654 Chapter 12 • Active Response Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com may be difficult to detect the application modification at the client side (for example, buffer overflow attacks frequently involve trial and error before hitting the offsets correctly), and before the attack is able to cause any damage.This is even more interesting considering that most attacks that can result in an actual compromise instead of a DoS of a target system exploit an application-level vul­ nerability Snort_inline is meant to run on a Linux system that is running in bridging mode, and as such is an inline device Snort_inline make use of a packet queuing library called libipq that is provided by IPtables to allow the kernel to queue packets from kernel space to an application running in user space In our case, this application will be Snort_inline, which is a version of Snort that has been modified to use libipq as its packet collection mechanism instead of the standard libpcap (see www.tcpdump.org) After examining each packet in turn, Snort_inline will make a decision about whether to drop, reject, or alter the packet before sending on it way via libnet (see www.packetfactory.net/Projects/Libnet/) OINK! Both libpcap and libnet are two extremely important libraries used by many projects in the open-source community Libpcap is a packet cap­ ture library that can be used to assist in the creation of everything from a custom Ethernet sniffer to an IDS Libnet is a low-level interface used to create packets and put them on the wire Libnet can be used to create network testing or scanning tools, and is useful for answering questions like, “I wonder how the IP stack on host X will handle a strange packet like Y.” So far, with Snortsam and Fwsnort we have seen two implementations of active response, but neither of these pieces of software touched packet application-layer data Snortsam implemented active response at the network layer through the wholesale blocking of IP addresses Fwsnort implemented active response at the transport layer through the use of TCP reset packets for indi­ vidual TCP sessions or issuing ICMP port-unreachable messages in response to UDP packets In this section, we will revisit the passwd.txt access and mountd overflow attacks from the previous sections and show how Snort_inline responds to such exploits at the application layer www.syngress.com Active Response • Chapter 12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Installation The installation of Snort_inline is somewhat involved It requires a kernel recom­ pile and the installation of bridge-utils and libipq (which is classified as a devel­ opment library by the Netfilter project) In addition, Snort_inline requires a 1.0.x version of libnet instead of a later version in the 1.1.x series, so you may need to install the older libnet if your Linux distribution shipped with a recent version A stock Linux kernel in the 2.4 series (and higher) can be compiled to act as an Ethernet bridge and act as a firewall with IPtables However, Linux cannot support both capabilities at the same time.Therefore, Linux cannot apply IPtables restrictions to packets that are to traverse interfaces that have been configured to be part of a bridge Fortunately, the open-source community has not neglected this nagging detail A patch to the kernel sources is provided by the Ebtables pro­ ject (see http://ebtables.sourceforge.net/) and adds the capability to firewall packets sent through an Ethernet bridge Although a thorough treatment of the kernel compilation process is beyond the scope of this book, the general steps in Figure 12.25 are required to correctly configure and compile the kernel for our needs Note that for this discussion, we will assume the sources for kernel 2.4.24 are already installed in the directory /usr/src/linux-2.4.24 Figure 12.25 Compilation Steps for Bridging Linux Kernel Download the Ebtables kernel patch against Linux kernel 2.4.24 from http://ebtables.sourceforge.net/download.html#latest Copy the resulting file ebtables-brnf-5_vs_2.4.24.diff to the kernel sources direc­ tory /usr/src/linux-2.4.24 Run the following command to apply the patch to the kernel sources: patch -p1 < ebtables-brnf-5_vs_2.4.24.diff Configure the kernel with your favorite kernel configuration interface, such as “make menuconfig.”The important kernel options to enable under the Networking options tree are: ■ 802.1d Ethernet Bridging ■ Network packet filtering (replaces IPchains) ■ Userspace queuing via NETLINK Continued www.syngress.com 655 656 Chapter 12 • Active Response Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Figure 12.25 Compilation Steps for Bridging Linux Kernel ■ IP tables support (required for filtering/masq/NAT) ■ Packet filtering Compile and install the kernel in the usual way (see the kernel-HOWTO for more information: www.tldp.org/HOWTO/Kernel-HOWTO/ index.html) Now that we have a properly built kernel available to power the Snort_inline Linux system, we need to install libipq, bridge-utils, and finally Snort_inline itself (we assume that a 1.0.x version of libnet is already installed) For libipq, we download the latest release of IPtables (1.2.9 as of this writing) from www.netfilter.org or copy it from the accompanying CD-ROM Unpack the tarball and issue the following commands from the resulting IPtables-1.2.9 directory: # make KERNEL_DIR=/usr/src/linux-2.4.24 # make install KERNEL_DIR=/usr/src/linux-2.4.24 # make install-devel Similarly, download bridge-utils from http://bridge.sourceforge.net/download.html or copy it from the accompanying CD-ROM, unpack the tarball, and issue the following commands from the bridge-utils sources directory: # /configure –prefix=/usr # make # make install Lastly, we download the latest release of Snort_inline (2.1.0a as of this writing) from http://snort-inline.sourceforge.net/ or copy it from the accompa­ nying CD-ROM, unpack the tarball, and run the following commands from the snort_inline-2.1.0a directory: # /configure –-prefix=/usr enable-inline # make # make install The installation is now complete and we have a functional IPS at our disposal www.syngress.com Active Response • Chapter 12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Configuration The configuration of Snort_inline involves three main steps We must configure the Linux system to bridge two Ethernet segments, set up an IPtables policy that sends packets into the QUEUE target, and edit the Snort configuration (including the rules).This discussion will illustrate a basic configuration that gets Snort_inline up and running For a more complete implementation of a script to automate this process, refer to Rob McMillen’s rc.firewall script (see www.honeynet.org/papers/honeynet/tools/) We will assume that the Snort_inline Linux system has two Ethernet interfaces, eth0 and eth1.The basic script in Figure 12.26 configures a bridge called br0, sets up forwarding, and starts IPtables packet queuing in the FOR WARD chain An important thing to note about the config­ uration script is that forwarding is turned off.The reason for this is that Snort_inline is responsible for constructing packets (via libnet) on the egress interface instead of the native IP stack of the underlying system.This allows Snort_inline to only forward those packets that not trip a rule in the Snort detection engine, or alter those packets that do.This also means that if the Snort_inline process dies or is killed, all network connectivity will be severed for the network segments bridged by the system on which Snort_inline is deployed Figure 12.26 Basic Bridge Configuration Script #!/bin/sh BRIDGE=/usr/sbin/brctl IFCONFIG=/sbin/ifconfig IPTABLES=/usr/sbin/iptables ECHO=/bin/echo ### remove any potential IP addresses on interfaces $IFCONFIG eth0 0.0.0.0 up -arp $IFCONFIG eth1 0.0.0.0 up -arp ### build the bridge br0 out of the eth0 and eth1 interfaces $BRIDGE addbr br0 $BRIDGE addif br0 eth0 $BRIDGE addif br0 eth1 Continued www.syngress.com 657 658 Chapter 12 • Active Response Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Figure 12.26 Basic Bridge Configuration Script ### activate the bridge (note the use of ifconfig just like ### for any other normal networking interface) $IFCONFIG br0 0.0.0.0 up -arp ### clear any existing iptables ruleset and then send all packets ### in the FORWARD chain to the QUEUE target so that Snort_inline ### can examine them $IPTABLES -F $IPTABLES -A FORWARD -j QUEUE ### turn forwarding OFF!!! $ECHO > /proc/sys/net/ipv4/ip_forward Most Snort rules have a default rule action of alert Snort_inline adds three new rule actions that can be specified in Snort rules: drop, reject, and sdrop.The action drop instructs Snort_inline to drop the packet via IPtables and log it as Snort nor­ mally does A rule action of reject is similar to the functionality provided by Fwsnort where a TCP reset is generated for TCP sessions and an ICMP port-unreachable message is generated for UDP packets A rule action of sdrop is the same as the drop action, but this time Snort will not log the packet Finally, Snort_inline implements the new rule option replace that will substitute matching content with specific con­ tent specified by the administrator.The remainder of our discussion will concen­ trate on using the replace option with the normal alert rule action, since the drop, reject, and sdrop options are fairly self-explanatory.The following two modified Snort rules taken from the file README.INLINE in the Snort_inline sources illustrate this new option: alert tcp any any any 80 (msg: "tcp replace"; content:"GET"; replace:"BET";) alert udp any