295_Snort2e_10.qxd 5/6/04 9:51 AM Page 502 502 Chapter 10 • Optimizing Snort -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- src_addr:0 dst_addr:127.0.0.1 nb:1 ttl:1 sending : teardrop sending : land sending : get_phf sending : bind_version sending : get_phf_syn_ack_get sending : ping_of_death sending : syndrop sending : newtear sending : X11 sending : SMBnegprot sending : smtp_expn_root sending : finger_redirect sending : ftp_cwd_root sending : ftp_port sending : trin00_pong sending : back_orifice sending : msadcs 245.146.219.144 -> 127.0.0.1 80/tcp GET /msadc/msadcs.dll HTTP/1.0 sending : www_frag 225.158.207.188 -> 127.0.0.1 80/fragmented-tcp GET / HTTP/1.0 181.114.219.120 -> 127.0.0.1 80/fragmented-tcp GET /AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/ /cgi-bin/phf HTTP/1.0 (cut remaining tool dump to save page space) Sneeze Sneeze (http://snort.sourceforge.net/sneeze-1.0.tar) took a somewhat different approach than the two previous IDS benchmarking tools. Written by Brian Caswell and Don Bailey, Sneeze was designed to parse Snort IDS rules files with www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 503 Optimizing Snort • Chapter 10 503 the goal of generating sensor false positives, or fake attacks. Sneeze implements an ingenious tool concept that exposes potential issues that administrators face during the continuous battle of monitoring IDSs and eliminating false positive issues. A significant amount of time is spent analyzing network attacks via the alert and packet logs from Snort, since one of the underlying goals for all IDSs is to provide pertinent, accurate information. A simple attack intrusion detection signature matches malicious packets destined for a sensitive host, but the true value of an IDS is shown through complicated signatures and rules that correlate malicious attack strings and their corresponding target responses. Sneeze allows you to become familiar with the Snort rules that are prone to false positives and the intricacies in determining if indeed the attack is legitimate. Sneeze serves as a free yet useful tool for quickly tracking and testing IDS sensors in a production environment.The latest release of the tool has been tested with Snort 1.8 and its corresponding ruleset. Sneeze is a command-line tool written in Perl that can only be run from UNIX-based platforms.The default parameters the tool requires are the destina- tion host and rules file. Additional options are available. We feel that each of the options is more or less self explanatory, so we only include a tool dump here: Usage C:\sneeze\sneeze.pl -d <dest host> -f <rule file> [options] -c count Loop X times. -1 == forever. Default is 1. -s ip Spoof this IP as source. Default is your IP. -p port Force use of this source port. -i interface Outbound interface. Default is eth0. -x debug Turn on debugging information. -h help Duh? This is it. There are only two prerequisites to running the tool. First, you must have a good Snort rules file that you intend to use to feed data to the Sneeze engine. Varying combinations of content and destination port and IP addresses are char- acteristics of a good rules file. In addition, you also need to preinstall the Net::RawIP Perl module. Sneeze uses this module to lay the groundwork for writing raw packets, spoofed packets, and general packet transmission.You can download the Net::RawIP module from www.cpan.org/modules/by-module/Net/. The biggest downside of the tool is that it can only be run in the UNIX- based environment, strictly because it uses the Net::RawIP module. Unfortunately, the designer did not create it to be platform neutral. www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 504 504 Chapter 10 • Optimizing Snort TCPReplay TCPReplay is one of the most useful and straightforward tools that is at your disposal for testing your Snort installation. In short,TCPReplay was created to replay captured TCP PCAP files back “on the wire.” One of the most interesting yet somewhat conventionally useless features is the ability to sniff and store packets from one interface while writing those same packets to a different inter- face. As you might imagine, this feature has the potential to be very fun and pro- vide numerous challenges in regard to data bridging or manipulation.This application provides you with the functionality to sniff, modify, and replay packets across the wire. Another key feature for this application is to store attack sequences in PCAP files with interests in replaying those attacks over and over again, quickly.This allows you