version 2.9
Sourcefire
Table of Contents
Sensor Placement ..... 10
What Assets Do You Need to Protect? ..... 10
How Do You Intend to Use Your Intrusion Sensors? ..... 11
Bandwidth ..... 11
Network Topology ..... 12
Complex Network Environments ..... 12
Sensor Placement Options ..... 13
Sensor Management ..... 15
Module Summary ..... 17
MODULE 4 Configuring Snort for Database Output and Graphical Analysis ..... 49
About This Module ..... 49
Notes:
ii
Module Objectives: ..... 49
The Unified2 Output Formats ..... 50
What is Produced With Unified Outputs? ..... 50
What do You do With Unified2 Output? ..... 50
Barnyard2 Data Processors ..... 51
Barnyard2 Output Plug-ins ..... 51
Installing Barnyard2 ..... 52
Obtain the Barnyard Distribution ..... 52
Configuration ..... 53
Configuration Declarations ..... 53
Configuring the Input and Output Plug-ins ..... 56
Barnyard Command Line Options ..... 58
Barnyard and Custom Rules ..... 60
Configuring the Database ..... 62
Setup the Graphical Interface ..... 65
Lab Exercises ..... 74
Lab #1: Barnyard2 Installation ..... 74
Lab #2: Database Configuration ..... 74
Lab #3: BASE Installation ..... 74
Lab #4: Barnyard2 Configuration Lab ..... 74
Lab #5: Implementing a Barnyard2 Startup Script ..... 77
Module Summary ..... 78
MODULE 5
About This Module ..... 79
Module Objectives: ..... 79
Overview of Snort Operation ..... 80
Snort as a Packet Sniffer ..... 80
Packet Logging with Snort ..... 85
Snort as an Intrusion Sensor ..... 87
Configuration Reloading ..... 89
Lab Exercises ..... 91
Lab #1: Operating Snort
Module Summary ..... 92
MODULE 6 Snort Configuration ..... 93
About This Module ..... 93
Module Objectives: ..... 93
snort.conf: Snort's Primary Configuration File ..... 94
snort.conf Overview ..... 94
Step 1: Set the Network Variables ..... 95
Variables ..... 95
Default Variables ..... 96
The Snort Decoder Options ..... 100
Step 2: Configure the Decoder ..... 101
Step 3: Configure the Base Detection Engine ..... 104
Packet Performance Monitoring ..... 106
Understanding Packet Latency Thresholding ..... 107
The Benefits of Packet Latency Thresholding ..... 108
Configuring Packet Latency Thresholding Settings ..... 108
Understanding Rule Latency Thresholding ..... 109
The Benefits of Rule Latency Thresholding ..... 110
Setting Rule Latency Thresholding Options ..... 110
Setting Performance Profiling Options ..... 112
Setting Protocol Aware Flushing ..... 112
MODULE 7 Configuring Snort Preprocessors
About This Module ..... 143
Rule Maintenance ..... 218
Obtaining Updated Rules ..... 218
VRT Certified Rules ..... 218
Changing Rule Sets ..... 220
Some Things to Consider ..... 220
Automating the Rule Update Process ..... 221
Installing PulledPork ..... 222
Configuring PulledPork ..... 222
Configuring Location Options ..... 223
Configuring the Temporary Directory and Path ..... 224
Configuring the Rules Files, Directories and Sid-msg.map ..... 224
Configuring the SO_Rules ..... 225
Optional Settings ..... 227
Files ..... 228
Rule Modification ..... 228
Selecting Rulesets ..... 228
Rule State Modifications ..... 230
Rule Categories ..... 231
Rule Modifications ..... 233
PulledPork Command Line Syntax ..... 234
PulledPork Commands ..... 236
Lab Exercises ..... 237
Lab #1: PulledPork Installation ..... 237
Lab #2: Configuration Lab ..... 237
Lab #3: Modify the Optional Settings ..... 238
Lab #4: Modify the snort.conf ..... 239
Lab #5: Modify the disablesid.conf ..... 239
Lab #6: Rule Update Exercises ..... 240
Lab #7: Verify the Rule Count ..... 240
Module Summary ..... 241
Rule Actions ..... 247
Protocols ..... 248
Source and Destination IPs ..... 248
Source and Destination Ports ..... 249
Specifying Direction ..... 249
The Rule Body ..... 250
Options, Keywords and Arguments in Rules ..... 250
Defining the Event Message ..... 251
Event Classification ..... 251
Content Matches ..... 254
Constraining Content Matches ..... 254
Flow ..... 257
Snort ID Option ..... 258
Rule Revision Number ..... 258
Writing Rules ..... 259
The Rule Creation Process ..... 259
Rule File Locations and Conventions ..... 260
Good Rule Writing Habits ..... 261
Use Non-payload Detection Rule Options First ..... 261
Use the Flow Option When Applicable ..... 262
Content Match Wisdom ..... 263
Variables and Variable Usage ..... 264
Write Rules to the Vulnerability not the Exploit ..... 265
Troubleshooting Rules ..... 266
Isolate Misbehaving Rules ..... 266
Check Your Packet Captures ..... 267
Lab Exercises ..... 268
Lab #1: Writing Custom Rules ..... 268
Module Summary ..... 269
More on Metacharacters ..... 274
Character Classes ..... 277
Interesting Combinations ..... 279
Summary of Regex Options ..... 281
Testing Your Regular Expressions ..... 283
PCRE Usage in Rules ..... 285
PCRE Usage Considerations in Snort Rules ..... 285
PCRE Usage ..... 287
Lab Exercises ..... 288
Lab #1: Using PCRETEST to Test Regex Options ..... 288
Lab #2: Use PCRETEST to Test Custom Regular Expressions ..... 288
Lab #3: Writing Rules That Contain PCRE ..... 289
Lab #4: Use PCRETEST to Test Custom Regular Expressions ..... 290
Module Summary ..... 291
Lab #1: Using Event Filtering ..... 364
Lab #2: Using Suppression ..... 367
Module Summary ..... 369
Installing Swatch ..... 372
Configuring Swatch ..... 373
Configuring Swatch to Work With Snort Alerts ..... 374
Lab Exercises ..... 375
Lab #1: Install Swatch ..... 375
Lab #2: Configure Swatch ..... 375
Lab #3: Actively Responding to Snort Alerts with Swatch ..... 376
Lab #4: Execute a Script with Swatch Responses ..... 377
Module Summary ..... 379
Lab Exercises ..... 396
Lab #1: Using The Drop Action ..... 396
Lab #2: Replacing Content ..... 397
Module Summary ..... 398
Multiple Configurations ..... 428
Creating Multiple Configs ..... 428
Configuration Options ..... 428
Rules ..... 429
Variables ..... 429
Preprocessors ..... 430
Events and Output ..... 430
How is Configuration Applied? ..... 431
Lab Exercises ..... 432
Lab #1: Implementing A Host Attribute Table ..... 432
Module Summary ..... 431
Module Summary ..... 457
Preprocessor Tuning Strategies ..... 486
frag3 ..... 486
Stream5 ..... 487
HTTP_Inspect ..... 487
Module Summary ..... 490