any any 53 (msg: "udp replace"; content: "yahoo"; replace: "xxxxx";) Note that the replace option can only replace packet contents with new data of exactly the same length as the original data Otherwise, Snort_inline would break both the TCP and UDP protocols In the case of TCP, if Snort_inline sub­ stituted a series of characters with a different length from the original content, then the data sequence acknowledgment numbers would not match across the www.syngress.com Active Response • Chapter 12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com session and would force retransmissions to take place (recall Figure 12.12) In the case of UDP, there is a length field in the UDP header that specifies the length in bytes of both the UDP header and the data it encapsulates If a different length series of bytes were substituted, then the length field would no longer be correct Snort_inline must not break protocols Even with the requirement that the replace option contain data of the same length as contained in the content option, Snort_inline must still recalculate transport-layer checksums.This recalculation is mandatory for TCP, and is optional for UDP unless the UDP checksum was previously calculated by the client The only remaining task is to configure the snort.conf file We leave this as an exercise for the reader, since Chapters and cover this in detail Architecture Now that we have Snort_inline installed on a system that is configured to act as a bridge, how we place this system in our original network in Figure 12.1? The answer is that we use the bridge to connect the Ethernet segment between the Web and NFS servers to the firewall itself All packets that are destined for either server must go through the bridge where they will be processed by Snort_inline.The network architecture that makes this possible is shown in Figure 12.27 Note that there are no IP addresses assigned to the Snort_inline system.This emphasizes the fact that this system is acting as a bridge In a real-life scenario, there would most likely be a management network to which the Snort_inline system would be connected via a third interface For the sake of pedagogical simplicity, we’ll leave this out.The fact that the Web and NFS servers are connected via a switch makes no difference to the Snort_inline system, since the only packets that make it through to this section of the network have already been processed through the Snort detection engine.This is one of the key advan­ tages of using an inline solution—you can absolutely guarantee that it will see every packet, since every packet destined for the protected machines must tra­ verse the inline device www.syngress.com 659 660 Chapter 12 • Active Response Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Figure 12.27 Snort_Inline Network Architecture evilhost (207.174.x.x) NFS server (192.168.10.30) firewall (68.48.x.x) switch Intnernet 192.168.10.1 Snort_inline Web server (192.168.10.20) Web Server Attack Let’s revisit the WWWBoard passwd.txt access attack one last time and see how Snort_inline mitigates its effects We add the replace directive to Snort SID 807 so that any Web traffic that contains the suspect string /wwwboard/passwd.txt will be altered by Snort_inline before such traffic hits the Web server.The Web server will actually see a request to /wwwboard/nofile.txt that corresponds to a file that does not exist See Figure 12.28 for the modified signature Note the removal of the flow option, since Snort_inline does not yet support the stream4 preprocessor In addition, the uricontent option has been changed to just content, since the uricon­ tent directive corresponds to the httpinspect preprocessor, which Snort_inline also does not support Figure 12.28 Modified WWWBoard passwd.txt Access Snort Rule (SID 807) alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"WEB-CGI /wwwboard/passwd.txt access"; content:"/wwwboard/passwd.txt"; replace:"/wwwboard/nofile.txt"; nocase; reference:arachnids,463; reference:cve,CVE 1999-0953; reference:nessus,10321; reference:bugtraq,649; classtype:attempted-recon; sid:807; rev:7;) Let’s execute our attack and see what happens (see Figure 12.29) www.syngress.com Active Response • Chapter 12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Figure 12.29 wget Attack Request [evilhost]$ wget –O passwd.txt –t http://68.48.x.x/wwwboard/passwd.txt 17:38:32 http://68.48.x.x/wwwboard/passwd.txt => `passwd.txt.6' Connecting to 68.48.x.x:80 connected HTTP request sent, awaiting response 404 Not Found 17:38:33 ERROR 404: Not Found This time, the attack appears to be completely unsuccessful and the request seems to indicate that the /wwwboard/passwd.txt URL is not even a valid URI Instead of viewing a packet trace taken on the external interface of the firewall as before, we examine a trace taken on the Web server itself in Figure 12.30 (some packet data and header information has been removed for brevity) Figure 12.30 wget Attack Packet Trace [webserver]# tcpdump -i eth0 -s 1500 -l -n -X port 80 tcpdump: listening on eth0 204.174.x.x.48662 > 192.168.10.20.80: S 783689484:783689484(0) win 5840 192.168.10.20.80 > 204.174.x.x.48662: S 2323945504:2323945504(0) ack 783689485 win 5792 204.174.x.x.48662 > 192.168.10.20.80: ack win 5840 204.174.x.x.48662 > 192.168.10.20.80: P 1:119(118) ack win 5840 0x0000 4500 00aa 801b 4000 3106 3ec1 ccae df18 E @.1.> 0x0010 c0a8 1e02 be16 0050 2eb6 270d 8a84 9821 P ' ! 0x0020 8018 16d0 dc5a 0000 0101 080a 150b a733 .Z .3 0x0030 0097 fa17 4745 5420 2f77 7777 626f 6172 GET./wwwboar 0x0040 642f 6e6f 6669 6c65 2e74 7874 2048 5454 d/nofile.txt.HTT 0x0050 502f 312e 300d 0a55 7365 722d 4167 656e P/1.0 User-Agen 0x0060 743a 2057 6765 742f 312e 382e 320d 0a48 t:.Wget/1.8.2 H 0x0070 6f73 743a 2036 382e 3438 2e78 782e 7878 ost:.68.48.xx.xx 0x0080 370d 0a41 6363 6570 743a 202a 2f2a 0d0a Accept:.*/* 0x0090 436f 6e6e 6563 7469 6f6e 3a20 4b65 6570 Connection:.Keep 0x00a0 2d41 6c69 7665 0d0a 0d0a -Alive 192.168.10.20.80 > 204.174.x.x.48662: ack 119 win 5792 192.168.10.20.80 > 204.174.x.x.48662: P 1:572(571) ack 119 win 5792 0x0000 4500 026f 6215 4000 4006 4c02 c0a8 1e02 E ob.@.@.L Continued www.syngress.com 661 662 Chapter 12 • Active Response Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Figure 12.30 wget Attack Packet Trace 0x0010 ccae 0000 0000 be16 8a84 9821 2eb6 2783 .P ! ' 0x0020 8018 16a0 8fd9 0000 0101 080a 0097 fa35 0x0030 150b a733 4854 5450 2f31 2e31 2034 3034 .3HTTP/1.1.404 0x0040 204e 6f74 2046 6f75 6e64 0d0a 4461 7465 Not.Found Date 0x0050 3a20 5765 642c 2033 3120 4d61 7220 3230 :.Wed,.31.Mar.20 0x0060 3034 2030 343a 3034 3a34 3620 474d 540d 04.04:04:46.GMT 0x0070 0a53 6572 7665 723a 2041 7061 6368 652f Server:.Apache/ 0x0080 322e 302e 3438 2028 556e 6978 2920 6d6f 2.0.48.(Unix).mo 0x0090 645f 7373 6c2f 322e 302e 3438 204f 7065 d_ssl/2.0.48.Ope 0x00a0 6e53 534c 2f30 2e39 2e37 630d 0a43 6f6e nSSL/0.9.7c Con 0x00b0 7465 6e74 2d4c 656e 6774 683a 2033 3235 tent-Length:.325 0x00c0 0d0a 4b65 6570 2d41 6c69 7665 3a20 7469 Keep-Alive:.ti 0x00d0 6d65 6f75 743d 3135 2c20 6d61 783d 3130 meout=15,.max=10 0x00e0 300d 0a43 6f6e 6e65 6374 696f 6e3a 204b Connection:.K 0x00f0 6565 702d 416c 6976 650d 0a43 6f6e 7465 eep-Alive Conte 0x0100 6e74 2d54 7970 653a 2074 6578 742f 6874 nt-Type:.text/ht 0x0110 6d6c 3b20 6368 6172 7365 743d 6973 6f2d ml;.charset=iso- 204.174.x.x.48662 > 192.168.10.20.80: ack 572 win 6852 204.174.x.x.48662 > 192.168.10.20.80: F 119:119(0) ack 572 win 6852 192.168.10.20.80 > 204.174.x.x.48662: F 572:572(0) ack 120 win 5792 204.174.x.x.48662 > 192.168.10.20.80: ack 573 win 6852 We see that our attack request displayed in bold in Figure 12.30 has been fun­ damentally altered.The HTTP GET against the URL /wwwboard/passwd.txt has become a GET request for /wwwboard/nofile.txt Of course, this new path does not even exist on the Web server and so the client receives the standard “404 File Not Found” error.The client has no way of knowing whether the remote passwd.txt file even exists without further investigation.The attack was thwarted in such a way that the TCP stream remained intact It should be noted that in this particular case, there is in general no legitimate reason why anyone should be accessing the passwd.txt file Hence, this attack is a good example of the type of attack that an IPS should be configured to stop However, there is one possible exception: the case of the administrator who is trying to troubleshoot admin-level access if things are not working properly by verifying that the Web server has per­ mission to open the passwd.txt file Snort_inline effectively disables the ability to www.syngress.com Active Response • Chapter 12 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com troubleshoot in this way across all source networks contained within the Snort rule $EXTERNAL_NET variable No external client can query any URI on the Web server that contains the string “/wwwboard/passwd.txt”.There is always a tradeoff between offering a vulnerable service to untrusted networks versus disabling use of the service altogether with an IPS such as Snort_inline.This just teaches us to be very careful when deploying this type of technology—we must audit every single rule that will actively interfere with the network NFS mountd Overflow Attack For our last example, we revisit the NFS mountd overflow attack First, we modify Snort SID 316 to replace the content of the mountd attack with the hex code 0x65, which happens to correspond to the ASCII code for the letter “e” Again, we launch our attack from evilhost against the NFS server, but this time, we take a packet trace from the server itself as shown in Figure 12.31 As we expect, the critical portion of the attack that instructs the remote system to point back into the exploit payload has been translated into a harmless series of “e” characters completely unrelated to the original attack by Snort_inline (see Figure 12.32) Figure 12.31 Modified NFS mountd Overflow Snort Rule (SID 316) alert udp $EXTERNAL_NET any -> $HOME_NET 635 (msg:"EXPLOIT x86 Linux mountd overflow"; content:"|eb56 5E56 5656 31d2 8856 0b88 561e|"; replace:"|6565 6565 6565 6565 6565 6565 6565|"; reference:cve,CVE-1999-0002; reference:bugtraq,121; classtype:attempted-admin; sid:316; rev:3;) Figure 12.32 NFS mountd Overflow Attack [evilhost]$ /mx 68.48.x.x code length = 211, used retaddr is bfffe7a0 ok, attacking target 68.48.x.x [nfs_server]# tcpdump -i eth0 –s 1500 udp -X -l –n tcpdump: listening on eth0 15:53:59.266187 204.174.x.x.33854 > 192.168.10.30.sunrpc: udp 56 (DF) 15:53:59.267033 192.168.10.30.sunrpc > 204.174.x.x.33854: udp 28 (DF) 15:53:59.267662 204.174.x.x.33854 > 192.168.10.30.32772: udp 1108 (DF) 0x0000 4500 0470 0000 4000 4011 7929 c0a8 1e01 E p @.