to save an extraordinary amount of time since you would only have to run a command-line tool with a switch that leverages a saved input file.The -f option allows you to even save more time by saving tested command-line con- figurations within a text configuration file, whereas you could quickly launch the program and point it at that program. The looping feature, the -l switch, allows you to replay a single file multiple times, throwing the same packets on the wire multiple times. When used in combination with the -R argument (replay the packets as fast as possible), TCPReplay becomes a must-have tool to aid in stress-testing your Snort install. The last key option that most users commonly forget is the -1 (the numeral one) option, which allows you to send a single packet every time you press a key on your keyboard.This is especially useful if you are testing particular rules within your Snort configuration and would like to see if certain rules are flag- ging known attacks or analyze response times. It is a common practice for large enterprises and managed security service providers to utilize this feature for hun- dreds of attacks and determine the response time for their correlation technology and analysts.The following are the options and features that you may utilize in the current version of TCPReplay. Usage: tcpreplay [args] <file(s)> ■ -A “<args>” Pass arguments to tcpdump decoder (use w/ -v). ■ -b Bridge two broadcast domains in sniffer mode. ■ -c <cachefile> Split traffic via cache file. www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 505 Optimizing Snort • Chapter 10 505 ■ -C <CIDR1,CIDR2, > Split traffic by matching src IP. ■ -D Data dump mode (set this BEFORE -w and -W). ■ -f <configfile> Specify configuration file. ■ -F Fix IP,TCP, UDP and ICMP checksums. ■ -h Help. ■ -i <nic> Primary interface to send traffic out of. ■ -I <mac> Rewrite dest MAC on primary interface. ■ -j <nic> Secondary interface to send traffic out of. ■ -J <mac> Rewrite dest MAC on secondary interface. ■ -k <mac> Rewrite source MAC on primary interface. ■ -K <mac> Rewrite source MAC on secondary interface. ■ -l <loop> Specify number of times to loop. ■ -L <limit> Specify the maximum number of packets to send. ■ -m <multiple> Set replay speed to given multiple. ■ -M Disable sending Martian IP packets. ■ -n Not nosy mode (noenable promisc in sniff/bridge mode). ■ -N <CIDR1:CIDR2, > Rewrite IP addresses (pseudo NAT). ■ -o <offset> Starting byte offset. ■ -O One output mode. ■ -p <packetrate> Set replay speed to given rate (packets/sec). ■ -P Print PID. ■ -r <rate> Set replay speed to given rate (Mbps). ■ -R Set replay speed to as fast as possible. ■ -s <seed> Randomize src/dst IP addresses w/ given seed. ■ -S <snaplen> Sniff interface(s) and set the snaplen length. ■ -t <mtu> Override MTU (defaults to 1500). ■ -T Truncate packets > MTU so they can be sent. ■ -u pad|trunc Pad/truncate packets that are larger than the snaplen. www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 506 506 Chapter 10 • Optimizing Snort ■ -v Verbose: print packet decodes for each packet sent. ■ -V Version. ■ -w <file> Write (primary) packets or data to file. ■ -W <file> Write secondary packets or data to file. ■ -x <match> Only send the packets specified. ■ -X <match> Send all the packets except those specified. ■ -1 Send one packet per key press. ■ -2 <datafile> Layer 2 data. ■ <file1> <file2> File list to replay. If you quickly want to replay a file and do not need to analyze the results of the packets getting written to the wire, you need only specify the interface that you want to transmit on and the configuration file: root@harriford:/test [root@harriford test]# tcpreplay -i eth0 -f file sending on: eth0 Now leveraging our favorite feature, the -1 argument, we’ll show you how to send one packet at a time. As you can see by the Linux script file that captured our command and STDOUT stream,TCPReplay prompts you to press the Enter key after successfully sending the individual packets.The first example only sends one packet, as you can glean from the following. Script started on Thu 2 Apr 2004 04:09:59 PM EDT root@harriford:/test[root@harriford test]# tcpreplay pi eth0 -1 file -1 sending on: eth0 **** Press <ENTER> to send the next packet: **** Press <ENTER> to send the next packet: 1 packets (60 bytes) sent in 4.18 seconds 14.3 bytes/sec 0.00 megabits/sec 0 packets/sec This example sends an entire file one packet at a time. Notice how it prompts you to send the next packet after it outputs the packet header that was transmitted. Make