 354
Event Filtering ..... 359
Configuring Event Filters ..... 359
Suppression ..... 362
Applying Event Filtering and Suppression to Preprocessor Alerts ..... 363
Lab Exercises ..... 364

Lab #1: Using Event Filtering ..... 364
Lab #2: Using Suppression ..... 367
Module Summary ..... 369

MODULE 13 Active Response in Snort ..... 371

About This Module ..... 371
Module Objectives: ..... 371
Installing Swatch ..... 372
Configuring Swatch ..... 373
Configuring Swatch to Work With Snort Alerts ..... 374
Lab Exercises ..... 375
Lab #1: Install Swatch ..... 375
Lab #2: Configure Swatch ..... 375
Lab #3: Actively Responding to Snort Alerts with Swatch ..... 376
Lab #4: Execute a Script with Swatch Responses ..... 377
Module Summary ..... 379

MODULE 14 Building A Snort IPS Installation ..... 381

About This Module ..... 381
Module Objectives: ..... 381
IPS vs. IDS ..... 382
IDS Mode Deployment ..... 383
IPS Mode Deployment ..... 384
IPS Mode Configuration ..... 385
Hardware Considerations ..... 385
Software Considerations ..... 385
How Snort Works in IPS Mode ..... 387
Policy Modes ..... 388
IPS Installation Process ..... 389
Software Requirements ..... 389
Prepare the Virtual Machines for IPS Deployment ..... 389
Preliminary Installation and Configuration ..... 390
Modify Snort DAQ Mode ..... 390
Configure and Test the Snort Startup Scripts ..... 392

Lab Exercises ..... 396
Lab #1: Using The Drop Action ..... 396
Lab #2: Replacing Content ..... 397
Module Summary ..... 398

MODULE 15 Building a Distributed Snort Installation ..... 399

About This Module ..... 399
Module Objectives: ..... 399
Overview of a Distributed Architecture ..... 400
Planning The Distributed Architecture ..... 400
Configuration Overview
Implementing The Distributed Architecture ..... 403
Disable Local Services on snortbox ..... 403
Compile Stunnel ..... 403
An Overview of How Stunnel is Implemented ..... 404
Review Configuration of Stunnel on lamp ..... 405
Configure Stunnel to Run On Snortbox ..... 407
Testing the Tunnel ..... 408
Configuring the Sensors to Report to the Database on lamp ..... 409
Lab Exercises ..... 410
Lab #1: Perform The Distributed Installation ..... 410
Module Summary ..... 411

MODULE 16 Miscellaneous Alerting and Detection Features ..... 413

About This Module ..... 413
Module Objectives:
Managing Decoder & Preprocessor Alerts ..... 414
Decoder & Preprocessor Alert Actions ..... 414
Configuring Decoder & Preprocessor Alerts ..... 414
Decoder/Preprocessor Alert Configuration ..... 416
Sensitive Data Rules ..... 417
Custom Matches ..... 418
Host Attribute Table Capability ..... 419
Host Attribute Files ..... 419
Defining Host Attributes ..... 421
Triggering Rules On Host Attribute Defined Services ..... 427

Multiple Configurations ..... 428
Creating Multiple Configs ..... 428
Configuration Options ..... 428
Rules ..... 429
Variables ..... 429
Preprocessors ..... 430
Events and Output ..... 430
How Configuration is Applied? ..... 431
Lab Exercises ..... 432
Lab #1: Implementing A Host Attribute Table ..... 432
Module Summary ..... 431

MODULE 17 Alert Database Management ..... 435

About This Module ..... 435
Module Objectives: ..... 435
Overview of The Snort Database
Basic MySQL Commands ..... 437
Setting Up and Securing Accounts ..... 437
Creating and Using Databases ..... 438
Working With Database Tables ..... 439
Backup & Restore ..... 443
Backup ..... 443
Restore ..... 444
Creating and Using the Archive Database ..... 445
Creating the Archive Database ..... 445
Moving Alerts to The Archive Database ..... 448
General Alert Management ..... 450
Creating Alert Groups ..... 451
Assigning Items To An Alert Group ..... 452
Other Database Management and Maintenance Tasks ..... 454
Deleting Alert Data With BASE ..... 454
Lab Exercises ..... 455
Lab #1: Exploring The Database ..... 455
Lab #2: Backing Up Your Alert Database ..... 455
Lab #3: Creating an Archive Database ..... 455
Lab #4: Creating Alert Groups ..... 456
Lab #5: Database Maintenance ..... 456

Module Summary ..... 457

MODULE 18 Sensor Performance & Performance Monitoring ..... 459

About This Module ..... 459
Module Objectives: ..... 459
Hardware Considerations ..... 460
CPU & Memory ..... 460
The System Bus ..... 461
The NIC ..... 462
Disk Drives ..... 462
Software & Configuration Considerations ..... 463
Using The Memory Mapped Buffers ..... 463
Other Performance Enhancing Suggestions ..... 465
Performance Profiling ..... 466
Enabling The Profiling Feature ..... 466
Configuring Rule Profiling ..... 466
Configuring Preprocessor Profiling ..... 469
Interpreting Profiling Data ..... 471
Lab Exercises ..... 472
Lab #1: Profiling Lab ..... 472
Lab #2: Testing Rules With Performance Profiling ..... 473
Module Summary ..... 474

MODULE 19 Event Analysis & Enterprise Tuning Strategies ..... 475

About This Module ..... 475
Module Objectives: ..... 475
Analyzing Events ..... 476
Classifying & Qualifying Alerts ..... 476
Alerts Related To Misconfigurations ..... 476
False Positives ..... 477
Incidents ..... 478
Snort Tuning Strategies ..... 481
Variables And Variable Usage ..... 481
Strategies For Defining $HOME_NET Vs. $EXTERNAL_NET ..... 481
Other Considerations Regarding Variables ..... 485
Rule Set Customization Strategies ..... 485

Preprocessor Tuning Strategies ..... 486
frag3 ..... 486
Stream5 ..... 487
HTTP_Inspect ..... 487
Module Summary ..... 490