@.y) Continued www.syngress.com 663 708 Index Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com PCAP, 326–327 Snort as packet sniffer/logger, 75–85 by Snort-Inline, 688 Snort unified, 338–342 tests, 478–479 XML, 322 logging component, of Snort, 70, 72–73 logging format syntax, 89 logging option, 213 LogMessage function, 295 LogMessage function, 590–591 log_packets.sh, 408, 415 logparser, 93 log_pcap, 564 logsnorter, 387 log_tcpdump output plug-in, 326–327 logto keyword incident handling with, 680–681 for logging, filtering, 681–682 Lucas, Michael W., 151 M m , 148 M , 148 MAC address, 496–497 macro virus, 693 magic value, 602 mailing lists Barnyard, 603 for operating systems, 93 security/anti-virus, 462 SecurityFocus IDS mailing list, 259 make command installing libpcap from source with, 122 libpcap installation from source with, 114 for Snort installation from source, 130 for Snort installation using OpenBSD ports, 152–153 software installation with, 118–119 make install command installing libpcap from source with, 122 libpcap installation from source with, 114 for Snort installation from source, 130 for Snort installation using OpenBSD ports, 152, 153–155 software installation with, 118–120 makefile, 119–120 Makefile.am, 594–595 management, for CIRT organizations, 463 management questions, 57–58 master boot record virus, 693 matching ports, 187–188 max keyword, 678 Maximum Transfer Unit (MTU), 248 Mayers, Phil, 371 McMillen, Rob, 653, 686 memcap option flow configuration with, 251–252 in frag2 preprocessor, 249 of stream4 preprocessor, 242–244, 247 memory frag2 preprocessor and, 249 stream4 preprocessor’s use of, 242–244 memory fault, 243 memory space, 464 message map files, 545 message option, 212–213 messages alert, localization of in Barnyard, 596–597, 601 alert_syslog, 554–556 alert_syslog2, 556–560 blocking agent, 632–633 error, Barnyard configuration, 540 meta-data options, rule, 209–212 Metasploit, 459 Microsoft Windows for ACID, 389 detect_state_problems parameter and, 239 OS choice for Snort, 479, 484 Snort installation on, 140–146 Snort rus reliably on, 102 milestones, benchmark, 495 minimal threats, 489, 490 min_ttl parameter flow configuration with, 252–253 in frag2 preprocessor, 249–250 function of, 193 Mitnick, Kevin, 31 mobile sensors, 526–527 mobile workstations, 376 moderate threats, 489 mod_ssl module, 397 monitoring of system calls, 21 for updates, 462–465, 468 motherboard, 473–474 motives, attack, 28–30 mountd buffer overflow exploit See NFS mountd overflow exploit MS SQL, 333 mSplit() function, 295 MTU (Maximum Transfer Unit), 248 multi-partite virus, 693 multiple address variable, 190 multiple attack paths, 6–7 multiple file processing, 571 multiple process running, 576–577 multiprocessor support, Linux, 102 multitasking, 475 MyDoom worm, 30 myPluginAlert, 350 myPluginCleanExit, 350 myPluginInit, 349–350 myPluginRestart, 350 myPluginSetup, 349 MySQL ACID installation and, 393–394 ACID supports, 388 compacting, 438 installing from RPM, 124–126 installing from source, 126–127 PHP support, 390–391 vs PostgreSQL, 333–338 Snort installation from SRPM and, 134 Snort script, 333 mysqltcl, 411 N N, 148 n , 148 Nazario, Jose, 151 nc.exe, 88 Neped, 90 Nessus, 520 NetBSD, 61 Netdude,THC’s, 513–517 Net::RawIP Perl module, 503 Netsky virus, 443 network architecture, Snort and, 86–87 Barnyard and, 531 IDS, 10–13 IDS data collection and, 20–21 size, hardware choice and, 472 sniffing tools, 11 Network-Based Intrusion Detection Systems (NIDSs), 10–13, 50 network bridge, 686 network card, 136 network connectivity testing, 477 Network File System (NFS) server attack, 611 network impact, 490 network interface card (NIC) choice for Snort optimization, 474, 477 network connectivity testing, 477 Snort hardware requirement, 58–59 Network Intrusion Detection System (NIDS) invoking Snort as, 85–86 network architecture and, 86–87 stress testing, 520–521 using Snort as, 62–63, 73–74 Network Intrusion Prevention Systems (NIPS) described, 49 firewalls and, 665–666 Slammer worm and, 607 See also Intrusion Prevention Systems Index 709 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com network layer, 608 Network Node IDS (NNIDS), 48 network operations, 672–680 flow preprocessor family, 673–675 in general, 672 network traffic, unusual, 679–680 overview of, 697 perfmon preprocessor, 675–679 network reconnaissance attack, 187–188 network traffic known good vs known bad, 22–23 unusual, monitoring, 679–680 network, using Snort on in general, 73–74 network architecture and, 86–87 as NIDS, 85–86 overview of, 95 as packet sniffer/logger, 74–85 pitfalls when running Snort, 87–89 Network Virtual Terminal (NVT), 280 Newsham,Tim, 434, 650, 40 NFS mountd overflow exploit Fwsnort and, 650–653 overview of, 616–619 Snort_inline and, 663–664 Snortsam and, 633–636 NFS (Network File System) server attack, 611 NIC See network interface card NIDS See Network Intrusion Detection System NIDSs (Network-Based Intrusion Detection Systems), 10–13, 50 Nikto, 520 NIPS, 665–666 See Network Intrusion Prevention Systems NMAP IDS and, 47 link to, 520 TCP ACK option and, 208 NMAP TCP ping scan, 208 NNIDS (Network Node IDS), 48 no_alert_incomplete parameter, 264 no_alert_large_fragments parameter, 264 no_alert_multiple_requests parameter, 264 noalerts option, 247 nocase option to match content strings, 229 in rule, 201 noinspect option, 241 nolog, 193 nonpromiscuous mode, 10 nonrule detection, 269 See also anomaly-based detection, preprocessor options no_promisc, 193 (NormalizeTelnet()) function, 283 Norton, Marc, 169, 258 NTOMax, 520 NVT (Network Virtual Terminal), 280 Oracle, 333 order, 193 organizations, testing within, 459–462 OS See operating system OTN (OptTreeNodes), 168–169 o, 148 output O, 149 of frag2 preprocessor, 250 obfuscate, 193 HTTP decode preprocessor, 262 OBSD See OpenBSD rpc_decode preprocessor, 265 Offline NT Password & Registry Snort plug-in, 367–371 Editor, 34 Snort plug-in, problems with, offset option content, 201 371–372 Oinkmaster Snort vs tcpdump, 78 function of, 71 of stream4 preprocessor, 247 for rules updates, 451–455 Telnet negotiation preprocessor, 255 Omnibus Crime Control and Safe Output function, 591–593 Streets Act of 1968, 3–4 output plug-ins “One Way Cable Preparation Guide” choice for speed, 492–493 (Gray), 59 configuration for Snort, 139 Online Update tool (YOU), 111 selection of/configuration of, 72 open-source software, 530 Snortsam, 621–622 OpenBSD (OBSD) See also Snort output plug-ins Linux advantages over, 102 output plug-ins, Barnyard Linux has more support, 103–104 acid_db, 565–567 ports, Snort installation using, adding to op_plugbase.c, 593–594 152–157 alert_csv, 551–554 Snort installation on, 150–159 alert_fast, 550–551 operating system for Snort alert_syslog, 554–556 optimization alert_syslog2, 556–560 considerations, 479 build system update, 595 “good” OS selection, 480 described, 598 hardware and, 526 directives, 549 leveraging Win32 IPSEC via Snort, log_dump, 561–564 480–484 log_pcap, 564 Linux, 527 Makefile.am update, 594–595 measuring OS selection, 484–485 overview of, 549–550 overview of, 523, 524 real-time console alerting, 595–596 testing, 485–486 sguil, 567 operating system (OS) source files setup, 585–587 for ACID, 388 writing functions, 587–593 for ACID installation, 389 writing, overview of, 584, 601 attacks on, 92 outsourcing, Barnyard and, 538, 603–604 compatible with Snort, 96 mailing lists for, 93 security, 32 p, 149 security tips for, 93 -p option, 544 for Snort installation, 101–107, 161, P , 149 163 package management Snort requirements, 60–61 with Debian GNU/Linux, 108 op_plugbase.c, 593–594 with Gentoo Linux, 109 optimizing Snort with Slackware Linux, 109 benchmark characteristics, 494–496 packet analysis benchmarking options, 496–519 with Ethereal Network Analyzer, Berkeley Packet Filter tests, 217–220 521–522 for rule development, 224 hardware choices, 472–479 packet browser, ACID, 387 operating system choice, 479–486 Packet Capture Library (PCAP), rule tests, 521 326–327 speeding up, 486–493 packet captured length, 536 stress testing, 520–521 packet data tuning rules, 522 intrusion analysis and, 382 OptTreeNodes (OTN), 168–169 unified log record field, 536 O P 710 Index Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com packet decoder function of/configuration, 63–64 in Snort’s process, 62 packet generation, 517–518 packet headers, 78 packet length, 536 packet logger, 62, 74–85 packet logs, analysis of, 431–434 packet loss hardware choice and, 472, 