no mistake that this is the packet header and will not include the payload, nor will it contain all the flags of the packet. root@harriford:/test[root@harriford test]# tcpreplay -i eth0 –l file –v -1 sending on: eth0 www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 507 Optimizing Snort • Chapter 10 507 **** Press <ENTER> to send the next packet: 12:24:39.529936 arp who-has 192.168.79.10 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:40.039930 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:41.449947 192.168.10.13.3042 > 192.168.30.230.ssh: P 2061464227:2061464263(36) ack 182807601 win 30 (DF) **** Press <ENTER> to send the next packet: 12:24:41.461231 192.168.30.ssh > 192.168.10.13.3042: . ack 36 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:42.039961 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:42.130655 arp who-has 192.168.10.120 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:43.030711 205.188.8.49.5190 > 192.168.10.13.3031: P 2721207987:2721208045(58) ack 2057068322 win 16384 (DF) **** Press <ENTER> to send the next packet: 12:24:43.196248 192.168.10.13.3031 > 205.188.8.49.5190: . ack 58 win 16716 (DF) **** Press <ENTER> to send the next packet: 12:24:43.511205 arp who-has 192.168.10.40 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:44.040280 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:44.449945 192.168.10.13.3093 > 192.168.30.171.ssh: P 2541684072:2541684108(36) ack 2140890790 win 16192 (DF) **** Press <ENTER> to send the next packet: 12:24:44.461258 192.168.30.171.ssh > 192.168.10.13.3093: . ack 36 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:46.049927 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:46.626381 arp who-has 192.168.10.40 tell 192.168.10.1 **** Press <ENTER> to send the next packet: www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 508 508 Chapter 10 • Optimizing Snort 12:24:46.963430 192.168.10.13.3042 > 192.168.30.230.ssh: P 36:72(36) ack 1 win 16500 (DF) **** Press <ENTER> to send the next packet: 12:24:46.972758 192.168.30.230.ssh > 192.168.10.13.3042: . ack 72 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:47.380193 205.188.8.49.5190 > 192.168.10.13.3031: P 58:118(60) ack 1 win 16384 (DF) **** Press <ENTER> to send the next packet: 12:24:47.499927 192.168.10.13.3031 > 205.188.8.49.5190: . ack 118 win 16656 (DF) **** Press <ENTER> to send the next packet: 12:24:48.050018 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:49.961361 192.168.10.13.3093 > 192.168.30.171.ssh: P 36:72(36) ack 1 win 16192 (DF) **** Press <ENTER> to send the next packet: 12:24:49.970187 192.168.30.171.ssh > 192.168.10.13.3093: . ack 72 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:50.058135 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:52.058599 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:52.970009 192.168.10.13.3042 > 192.168.30.230.ssh: P 72:108(36) ack 1 win 16500 (DF) **** Press <ENTER> to send the next packet: 12:24:52.979929 192.168.30.230.ssh > 192.168.10.13.3042: . ack 108 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:54.061184 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:55.861213 arp who-has 192.168.10.12 tell 192.168.10.1 **** Press <ENTER> to send the next packet: www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 509 Optimizing Snort • Chapter 10 509 12:24:55.969979 192.168.10.13.3093 > 192.168.30.171.ssh: P 72:108(36) ack 1 win 16192 (DF) **** Press <ENTER> to send the next packet: 12:24:55.980057 192.168.30.171.ssh > 192.168.10.13.3093: . ack 108 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:56.061448 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:56.870830 205.188.8.49.5190 > 192.168.10.13.3031: P 118:183(65) ack 1 win 16384 (DF) **** Press <ENTER> to send the next packet: 12:24:57.011311 192.168.10.13.3031 > 205.188.8.49.5190: . ack 183 win 16591 (DF) **** Press <ENTER> to send the next packet: 12:24:57.877652 arp who-has 192.168.10.2 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:57.882818 arp who-has 192.168.10.3 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:57.888295 arp who-has 192.168.10.4 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:58.066606 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 **** Press <ENTER> to send the next packet: 12:24:58.889928 arp who-has 192.168.10.12 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:58.971205 192.168.10.13.3042 > 192.168.30.230.ssh: P 108:144(36) ack 1 win 16500 (DF) **** Press <ENTER> to send the next packet: 12:24:58.979943 192.168.30.230.ssh > 192.168.10.13.3042: . ack 144 win 8576 (DF) [tos 0x10] **** Press <ENTER> to send the next packet: 12:24:59.597502 arp who-has 192.168.10.6 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.602729 arp who-has 192.168.10.7 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.608208 arp who-has 192.168.10.8 tell 192.168.10.1 **** Press <ENTER> to send the next packet: www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 510 510 Chapter 10 • Optimizing Snort 12:24:59.613320 arp who-has 192.168.10.9 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.624168 arp who-has 192.168.10.11 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.633763 4.11.150.188.3353 > 192.168.10.13.135: S 2355639698:2355639698(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) **** Press <ENTER> to send the next packet: 12:24:59.639793 arp who-has 192.168.10.14 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.645089 arp who-has 192.168.10.15 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.646625 192.168.10.13.3183 > 192.168.10.5.domain: 2+ PTR? 188.150.11.4.in-addr.arpa. (43) **** Press <ENTER> to send the next packet: 12:24:59.649925 arp who-has 192.168.10.16 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.649971 arp who-has 192.168.10.17 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.650103 192.168.10.5.domain > 192.168.10.13.3183: 2 1/5/0 (228) (DF) **** Press <ENTER> to send the next packet: 12:24:59.659954 arp who-has 192.168.10.18 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.660004 arp who-has 192.168.10.19 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.669925 arp who-has 192.168.10.20 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.669970 4.11.150.188.3361 > 192.168.10.21.135: S 2356091652:2356091652(0) win 64240 <mss 1460,nop,nop,sackOK> (DF) **** Press <ENTER> to send the next packet: 12:24:59.670038 192.168.10.21 > 4.11.150.188: icmp: host 192.168.10.21 unreachable - admin prohibited [tos 0xc0] **** Press <ENTER> to send the next packet: 12:24:59.681226 arp who-has 192.168.10.23 tell 192.168.10.1 **** Press <ENTER> to send the next packet: 12:24:59.689930 arp who-has 192.168.10.24 tell 192.168.10.1 **** Press <ENTER> to send the next packet: www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 295_Snort2e_10.qxd 5/6/04 9:51 AM Page 511 Optimizing Snort • Chapter 10 511 12:25:00.059967 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 59 packets (3953 bytes) sent in 17.37 seconds 232.0 bytes/sec 0.00 megabits/sec 3 packets/sec root@harriford:/test[root@harriford test]# exit Script done on Thu 2 Apr 2004 04:16:30 PM EDT In the last scenario, we sent a TCPReplay file out to the wire as fast as pos- sible, continuously. In addition to speed, we also specified that we wanted to see verbose output sent to STDOUT so that we could quickly analyze what packets were sent and when. [root@harriford test]# cd /home/kevin/tcpreplay –f file -i eth0 -R -v sending on: eth0 12:24:39.529936 arp who-has 192.168.10.41 tell 192.168.10.1 12:24:40.039930 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:41.449947 192.168.10.13.3042 > 192.168.30.230.ssh: P 2061464227:2061464263(36) ack 182807601 win 30 (DF) 12:24:41.461231 192.168.30.230.ssh > 192.168.10.13.3042: . ack 36 win 8576 (DF) [tos 0x10] 12:24:42.039961 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:42.130655 arp who-has 192.168.10.120 tell 192.168.10.1 12:24:43.030711 205.188.8.49.5190 > 192.168.10.13.3031: P 2721207987:2721208045(58) ack 2057068322 win 16384 (DF) 12:24:43.196248 192.168.10.13.3031 > 205.188.8.49.5190: . ack 58 win 16716 (DF) 12:24:43.511205 arp who-has 192.168.10.40 tell 192.168.10.1 12:24:44.040280 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:44.449945 192.168.10.13.3093 > 192.168.30.171.ssh: P 2541684072:2541684108(36) ack 2140890790 win 16192 (DF) 12:24:44.461258 192.168.30.171.ssh > 192.168.10.13.3093: . ack 36 win 8576 (DF) [tos 0x10] 12:24:46.049927 802.1d config 8000.00:03:e3:2f:69:c0.800e root 8000.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:46.626381 arp who-has 192.168.10.40 tell 192.168.10.1 12:24:46.963430 192.168.10.13.3042 > 192.168.30.230.ssh: P 36:72(36) ack 1 win 16500 (DF) www.syngress.com Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com [...]... Optimizing Snort Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com 12:24:46.9727 58 1 92.16 8. 30.230.ssh > 1 92.16 8. 10.13.3042: ack 72 win 85 76 (DF) [tos 0x10] 12:24:47. 380 193 205. 188 .8. 49.5190 > 1 92.16 8. 10.13.3031: P 58: 1 18( 60) ack 1 win 16 384 (DF) 12:24:47.499927 1 92.16 8. 10.13.3031 > 205. 