473, 474 NIC choice and, 477 packet matching, 232 packet reassembly See reassembling packets packet sniffer for rule content, 229 for Snort rule content, 217–220 using Snort as, 74–85 packet sniffing, 20–21 packet timestamp, 536 packets attack detection and, 167–173 decoders, 166–167 IDS and, 35 Netdude and, 513–517 overview of, 166 preprocessors and, 64 tagged in unified log records, 535 Paketto Keiretsu, 520 Palmer, Brendan, 151 parser function, 178–179 parsing, 21, 64 partition separation of log and database partitions, 389 Snort installation on OpenBSD and, 151 pass keyword, 196 pass rules alert rules and, 68 when to use, 197 passive response, 24–25, 26 passwords ACID installation, 393, 394 ACID security and, 398 Back Orifice and, 268 for SGUIL database, 409 Web server password for ACID, 396 patch-o-matic, 637 patches for Linux security, 111–112 patch/IAVA verifications, 692 for securing Snort system, 92 for SGUIL installation, 413–414 Snort installation and, 101 pattern matching failures, 254 GREP and, 527 PCRE for, 69 rule matching, 67–68 speed and, 490 payload size, 213–214 pcap installing, 112–123 Snort requirement, 163 Pcap binary format, 382 PCAP file, 513, 517 PCAP (Packet Capture Library), 326–327 PCI bus speed, 473 PCRE See Perl Compatible Regular Expressions PCRE library package, 123–124 Pen Register,Trap and Trace Statute, perfmon-graph tool, 457–458, 675–676 perfmon preprocessor dropped packets, 699 how to use/options of, 677–679 uses for, 675–676 perfmonitor, 457–458 perfmonitor preprocessor, 274–275 performance, stripping Linux for, 104–106 Perl leveraging Win32 IPSEC via Snort, 480–484 SnortSnarf, 422–427 snort_stat.pl, 419–422 Perl Compatible Regular Expressions (PCRE) for behavioral tracking, 689–692 described, 69 regular expressions for, 202–203 Phlak described, 110 Web site, 111 PHP (Hypertext Preprocessor) ACID installation and, 390–391 acronym history, 17 version for ACID, 438 PHPlot library, 391–392 physical security, 32–34 PigSentry, 72 pipe characters (|), 199–200 pkgtool, 109 pktcnt keyword, 678 pkt_count, 194 plan, security, 31 playback mode, 318–321 plug-ins adding preprocessor into Snort, 300–302 detection, 183 detection, writing, 173–181 preprocessors as, 233 See also output plug-ins, Barnyard policy company, monitoring with Snort, 44 firewall, 621–622 security, IDS and, 50 policy-based intrusion detection described, 694–695 security with, 672 policy enforcement, 692, 694–695 policy enforcement rules, 464–465 policy-based IDS, 19 politics, as attack motivations, 30 Pomraning, Michael, 202 port density, 461 port matching, 187 Port Scan Attack Detector, 648 port scans, 669 Portage tree, 109, 110 portmapper, 263 ports rpc_decode preprocessor configuration, 263–264 Snort hardware requirement, 59–60 Snort in switched network and, 87 Snort installation using OpenBSD ports, 152–157 specifying for Snort, 164 Telnet negotiation codes and, 255 Telnet negotiation preprocessor code and, 293–299 ports option, 247 portscan preprocessor configuring, 267 function/process, 265–267 SGUIL installation and, 413–414 portscan2 preprocessor configuring, 272–273 conversation preprocessor with, 271–272 portscans, stealth mode, 96 PostgreSQL ACID installation and, 393–394 ACID supports, 388 vs MySQL, 333–338 PHP support, 390–391 Snort installation from SRPM and, 134 Snort script, 333 Preprocess, 167–168 preprocessor arguments, 315 preprocessor output, 188 preprocessor stream4_reassemble, 244–247 preprocessors configuration for Snort, 139 configuring for speed, 490–491 decoding/normalizing protocols, options for, 254–265 defined, 233–234 experimental, 269–275 flow-portscan, 66–67 frag2, 248–254 function of, 64 functionality of, 232 HTTPInspect, 65–66 nonrule/anomaly-based detection options, 265–269 overview of, 303–306 as plug-ins, 233 Index 711 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com SGUIL installation and, 413–414 stream4 preprocessor, 234–247 preprocessors, writing adding preprocessor into Snort, 300–302 decoding protocols, 276 nonrule or anomaly-based detection, 276–277 overview of, 306 preprocessor’s code, 280–300 reassembling packets, 275 setting up my preprocessor, 277–280 prevention, attack, 40–42 print statements, 190 PrintXref function, 593 priorities, 554 priority, 533 privacy IDS and, 3–4 regulations, 12–13 prmfindrulegroup, 170 processors choice for Snort optimization, 474–475 speed/architecture for Snort optimization, 473 ProcessPacket, 166 production environment, benchmark in, 496 production systems, 444–446 promiscuous interfaces, 90–91 promiscuous mode NIDS, 10 port in, for switched network, 87 protected trade secrets, protocol active response and, 611 alert record field, 534 analysis, 24–25, 49 normalization, 308 rule header category, 195–196 Ptacek,Tom, 434, 650, 40 Q q, 149 query building, with ACID, 387 querying ACID database, 400–401 alert groups in ACID, 402–404 queueing, event, 171 quiet, 194 R -R argument, 504 -R (“dry run” option), 543, 569–571 −r switch, 84–85 r , 149 Random Access Memory (RAM), 475–476 Rash, Michael, 648 rawbytes, 255, 282 Razorback, 71 react keyword, 691 real-time console alerting, 583–584, 595–596 reassembling packets frag2 for, 249–254 preprocessor options for, 305 preprocessors for, 234, 275 stream4 preprocessor for, 235–247 Red Hat Linux, 112 Red Hat Package Manager (RPM) installing SQL from, 124–126 libpcap installation from, 122–123 Linux distributions that use, 108 rpm2targz utility, 109 Snort installation from, 132–134 reference_net, 194 RegisterPreprocessor() function, 284–285 regular expressions PCRE for behavioral tracking, 689–692 in rule, 202–203 regulations, privacy, 12–13 relational database plug-ins, 368 remote administration test, 485 Remote Procedure Call (RPC) protocol, 262–265 remote syslog alerting, 578–580 RenderTimeval function, 593 replace keyword, 688 Request for Comments (RFC) protocol information from, 383 Telnet protocol, 279 resources as attack targets, 29–30 locking down OpenBSD, 151 for Snort, 56 system, Barnyard and, 322 TCP/IP Illustrated, Volume (Stevens), 236 See also shared resources; Web site resouces resp option, 215 response See active response return on investment (ROI), 47–48 RFC (Request for Comments) protocol information from, 383 Telnet protocol, 279 RFC3164 message format overview of, 557–558 timestamp and, 560 “The Rime of the Ancient Mariner” (Coleridge), 386 Roelker, Daniel, 169, 256–258 Roesch, Martin, 326 detection engines and, 169 development of Snort, 56 preprocessor design by, 233 on sequence number option, 206 on stream4 preprocessor, 235 stream4 preprocessor and, 246 ROI (return on investment), 47–48 “root” permissions, 150 rpc option, 214 RPC preprocessor, 443 RPC (Remote Procedure Call) protocol, 262–265 rpc_decode preprocessor configuring, 263–264 decoding protocols with, 276 functions of, 234 output, 265 overview of, 303 reasons for, 262–263 RPM See Red Hat Package Manager rpm2targz utility, 109 rrdtool, 458 RTN (RulesTreeNodes), 168–169 Ruiu, Dragos, 271 rule difference from signature, 307 examination of, 383 rule actions activate and dynamic rules, 197–198 custom rule actions, 197 pass rule, 197 rule header category, 195–196 types of, 196–197 rule-based analysis, IDS, 24–25 rule body format, 198–199 function of, 186 rule content ASCII and binary content, 200 ASCII content, 199 binary content, 199–200 depth content option, 200 flow control, 203–204 nocase option, 201 offset option content, 201 regular expressions, 202–203 session option, 201 stateless option, 202 Uniform Resource Identifier content option, 201–202 rule headers categories, 195–196 function of, 186 overview of, 227 rule actions, 196–198 rule matching with detection engine, 67–69 in Snort, 232 rule options, 198–215 ICMP options, 208–209 IP options, 204–206 712 Index Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com meta-data options, 209–212 miscellaneous, 212–215 overview of, 227 rule body, 198–199 rule content, 199–204 TCP options, 206–208 rule revision number, 210 rules actions in Snort_inline, 658–659 blocking, 621–622 dissecting, 187–188 drop, 628 engine, 545 file, local, 449–450 forensic, 465 frequency of installation, 469 Fwsnort and, 636 in general, 186–187 for mobile sensors, 526–527 order of, 183 policy enforcement, 464–465 removing from ruleset, 450–451 rule headers, 195–198 rule options, 198–215 rule type order and, 171 short-term, 464 Snort configuration, 191–195 suppression, 173 testing, 521–522 tuning, 522 updating, 467 variables for, 188–190 writing good rules, 215–225 rules updates overview of, 447–448, 466 removing rules from ruleset, 450–451 using IDSCenter for rules merging, 455–456 using local rules file, 449–450 using Oinkmaster, 451–455 using variables, 448–449 rules, writing action events, 216–217 bad rule, elements of, 223 capabilities with, 186 evolution of, 224–225 in general, 215 good rule, elements of, 216 overview of, 227 proper content, 217–220 questions about, 228–229 steps of, 224–225 subnet masks, merging, 220–222 ruleset configuration for Snort, 139–140 determining, 488–490 removing rules from, 450–451 upgrading Snort and, 89 RulesTreeNodes (RTN), 168–169 server port, 537 server-specific variables, 139 s, 149 serveronly option, 246–247 S , 149 services, 105 -s option, 544 session Salgado, Richard, 689 stream4 preprocessor and, 247 SAM (Snort Alert Monitor), 336–338 TCP, 235–237 Samhain, 93 session keyword, 681 Sarbanes-Oxley requirements, 47–48 session option, 201 SATA drive, 476 session reassembly, 244–247 scale, 57 session:printable keyword, 681–682 A Scandal in Bohemia (Doyle), 380 set_gid, 194 scanning SetTelnetPorts() function, 293–294 compromise vs., 5–6 set_uid, 194 IDS and, 29 Setup() function, 301 scripts Setup function Barnyard configuration options, of detection plug-ins, 176 539–540 overview of, 588–589 contrib directory, 331–333 SetupTelNeg() function, 284 SCSI, 476 setwise pattern match, 68 search, 400–401 severity, 558 Secure Architectures with OpenBSD severity identifier option, 210 (Palmer and Nazario), 151 SGUIL See Snort GUI for Lamers Secure Shell (SSH), 91 sguil, Barnyard output plug-in, 567 securing Snort system, 92–93, 97 SGUIL client security function of, 408–409 ACID, 397–398 installation, 413 of Linux distribution, 111–112 SGUIL database, 409–410 physical, 32–34 Sguild (SGUIL server) plan, IDS and, 31 function of, 408 securing Snort system, 92–93, 97 installing, 410–412 Snort’s advanced features for, 672 sguild.conf, 411–412 security fixes, 92 sguil.tk, 413, 416 security holes, 518, 519 Shadow Sensor/OS, 111 security plans, 31 shared resources, 42 security, system, 328 shellcode, 271 SecurityFocus IDS mailing list, 259 short-term rules, 464 SELinux, 111 show tables command, 334–335 sendmail buffer overflow, show_year, 194 sensor placement, 478 sid-msg-map configuration directive, sensor scripts, 408, 413–415 548, 602 sensor_agent.tcl, 408, 415 SID (Snort event ID), 545 sensors SID (Snort signature ID), 69–70 attacks on, 443 signal handling, 577 deploying Snort as NIDS, 73–74 signature, 307 deployment and network signature-based analysis, 24–25 architecture, 86–87 signature generator ID, 533 detection of Snort system on signature ID, 533 network, 90–91 signature revision, 533 in DIDS, 14–16 signatures memory space and, 464 Snort and, 52 SGUIL and, 408 updating, 443 in switched network, 87 writing for Snort, 44 variables and, 448–449 Simple Network Management SENTINIX GNU/Linux, 128–129 Protocol (SNMP), 321 September 11 terrorist attacks, 30 simple string matching, 187–188 sequence number option, 206 single file processing, 568–569 sequence option, 209 single point of failure, 89 server bytes, 537 Slackware Linux, 108–109 server configuration section, 65–66 Slammer worm, 607 server IP address, 537 “Smashing the Stack for Fun and server packets, 537 Profit” (Aleph1), 271 S Index 713 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com SMB alerting, 326 Sneeze benchmarking with, 502–503 testing with, 459 sniffing link, 612 sniffing tools, 11 SNMP (Simple Network Management Protocol), 321 Snort configuration to work with SnortSnarf, 424–425 exploit tools and, 43–44 preprocessor, adding into, 300–302 rules engine, 545 in security architecture, 42–44, 51 Stick/Snot and, 46 unified alert records, 532–535 unified files, overview of, 532 unified log records, 535–536 unified stream-stat records, 536–537 updates, 444–446 worms/viruses and, 40–42 writing signatures with, 44 Snort 2.1 defined, 55–56 features, 62–73 need for, scenarios, 54–55 system requirements, 57–62 system security with, 89–93 using on network, 73–89 Snort 2.1 features, 62–73 add-ons to, 70–72 alerting/logging components, 70, 72–73 detection engine, 67–70 in general, 62–63 overview of, 95 packet decoder, 63–64 preprocessors, 64–67 Snort 2.1.3 Release Candidate 1, 68 Snort 3, 445–446 Snort, advanced features behavioral tracking, 689–692 forensics/incident handling, 680–685 honeynets and, 686–689 network operations, 672–680 patch/IAVA verifications, 692 policy enforcement, 692, 694–695 trojan, virus, worm, differences, 693–694 Snort Alert Monitor (SAM), 336–338 Snort event ID (SID), 545 Snort GUI for Lamers (SGUIL) components, 407–409 function of, 71 installing, 409–416 overview of, 435 questions about, 439 using, 416–418 Snort ID option, 209–210 Snort ID (SID) 316, 611, 617, 663–664 Snort ID (SID) 807 Fwsnort command for, 644–646 Web server attacks and, 611, 613–616 Snort-Inline, 686–689, 699 Snort installation command-line switches, 147–150 CVS, 160 in general, 100–101 getting Snort for installation, 127–128 installatiion of bleeding-edge versions of Snort, 159 installation from RPM, 132–134 installation from source, 129–132 installation on MS Windows platform, 140–146 Linux distributions, 108–112 on OpenBSD, 150–159 operating system for, 101–107 preparation for, 112–127 SENTINIX GNU/Linux, 128–129 snort.conf file, editing, 138–140 using apt, 134–137 Snort output plug-ins default logging, 316–321 described, 312–315 MySQL vs PostgreSQL, 333–338 options, 315 output problems with, 371–372 overview of, 312 PCAP logging, 326–327 post-Snort data modification, 367–371 setting up, 345–348 SMB alerting, 326 SNMP traps, 321 Snortdb, 327–333 Syslog, 322–326 unified logs, 338–342 W3C, 348–350 W3C code example, 353–366 W3C, running/testing, 367 W3C source code, 350–353 writing, overview of, 342–345 XML logging, 322 Snort signature ID (SID), 69–70 Snortalog, 71 snort.conf file alerting/logging components called from, 70 detection engine and, 67 editing, 138–140 in Snort process, 63 stream4 preprocessor activation in, 238–239 using Snort as NIDS and, 85–86 Snortdb, 327–333 Snort_inline architecture, 659–660 configuration, 657–659 described, 608, 610–611, 669 installation, 655–656 NFS mountd overflow attack and, 663–664 overview of, 653–654 Web server attack, 660–663 Snortplot.php, 71 Snortsam in action, 624–636 architecture, 621–624 described, 608, 610, 668 installation, 619–620 overview of, 619 SnortSnarf browsing packet contents in, 439 configuring Snort to work with, 424–425 function of, 71, 435 for high-level information, 418 installing, 422–423 using, 425–427 snort_stat.pl for high-level information, 418 running, 419–422 Snot IDS and, 46 Snort attacks with, 91 testing with, 459 Web site for information on, 519 software open-source, 530 operating system for ACID installation, 389 Snort requirements, 60–62 stripping Linux, 105 Song, Dug, 248, 40 source compiling from, 118–120 intrusion data correlation and, 384, 385 libpcap installation from, 113–117 Snort installation from, 129–132 Snort installation on OpenBSD from, 157–159 SQL installation from, 126–127 source builds, 444–445 source files, 585–587 source information, 195–196 source IP address, 534 source port, 534 source RPM (SRPM), 133–134 Sourcefire, 56 SourceFire, 169–170 SourceForge, 160 speed hardware choices for, 473 preprocessors slow down speed, 232–233 speed, Snort, 486–493 analysis timeframe, 487–488 generic variables, 492 714 Index Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com goals/methods, 486–487 output plug-in choice, 492–493 overview of, 525 pattern matching and, 490 preprocessors, configuring for, 490–491 rulesets, determining, 488–490 SPIKE, 520, 521 spo_alert_full output plug-in, 345–348 spoofing, 269–270 spool directory option (-d), 543–544 spp frag2 message, 431 spp_portscan, 413 spp_stream4, 413 SQL database, 75 SQL Slammer, 6–8 SRPM (source RPM), 133–134 SSH (Secure Shell), 91 StackGuard to harden operating system, 93 for Snort protection, 92 Start function, 589 start time, 537 stateful, 194–195 stateful inspection, 238–244 statefulness,TCP, 235–244 stateless option, 202 stealth interfaces, 90–91 stealth mode, 16 stealth mode portscans, 96 stealth packets, 266 Stearn, Bill, 382 Stearns, William, 636 Stevens, Richard, 236, 279 stick IDS and, 46 pros/cons of, 519 Snort attacks with, 91 stateful monitoring with, 238 stream4 preprocessor and, 246 Stop function, 590 storage medium, for Snort, 476 stream-stat records, 536–537 stream4 preprocessor applying patch to, 413 conversation preprocessor and, 308 function of, 235 functions of, 234 output, 247 overview of, 303 packet reassembly and, 275 session reassembly, 244–247 SGUIL installation and, 414 speed and, 491 TCP statefulness with, 235–244 stress testing for operating system tests, 485 tools for, 520–521 string match module, 637–638 stripping Linux, 104–106 SubDomain to harden operating system, 93 for Snort protection, 92 subnet masks common, 139 merging, 220–222 subnet-specific information, 19–20 sudo make install, 152, 153–155 Summary screen, of SnortSnarf, 425 summary scripts function of, 418 SnortSnarf, 422–427 snort_stat.pl, 419–422 Sun Solaris TTY prompt buffer overflow attack, 688 suppression, rules, 173 SUSE Linux 9.1 installing pcap, 112–123 installing SQL, 124–127 libpcre installation, 123–124 security, 111 Snort installation on, 100 swapping, 243–244 Swatch configuration, 428–430 function of, 71, 435 monitor log files with, 93 process stopped, 438–439 switched networks sensor placement tests on, 478 using Snort in, 87, 97 switches, 75 SYN flag, 236–237 Syslog, 322–326 syslog alerts remote, 578–580 Swatch configuration for, 428–430 syslog_host, 559 syslog_port, 559 system administration tests, 486 system call monitoring, 21 system requirements, Snort 2.1, 57–62 hardware, 58–60 operating system, 60–61 overview of, 94 questions of management, 57–58 questions of scale, 57 software, 61–62 system security, Snort 2.1, 89–93 attacks, 90–92 in general, 89 overview of, 95 securing Snort system, 92–93 system services, 105 system, stripping Linux, 106–107 systems production, 444 T T, 149 t , 149 tag, 559 tag option, 213 tagging activate/dynamic roles phased out by, 198 packet, 171–172 taps, 686 tar command, 121 tarball configure, make, make install, 118–120 defined, 108 downloads, 638 installing libpcap from, 113–117 Snortsam, 620 target, 384 target-based IDS, 49 tcl, 410–411 tclx, 411 TCP ACK option, 208 TCP flags option, 207–208 TCP/IP Illustrated, Volume (Stevens), 236, 279 TCP/IP (Transmission Control Protocol/Internet Protocol), 55–56, 61 TCP options, rule sequence number option, 206 TCP ACK option, 208 TCP flags option, 207–208 TCP packets, 170 TCP session reassembly, 244–247 TCP statefulness, 235–244 TCPDump, 327 tcpdump BPF rules testing with, 521–522 Netdude designed to work with, 513 options, 613 output format, 78 output formats, 432 tcpdump binary format, 75 TCPReplay benchmarking with, 504–513 Netdude works with, 513 teardrop attack, 431–434 technologies, for IDS implementation, 24–25 TelNegInit() function, 283, 284, 294 Telnet decoding, 491 session reassembly, 244–245 Telnet negotiation preprocessor adding preprocessor into Snort, 300–302 code, 280–300 configuring, 255 decoding protocols with, 276 function of, 254 getting data into Snort, 300 output, 255 overview of, 303 setting up my preprocessor, 277–280 Telnet protocol, 279–280 Index 715 Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com template, preprocessor, 277–280 terminology, IDS, 48–49 test lab compiled builds and, 445 in large organizations, 461 single box/nonproduction, 460 for testing Snort/rules, 457 testing, 456–457 with batch-processing mode, 579 Berkeley Packet Filter tests, 521–522 of detection plug-ins, 180–181 hardware, 477–479 operating system, 485–486 rule content, 220 rule tests, 521 rules, 225 Snort/rules, 457–462, 466, 468 stress testing, 520–521 See also benchmarking deployment text case, 201 THC’s Netdude, 513–517 threats, ruleset configuration and, 489–490 thresholding detection engine, 172–173 with Snort, 69–70 time, 384, 385 time keyword, 678–679 Time to Live (TTL) feature of IDS Wakeup, 501 flow configuration and, 252–253 frag2 preprocessor and, 249–250 option, 206 Time::JulianDay module, 422 timeout option, 241–242 timeout parameter, 249 timestamp, 560 tools bootable, 33–34 EagleX, 460 exploit, 43–44 Metasploit, 459 network sniffing, 11 perfmon-graph, 457–458 perfmonitor, 457 rrdtool, 458 Sneeze, 459 Snot, 459 Stick/Snot/Snort, 45–46 for updates management, 463 User-Mode Linux, 458 Virtual PC, 458 VMware, 458 top tool, 243 TOS (Type-of-Service) option, 206 trace analysis, 516 trace area management, 513, 514 traffic altering based on IDS alerts, 609–619 effects of active response on, 610 encrypted, IDS and, 18 reconstruction, 682–685 rules for, 186 Snort sensor deployment and, 86–87 validation, 383 validation for analyzing IDS events, 431–433 traffic scrubber, 434 Transmission Control Protocol/Internet Protocol (TCP/IP), 55–56, 61 transport layer, 608 trimming, 406 Trinux, 110, 111 Tripwire, 93 trojan 55808 Trojan, 680 defined, 693–694 IDS and, 32 Trustix, 110, 111 TTL See Time to Live ttl_limit parameter flow configuration with, 253 in frag2 preprocessor, 250 of stream4 preprocessor, 241 tuning, rules, 225, 522 twenty-five percent test, 478 Type-of-Service (TOS) option, 206 U U, 150 u , 150 UCD-SNMP, 134 UDP bomb attack, 187 UDP (User Datagram Protocol), 323–324 UltraSPARC processor, 475 UM (User-Mode) Linux, 458 Unicode, 260 unicode option, 260 Unified binary format logging packet data in, 382 SGUIL installation and, 414–415 unified files alert records, 532–535 file archiving and, 576 host byte order and, 602–603 log records, 535–536 magic value, 602 overview of, 532, 599 stream-stat records, 536–537 unified logs Snort, 338–342 storing, pros/cons of, 370 unified output format, 72–73 unified.alert continual-processing mode and, 572–573 in remote syslog alerting, 579–580 Uniform Resource Identifier (URI) content option, 201–202, 219–220 Uniform Resource Locator (URL), 256–259, 303 UNIX for ACID, 389 Barnyard and, 537–538 OS choice for Snort, 484–485 Sneeze runs in, 503 Syslog and, 323 unmask, 195 up2date, 111 updates of build system in Barnyard, 595 change control, 456–457 frequency of, 469 overview of, 442–444 rules, 447–455 Snort, 444–446 testing Snort/rules, 457–462 watching for, 462–465, 468 upgrade, Snort, 88–89 URI (Uniform Resource Identifier) content option, 201–202, 219–220 URL Encoder command-line tool, 258 URL (Uniform Resource Locator), 256–259, 303 user ACID installation and, 393 IDS and, user-agent field, 450 User Datagram Protocol (UDP), 323–324 User-Mode (UM) Linux, 458 utc, 195 V V, 150 v, 150 -v option, 569 −v switch, 74, 79 validation of traffic, 383 of traffic, analyzing IDS events, 431–433 var EXTERNAL_NET variable, 139 var HOME_NET variable, 138 variables defining for rules, 228 local rules file and, 449 rules, 448–449, 469 rules updates and, 448–449 for rulesets, 188–190, 226–227 Snort configuration options, 191–195 verbose, function of, 195 verbose mode, 140 virtual consolers, 106 716 Index Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com virtual local area networks (VLANs), 87 Virtual PC, 458 viruses active response and, 670 defined, 693 overview of, 6–8 Snort and, 40–42 VisualCVS, 160 VLANs (virtual local area networks), 87 VMware, 458 vulnerabilities operating system attacks and, 92 remote vulnerabilities in Snort, 91 rule development and, 224 vulnerability assessors, 74 W W3C, 375 W3C Snort output plug-in code example, 353–366 myPluginAlert, 350 myPluginCleanExit, 350 myPluginInit, 349–350 myPluginRestart, 350 myPluginSetup, 349 overview of, 348–349 running/testing, 367 source code, 350–353 watchlists, 694 Web-based configuration, of SENTINIX, 128–129 Web server ACID installation and, 388–389, 390 password for ACID protection, 396 PHP4 support for, 390–391 SnortSnarf and, 427 Web server attack active response and, 611 Snort_inline, 660–663 Web site resources ADODB library, 393 aggregate, 222 Barnyard, 538–539 Barnyard/SourceForge, 604 BSD/MIT license, 334 Checkinstall, 120 Chen’s script, 335 correlation information, 434 CVS, 159 EagleX, 460 Ethereal, 217 FIRE, 33 fragroute, 40 Ftester, 519 Fwsnort, 636 GD library, 391 hardened Linux distributions, 111 Honeynet Project, 611, 686 honeypot legal issues, 689 HPing2, 501 “HTTP IDS Evasions Revisited” (Roelker), 256 IDS Informer, 496 IDS Wakeup, 501 intrusion attempt log analysis, 21 Iris, 318 Kiwi Software Syslog, 325 Knoppix, 33 libpcap, 112 libpcap/TCPDump, 327 Linux-BBC, 34 Metasploit, 459 MySQL archive, 126 Net::RawIP Perl module, 503 Nmap, 47 Offline NT Password & Registry Editor, 34 “One Way Cable Preparation Guide” (Gray), 59 Packet Factory, 501 patch-o-matic, 637 Pcap-aware tools, 382 PCRE package, 123 perfmon-graph, 457 perfmon-graph tool, 675 PHP, 17 PHPlot library, 392 Port Scan Attack Detector, 648 promiscuous interface detection programs, 90 for protocol-based analysis IDS, 24 Request for Comments, 383 RFC3164 message format, 557–558 RPMs, 132, 133 rrdtool, 458 rules updates, 442 for rules updates, 452 SAM, 336 for security, 93 SecurityFocus IDS mailing list, 259 sguil, 567 Sneeze, 502 Snort, 127 Snort add-ons, 70–72 Snort preprocessors, 64 Snort resources, 56 Snort source code, 157 SnortSnarf, 422 Snot, 46, 519 software downloads, 61 StackGuard and SubDomain, 92 Stick, 46 stress-test tools, 520 SUSE Linux download, 100 target-based IDSs, 40 tcl tools, 411 TCP/IP stack system benchmarks, 61 Telnet protocol, 279 for updates, 462 updates management, 463 User-Mode Linux, 458 Virtual PC, 458 VMware, 458 wget command, 614 Whisker, 520 Win32, 480–484 WinCVS, 160 WinPcap, 141–142 winvnc.exe, 88 with-mysql-includes=, 539 with-mysql-libraries=, 539 with-postgres-includes=, 539 withpid, 559 witty worm, 443 worms active response and, 670 defined, 694 MyDoom, 30 overview of, 6–8 Slammer, 607 Snort and, 40–42 thresholding and, 172 write speed, of hard drives, 476 writing rules See rules, writing WWWBoard passwd.txt access attack Fwsnort and, 643–650 overview of, 613–616 Snort_inline and, 660–663 Snortsam and, 626–643 X X, 150 X Windows, 132–133 Xcriptd, 416 XML (Extensible Markup Language), 322, 370–371 Y y, 150 yacc, 61, 62 Yet Another Setup Tool (YaST) adding tools in GUI-free environment, 117–118 adding tools with, 114–116 Linux stripping with, 106–107 Snort installation from RPM, 132–133 SQL installation with, 124–126 YOU (Online Update tool), 111 Z z, 150 -z option, 246 GNU GENERAL PUBLIC LICENSE Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed Preamble The licenses for most software are designed to take away your freedom to share and change it By contrast, the GNU General Public License is intended to guarantee your freedom to share and change free software—to make sure the soft­ ware is free for all its users.This General Public License applies to most of the Free Software Foundation’s software and to any other program whose authors commit to using it (Some other Free Software Foundation software is covered by the GNU Library General Public License instead.) You can apply it to your programs, too When we speak of free software, we are referring to freedom, not price Our General Public Licenses are designed to make sure that you have the freedom to distribute copies of free software (and charge for this service if you wish), that you receive source code or can get it if you want it, that you can change the software or use pieces of it in new free programs; and that you know you can these things To protect your rights, we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights.These restrictions translate to certain responsibilities for you if you distribute copies of the software, or if you modify it For example, if you distribute copies of such a program, whether gratis or for a fee, you must give the recipients all the rights that you have.You must make sure that they, too, receive or can get the source code And you must show them these terms so they know their rights We protect your rights with two steps: (1) copyright the software, and (2) offer you this license which gives you legal per­ mission to copy, distribute and/or modify the software Also, for each author’s protection and ours, we want to make certain that everyone understands that there is no warranty for this free software If the software is modified by someone else and passed on, we want its recipients to know that what they have is not the original, so that any problems introduced by others will not reflect on the original authors’ reputa­ tions Finally, any free program is threatened constantly by software patents We wish to avoid the danger that redistributors of a free program will individually obtain patent licenses, in effect making the program proprietary.To prevent this, we have made it clear that any patent must be licensed for everyone’s free use or not licensed at all The precise terms and conditions for copying, distribution and modification follow TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION This License applies to any program or other work which contains a notice placed by the copyright holder saying it may be distributed under the terms of this General Public License.The “Program”, below, refers to any such program or work, and a “work based on the Program” means either the Program or any derivative work under copyright law: that is to say, a work containing the Program or a portion of it, either verbatim or with modifications and/or translated into another lan­ guage (Hereinafter, translation is included without limitation in the term “modification”.) Each licensee is addressed as “you” Activities other than copying, distribution and modification are not covered by this License; they are outside its scope.The act of running the Program is not restricted, and the output from the Program is covered only if its contents constitute a work based on the Program (independent of having been made by running the Program) Whether that is true depends on what the Program does You may copy and distribute verbatim copies of the Program’s source code as you receive it, in any medium, provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty; keep intact all the notices that refer to this License and to the absence of any warranty; and give any other recipients of the Program a copy of this License along with the Program You may charge a fee for the physical act of transferring a copy, and you may at your option offer warranty protection in exchange for a fee You may modify your copy or copies of the Program or any portion of it, thus forming a work based on the Program, and copy and distribute such modifications or work under the terms of Section above, provided that you also meet all of these conditions: a) You must cause the modified files to carry prominent notices stating that you changed the files and the date of any change Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com b) You must cause any work that you distribute or publish, that in whole or in part contains or is derived from the Program or any part thereof, to be licensed as a whole at no charge to all third parties under the terms of this License c) If the modified program normally reads commands interactively when run, you must cause it, when started running for such interactive use in the most ordinary way, to print or display an announcement including an appropriate copyright notice and a notice that there is no warranty (or else, saying that you provide a warranty) and that users may redistribute the program under these conditions, and telling the user how to view a copy of this License (Exception: if the Program itself is interactive but does not normally print such an announcement, your work based on the Program is not required to print an announcement.) These requirements apply to the modified work as a whole If identifiable sections of that work are not derived from the Program, and can be reasonably considered independent and separate works in themselves, then this License, and its terms, not apply to those sections when you distribute them as separate works But when you distribute the same sections as part of a whole which is a work based on the Program, the distribution of the whole must be on the terms of this License, whose permissions for other licensees extend to the entire whole, and thus to each and every part regardless of who wrote it Thus, it is not the intent of this section to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works based on the Program In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License You may copy and distribute the Program (or a work based on it, under Section 2) in object code or executable form under the terms of Sections and above provided that you also one of the following: a) Accompany it with the complete corresponding machine-readable source code, which must be distributed under the terms of Sections and above on a medium customarily used for software interchange; or, b) Accompany it with a written offer, valid for at least three years, to give any third party, for a charge no more than your cost of physically performing source distribution, a complete machine-readable copy of the corresponding source code, to be distributed under the terms of Sections and above on a medium customarily used for software interchange; or, c) Accompany it with the information you received as to the offer to distribute corresponding source code (This alterna­ tive is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it For an executable work, complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable However, as a special exception, the source code dis­ tributed need not include anything that is normally distributed (in either source or binary form) with the major components (compiler, kernel, and so on) of the operating system on which the executable runs, unless that component itself accompanies the executable If distribution of executable or object code is made by offering access to copy from a designated place, then offering equiv­ alent access to copy the source code from the same place counts as distribution of the source code, even though third par­ ties are not compelled to copy the source along with the object code You may not copy, modify, sublicense, or distribute the Program except as expressly provided under this License Any attempt otherwise to copy, modify, sublicense or distribute the Program is void, and will automatically terminate your rights under this License However, parties who have received copies, or rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance You are not required to accept this License, since you have not signed it However, nothing else grants you permission to modify or distribute the Program or its derivative works.These actions are prohibited by law if you not accept this License.Therefore, by modifying or distributing the Program (or any work based on the Program), you indicate your acceptance of this License to so, and all its terms and conditions for copying, distributing or modifying the Program or works based on it Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions.You may not impose any further restrictions on the recipients’ exercise of the rights granted herein.You are not responsible for enforcing compliance by third parties to this License If, as a consequence of a court judgment or allegation of patent infringement or for any other reason (not limited to patent issues), conditions are imposed on you (whether by court order, agreement or otherwise) that contradict the condi­ tions of this License, they not excuse you from the conditions of this License If you cannot distribute so as to satisfy simultaneously your obligations under this License and any other pertinent obligations, then as a consequence you may not distribute the Program at all For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and this Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance, the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other property right claims or to contest validity of any such claims; this section has the sole purpose of protecting the integrity of the free software distribution system, which is implemented by public license practices Many people have made generous contributions to the wide range of software distributed through that system in reliance on consistent application of that system; it is up to the author/donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License If the distribution and/or use of the Program is restricted in certain countries either by patents or by copyrighted inter­ faces, the original copyright holder who places the Program under this License may add an explicit geographical distribu­ tion limitation excluding those countries, so that distribution is permitted only in or among countries not thus excluded In such case, this License incorporates the limitation as if written in the body of this License The Free Software Foundation may publish revised and/or new versions of the General Public License from time to time Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns Each version is given a distinguishing version number If the Program specifies a version number of this License which applies to it and “any later version”, you have the option of following the terms and conditions either of that version or of any later version published by the Free Software Foundation If the Program does not specify a version number of this License, you may choose any version ever published by the Free Software Foundation 10 If you wish to incorporate parts of the Program into other free programs whose distribution conditions are different, write to the author to ask for permission For software which is copyrighted by the Free Software Foundation, write to the Free Software Foundation; we sometimes make exceptions for this Our decision will be guided by the two goals of pre­ serving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally NO WARRANTY 11 BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE,THERE IS NO WARRANTY FOR THE PROGRAM,TO THE EXTENT PERMITTED BY APPLICABLE LAW EXCEPT WHEN OTHER WISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIM­ ITED TO,THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE,YOU ASSUME THE COST OF ALL NECESSARY SER­ VICING, REPAIR OR CORRECTION 12 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDITIONS How to Apply These Terms to Your New Programs If you develop a new program, and you want it to be of the greatest possible use to the public, the best way to achieve this is to make it free software which everyone can redistribute and change under these terms To so, attach the following notices to the program It is safest to attach them to the start of each source file to most effectively convey the exclusion of warranty; and each file should have at least the “copyright” line and a pointer to where the full notice is found one line to give the program’s name and an idea of what it does Copyright (C) yyyy name of author This program is free software; you can redistribute it and/or Simpo PDF Merge and Split Unregistered Version - http://www.simpopdf.com modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version of the License, or (at your option) any later version This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License for more details You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA Also add information on how to contact you by electronic and paper mail If the program is interactive, make it output a short notice like this when it starts in an interactive mode: Gnomovision version 69, Copyright (C) year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w’ This is free software, and you are welcome to redistribute it under certain conditions; type `show c’ for details The hypothetical commands ‘show w’ and ‘show c’ should show the appropriate parts of the General Public License Of course, the commands you use may be called something other than ‘show w’ and ‘show c’; they could even be mouse-clicks or menu items—whatever suits your program You should also get your employer (if you work as a programmer) or your school, if any, to sign a “copyright disclaimer” for the program, if necessary Here is a sample; alter the names: Yoyodyne, Inc., hereby disclaims all copyright interest in the program `Gnomovision’ (which makes passes at compilers) written by James Hacker signature of Ty Coon, April 1989 Ty Coon, President of Vice This General Public License does not permit incorporating your program into proprietary programs If your program is a subroutine library, you may consider it more useful to permit linking proprietary applications with the library If this is what you want to do, use the GNU Library General Public License instead of this License SYNGRESS PUBLISHING LICENSE AGREEMENT THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY SYNGRESS PUBLISHING, INC (“SYNGRESS”) AND ITS LICENSORS.YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT LICENSE: Throughout this License Agreement,“you” shall mean either the individual or the entity whose agent opens this package.You are granted a limited, non-exclusive and non-transferable license to use the Product subject to the following terms: (i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU) If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii) (ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than Simpo PDF any building included in such site In addition, you may only use a local area or wide area network version five (5) miles away from Merge and Split Unregistered Version - http://www.simpopdf.com of the Product on one single server If you wish to use the Product on more than one server, you must obtain written authorization from Syngress and pay additional fees (iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times PROPRIETARY RIGHTS; RESTRICTIONS ON USE AND TRANSFER: All rights (including patent and copyright) in and to the Product are owned by Syngress and its licensors.You are the owner of the enclosed disc on which the Product is recorded.You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement.You must reproduce the copyright notices, trademark notices, legends and logos of Syngress and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder All rights in the Product not expressly granted herein are reserved by Syngress and its licensors TERM: This License Agreement is effective until terminated It will terminate if you fail to comply with any term or condition of this License Agreement Upon termination, you are obligated to return to Syngress the Product together with all copies thereof and to purge and destroy all copies of the Product included in any and all systems, servers and facilities DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY OF THE PRODUCT ARE LICENSED “AS IS” SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT AND/OR ANY INFORMATION OR DATA INCLUDED THEREIN SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT AND/OR ANY INFORMATION OR DATA INCLUDED THEREIN IN ADDITION, SYNGRESS, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTY REGARDING THE ACCURACY, ADEQUACY OR COMPLETENESS OF THE PRODUCT AND/OR ANY INFORMATION OR DATA INCLUDED THEREIN NEITHER SYNGRESS, ANY OF ITS LICENSORS, NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE.YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT LIMITED WARRANTY FOR DISC: To the original licensee only, Syngress warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase In the event of a defect in the disc covered by the foregoing warranty, Syngress will replace the disc LIMITATION OF LIABILITY: NEITHER SYNGRESS, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, CONSEQUENTIAL OR SIMILAR DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT,TORT, OR OTHER WISE Some states not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you U.S GOVERNMENT RESTRICTED RIGHTS If the Product is acquired by or for the U.S Government then it is provided with Restricted Rights Use, duplication or disclosure by the U.S Government is subject to the restrictions set forth in FAR 52.227-19.The contractor/manufacturer is Syngress Publishing, Inc at 800 Hingham Street, Rockland, MA 02370 GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product The terms of any Purchase Order shall have no effect on the terms of this License Agreement Failure of Syngress to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement This License Agreement shall be construed and governed in accordance with the laws of the Commonwealth of Massachusetts If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect *If you not agree, please return this product to the place of purchase for a refund Simpo PDF Merge and Split Unregistered Syngress: The Definition ofVersion - http://www.simpopdf.com a Serious Security Library Syn•gress (sin-gres): noun, sing Freedom from risk or danger; safety See security AVAILABLE NOW Ethereal Packet Sniffing order @ www.syngress.com Ethereal offers more protocol decoding and reassembly than any free sniffer out there and ranks well among the commercial tools You’ve all used tools like tcpdump or windump to examine indi­ vidual packets, but Ethereal makes it easier to make sense of a stream of ongoing network communications Ethereal not only makes network troubleshooting work far easier, but also aids greatly in network forensics, the art of finding and exam­ ining an attack, by giving a better “big picture” view Ethereal Packet Sniffing will show you how to make the most out of your use of Ethereal ISBN: 1-932266-82-8 Price: $49.95 U.S $77.95 CAN Nessus Network Auditing AVAILABLE JUNE, 2004 order @ Crackers constantly probe machines looking for www.syngress.com both old and new vulnerabilities In order to avoid becoming a casualty of a casual cracker, savvy sys admins audit their own machines before they're probed by hostile outsiders (or even hostile insiders) Nessus is the premier Open Source vulnerability assessment tool, and was recently voted the “most popular” open source security tool of any kind This is the first book available on Nessus and it is written by the world's premier Nessus developers led by the creator of Nessus, Renaud Deraison ISBN: 1-931836-08-6 Price: $49.95 U.S $69.95 CAN AVAILABLE NOW order @ www.syngress.com Stealing the Network: How to Own a Continent Last year, Stealing the Network: How to Own the Box became a blockbuster bestseller and garnered universal acclaim as a techno-thriller firmly rooted in reality and technical accuracy Now, the sequel is available and it's even more contro­ versial than the original Stealing the Network: How to Own a Continent does for cyber-terrorism buffs what “Hunt for Red October” did for cold-war era military buffs, it develops a chillingly realistic plot that taps into our sense of dread and fascination with the terrible possibilities of man's inventions run amuck ISBN: 1-931836-05-1 Price: $49.95 U.S $69.95 CAN ... Figure 12.27 Snort_ Inline Network Architecture evilhost (207.174.x.x) NFS server (1 92.16 8 .10. 30) firewall (68.48.x.x) switch Intnernet 1 92.16 8 .10. 1 Snort_ inline Web server (1 92.16 8 .10. 20) Web Server... honeypots and Snort, dealing with law enforcement, policy-based intrusion detection, and inline intrusion detection. These additional functions work alongside Snort? ??s normal intrusion detection capabilities... response to intrusion detection events We presented three software applications—Snortsam, Fwsnort, and Snort_ inline—that employ a different strategy for reacting to Snort IDS events Snortsam is