188 .8. 49.5190: ack 1 18 win 16656 (DF) 12:24: 48. 0500 18 802.1d config 80 00.00:03:e3:2f:69:c0 .80 0e... root 80 00.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:49.961361 1 92.16 8. 10.13.3093 > 1 92.16 8. 30.171.ssh: P 36:72(36) ack 1 win 16192 (DF) 12:24:49.970 187 1 92.16 8. 30.171.ssh > 1 92.16 8. 10.13.3093: ack 72 win 85 76 (DF) [tos 0x10] 12:24:50.0 581 35 80 2.1d config 80 00.00:03:e3:2f:69:c0 .80 0e root 80 00.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:52.0 585 99 80 2.1d config... 12:24:52.0 585 99 80 2.1d config 80 00.00:03:e3:2f:69:c0 .80 0e root 80 00.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:52.970009 1 92.16 8. 10.13.3042 > 1 92.16 8. 30.230.ssh: P 72:1 08( 36) ack 1 win 16500 (DF) 12:24:52.979929 1 92.16 8. 30.230.ssh > 1 92.16 8. 10.13.3042: ack 1 08 win 85 76 (DF) [tos 0x10] 12:24:54.061 184 80 2.1d config 80 00.00:03:e3:2f:69:c0 .80 0e root 80 00.00:03:e3:2f:69:c0 pathcost... 80 00.00:03:e3:2f:69:c0 .80 0e root 80 00.00:03:e3:2f:69:c0 pathcost 0 age 0 max 20 hello 2 fdelay 15 12:24:55 .86 1213 arp who-has 1 92.16 8. 10.12 tell 1 92.16 8. 10.1 12:24:55.969979 1 92.16 8. 10.13.3093 > 1 92.16 8. 30.171.ssh: P 72:1 08( 36) ack 1 win 16192 (DF) 59 packets (3953 bytes) sent in 0.10 seconds 393960.5 bytes/sec 3.01 megabits/sec 588 0 packets/sec root@harriford:/test [root@harriford test] If you are wondering what a TCPReplay... enough www.syngress.com 523 524 Chapter 10 • Optimizing Snort Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Unfortunately, the list of commercially available intrusion detection testing appli­ cations and tools is short—or should we say that the list encompasses IDS Informer Blade Software’s IDS Informer is the only intrusion detection applica­ tion that has a graphical interface... their particular needs When Snort 1.5 was released, it added the capability for users to add preprocessor and detection plug-ins that could be used to add features without the need to understand the entire system Snort 1.6 added a similar mechanism for adding output plug-ins With this architecture, Snort started to accumulate many more ways to output events However, as Snort was deployed on faster... publicized and inappropriately hyped IDS testing tool, was released some ago to intrusion detection sensor developers Stick has several useful features, the most notable being speed.Yet it also has one very large downside: It does not effectively monitor and handle the packet and attack state, thereby allowing an intrusion detection engine to poten­ tially finger the tool A similar program, Snot, has... Ftester, Stick, and just about any other port and vulnerability scanner you can get your hands on Snort intrusion detection can be a highly effective and useful network appli­ cation in your environment if the proper thought and resources are leveraged throughout the entire NIDS implementation life cycle Snort can prove a great technological advantage in fighting digital enemies or simply a neglected... the mean time to complete the Snort installation process Finding and Eliminating Bottlenecks � Bottlenecks can range from small nuisances to major concerns that can lead to the complete breakdown of your intrusion detection deployment Review your configuration, installation, and hardware to help identify some of these bottlenecks � Both online and commercial help exists for Snort deployments � Do not underestimate... harder it will be to debug the scripts.The –i flag specifies the interface; the –n flag tells Snort to exit after one packet is received.This allows you to ensure that the rule is in the proper format: Test Syntax: snort –i eth0 –n 1 –c /Snort/ rules/example.rule Berkeley Packet Filter Tests Similar to testing individual Snort syntax rules, you have the ability to individual test BPF rules with the tcpdump . 1 92. 16 8 .10 .1 12 : 24:43.030 711 20 5 . 18 8 .8. 49. 519 0 > 1 92. 16 8 .10 .13 .30 31: P 27 2 12 0 7 987 :27 2 12 0 80 45( 58) ack 20 570 68 322 win 16 384 (DF) 12 : 24:43 .19 624 8 1 92. 16 8 .10 .13 .30 31 > 20 5 . 18 8 .8. 49. 519 0: . ack 58. 20 5 . 18 8 .8. 49. 519 0 > 1 92. 16 8 .10 .13 .30 31: P 58 :11 8( 60) ack 1 win 16 384 (DF) 12 : 24:47.499 927 1 92. 16 8 .10 .13 .30 31 > 20 5 . 18 8 .8. 49. 519 0: . ack 11 8 win 16 656 (DF) 12 : 24: 48. 050 0 18 8 02. 1d config 80 00.00:03:e3:2f:69:c0 .80 0e. 2 fdelay 15 12 : 24:44.449945 1 92. 16 8 .10 .13 .3093 > 1 92. 16 8. 30 .17 1.ssh: P 25 416 84 0 72: 25 416 8 410 8( 36) ack 21 4 089 0790 win 16 1 92 (DF) 12 : 24:44.46 12 5 8 1 92. 16 8. 30 .17 1.ssh > 1 92. 16 8 .10 .13 .3093: