Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, Mysql, PHP, and ACID

Total Page:16

File Type:pdf, Size:1020Kb

Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, Mysql, PHP, and ACID Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID perens_series.fm Page 1 Thursday, April 10, 2003 1:43 AM BRUCE PERENS’ OPEN SOURCE SERIES ◆ Managing Linux Systems with Webmin: System Administration and Module Development Jamie Cameron ◆ Implementing CIFS: The Common Internet File System Christopher R. Hertel ◆ Embedded Software Development with eCos Anthony J. Massa ◆ The Linux Development Platform: Configuring, Using, and Maintaining a Complete Programming Environment Rafeeq Ur Rehman, Christopher Paul ◆ Intrusion Detection Systems with Snort: Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and ACID Rafeeq Ur Rehman Intrusion Detection Systems with Snort Advanced IDS Techniques Using Snort, Apache, MySQL, PHP, and ACID Rafeeq Ur Rehman Prentice Hall PTR Upper Saddle River, New Jersey 07458 www.phptr.com Library of Congress Cataloging-in-Publication Data A CIP catalog record for this book can be obtained from the Library of Congress. Editorial/production supervision: Mary Sudul Cover design director: Jerry Votta Cover design: DesignSource Manufacturing manager: Maura Zaldivar Acquisitions editor: Jill Harry Editorial assistant: Noreen Regina Marketing manager: Dan DePasquale © 2003 Pearson Education, Inc. Publishing as Prentice Hall PTR Upper Saddle River, New Jersey 07458 This material may be distributed only subject to the terms and conditions set forth in the Open Publication License, v1.0 or later (the latest version is presently available at <http://www.opencontent.org/openpub/>). Prentice Hall books are widely used by corporations and government agencies for training, marketing, and resale. The publisher offers discounts on this book when ordered in bulk quantities. For more information, contact Corporate Sales Department, Phone: 800-382-3419; FAX: 201-236-7141; E-mail: [email protected] Or write: Prentice Hall PTR, Corporate Sales Dept., One Lake Street, Upper Saddle River, NJ 07458. Other product or company names mentioned herein are the trademarks or registered trademarks of their respective owners. Printed in the United States of America 1st Printing ISBN 0-13-140733-3 Pearson Education LTD. Pearson Education Australia PTY, Limited Pearson Education Singapore, Pte. Ltd. Pearson Education North Asia Ltd. Pearson Education Canada, Ltd. Pearson Educación de Mexico, S.A. de C.V. Pearson Education — Japan Pearson Education Malaysia, Pte. Ltd. To open source and free software developers C ONTENTS Chapter 1 Introduction to Intrusion Detection and Snort 1 1.1 What is Intrusion Detection? 5 1.1.1 Some Definitions 6 1.1.2 Where IDS Should be Placed in Network Topology 8 1.1.3 Honey Pots 9 1.1.4 Security Zones and Levels of Trust 10 1.2 IDS Policy 10 1.3 Components of Snort 12 1.3.1 Packet Decoder 13 1.3.2 Preprocessors 13 1.3.3 The Detection Engine 14 1.3.4 Logging and Alerting System 15 1.3.5 Output Modules 15 1.4 Dealing with Switches 16 1.5 TCP Stream Follow Up 18 1.6 Supported Platforms 18 1.7 How to Protect IDS Itself 19 1.7.1 Snort on Stealth Interface 20 1.7.2 Snort with no IP Address Interface 20 1.8 References 21 vii viii Contents Chapter 2 Installing Snort and Getting Started 23 2.1 Snort Installation Scenarios 24 2.1.1 Test Installation 24 2.1.2 Single Sensor Production IDS 24 2.1.3 Single Sensor with Network Management System Integration 25 2.1.4 Single Sensor with Database and Web Interface 25 2.1.5 Multiple Snort Sensors with Centralized Database 26 2.2 Installing Snort 28 2.2.1 Installing Snort from the RPM Package 28 2.2.2 Installing Snort from Source Code 29 2.2.3 Errors While Starting Snort 43 2.2.4 Testing Snort 43 2.2.5 Running Snort on a Non-Default Interface 51 2.2.6 Automatic Startup and Shutdown 52 2.3 Running Snort on Multiple Network Interfaces 54 2.4 Snort Command Line Options 55 2.5 Step-By-Step Procedure to Compile and Install Snort From Source Code 56 2.6 Location of Snort Files 56 2.7 Snort Modes 58 2.7.1 Network Sniffer Mode 58 2.7.2 Network Intrusion Detection Mode 65 2.8 Snort Alert Modes 66 2.8.1 Fast Mode 67 2.8.2 Full Mode 68 2.8.3 UNIX Socket Mode 68 2.8.4 No Alert Mode 69 2.8.5 Sending Alerts to Syslog 69 2.8.6 Sending Alerts to SNMP 69 2.8.7 Sending Alerts to Windows 70 2.9 Running Snort in Stealth Mode 71 2.10 References 73 Chapter 3 Working with Snort Rules 75 3.1 TCP/IP Network Layers 76 3.2 The First Bad Rule 77 3.3 CIDR 78 3.4 Structure of a Rule 79 Contents ix 3.5 Rule Headers 81 3.5.1 Rule Actions 81 3.5.2 Protocols 83 3.5.3 Address 84 3.5.4 Port Number 86 3.5.5 Direction 88 3.6 Rule Options 88 3.6.1 The ack Keyword 89 3.6.2 The classtype Keyword 89 3.6.3 The content Keyword 93 3.6.4 The offset Keyword 94 3.6.5 The depth Keyword 95 3.6.6 The content-list Keyword 95 3.6.7 The dsize Keyword 95 3.6.8 The flags Keyword 96 3.6.9 The fragbits Keyword 97 3.6.10 The icmp_id Keyword 98 3.6.11 The icmp_seq Keyword 98 3.6.12 The itype Keyword 98 3.6.13 The icode Keyword 99 3.6.14 The id Keyword 100 3.6.15 The ipopts Keyword 100 3.6.16 The ip_proto Keyword 101 3.6.17 The logto Keyword 102 3.6.18 The msg Keyword 103 3.6.19 The nocase Keyword 103 3.6.20 The priority Keyword 103 3.6.21 The react Keyword 104 3.6.22 The reference Keyword 104 3.6.23 The resp Keyword 105 3.6.24 The rev Keyword 107 3.6.25 The rpc Keyword 107 3.6.26 The sameip Keyword 108 3.6.27 The seq Keyword 108 3.6.28 The flow Keyword 108 3.6.29 The session Keyword 109 3.6.30 The sid Keyword 110 3.6.31 The tag Keyword 110 3.6.32 The tos Keyword 111 3.6.33 The ttl Keyword 111 x Contents 3.6.34 The uricontent Keyword 111 3.7 The Snort Configuration File 112 3.7.1 Using Variables in Rules 112 3.7.2 The config Directives 114 3.7.3 Preprocessor Configuration 116 3.7.4 Output Module Configuration 116 3.7.5 Defining New Action Types 117 3.7.6 Rules Configuration 117 3.7.7 Include Files 117 3.7.8 Sample snort.conf File 118 3.8 Order of Rules Based upon Action 119 3.9 Automatically Updating Snort Rules 120 3.9.1 The Simple Method 120 3.9.2 The Sophisticated and Complex Method 122 3.10 Default Snort Rules and Classes 125 3.10.1 The local.rules File 127 3.11 Sample Default Rules 127 3.11.1 Checking su Attempts from a Telnet Session 127 3.11.2 Checking for Incorrect Login on Telnet Sessions 128 3.12 Writing Good Rules 128 3.13 References 129 Chapter 4 Plugins, Preprocessors and Output Modules 131 4.1 Preprocessors 132 4.1.1 HTTP Decode 133 4.1.2 Port Scanning 134 4.1.3 The frag2 Module 135 4.1.4 The stream4 Module 136 4.1.5 The spade Module 137 4.1.6 ARP Spoofing 138 4.2 Output Modules 139 4.2.1 The alert_syslog Output Module 140 4.2.1 The alert_full Output Module 143 4.2.1 The alert_fast Output Module 143 4.2.1 The alert_smb Module 143 4.2.1 The log_tcpdump Output Module 144 4.2.1 The XML Output Module 146 4.2.1 Logging to Databases 150 4.2.1 CSV Output Module 151 Contents xi 4.2.1 Unified Logging Output Module 153 4.2.1 SNMP Traps Output Module 154 4.2.1 Log Null Output Module 155 4.3 Using BPF Fileters 155 4.4 References 156 Chapter 5 Using Snort with MySQL 157 5.1 Making Snort Work with MySQL 160 5.1.1 Step 1: Snort Compilations with MySQL Support 161 5.1.1 Step 2: Install MySQL 161 5.1.1 Step 3: Creating Snort Database in MySQL 161 5.1.1 Step 4: Creating MySQL User and Granting Permissions to User and Setting Password 163 5.1.1 Step 5: Creating Tables in the Snort Database 164 5.1.1 Step 6: Modify snort.conf Configuration File 170 5.1.1 Step 7: Starting Snort with Database Support 171 5.1.1 Step 8: Logging to Database 172 5.2 Secure Logging to Remote Databases Securely Using Stunnel 174 5.3 Snort Database Maintenance 175 5.3.1 Archiving the Database 175 5.3.2 Using Sledge Hammer: Drop the Database 176 5.4 References 176 Chapter 6 Using ACID and SnortSnarf with Snort 177 6.1 What is ACID? 178 6.2 Installation and Configuration 179 6.3 Using ACID 184 6.3.1 ACID Main Page 188 6.3.2 Listing Protocol Data 189 6.3.3 Alert Details 191 6.3.4 Searching 192 6.3.5 Searching whois Databases 197 6.3.6 Generating Graphs 198 6.3.7 Archiving Snort Data 198 6.3.8 ACID Tables 201 6.4 SnortSnarf 202 6.5 Barnyard 207 6.6 References 207 xii Contents Chapter 7 Miscellaneous Tools 209 7.1 SnortSam 210 7.2 IDS Policy Manager 212 7.3 Securing the ACID Web Console 217 7.3.1 Using a Private Network 217 7.3.2 Blocking Access to the Web Server on the Firewall 218 7.3.3 Using iptables 218 7.4 Easy IDS 218 7.5 References 219 Appendix A Introduction to tcpdump 221 Appendix B Getting Started with MySQL 223 Appendix C Packet Header Formats 237 Appendix D Glossary 243 Appendix E SNML DTD 245 Index 251 C HAPTER 1 Introduction to Intrusion Detection and Snort ecurity is a big issue for all networks in today’s enterprise environ- Sment.
Recommended publications
  • Intrusion Detection Systems for Smart Home Iot Devices: Experimental Comparison Study
    Intrusion Detection Systems for Smart Home IoT Devices: Experimental Comparison Study Faisal Alsakran1, Gueltoum Bendiab1, Stavros Shiaeles2, and Nicholas Kolokotronis3 1 CSCAN, University of Plymouth, PL4 8AA, Plymouth, UK [email protected], [email protected] 2 School of Computing, University of Portsmouth, PO1 2UP, Portsmouth, UK [email protected] 3 Department of Informatics and Telecommunications, University of Peloponnese, 22131 Tripolis, Greece [email protected] ABSTRACT Smart homes are one of the most promising applications of the 1 INTRODUCTION emerging Internet of Things (IoT) technology. With the growing Smart home technology also often referred to as home automation number of IoT related devices such as smart thermostats, smart allows the entire home to be automated and therefore, the connected fridges, smart speaker, smart light bulbs and smart locks, smart smart home devices can be remotely controlled and operated, from any homes promise to make our lives easier and more comfortable. location in the world, through a smartphone app, iPads or other network However, the increased deployment of such smart devices brings an devices [13]. In recent years, smart home technology is gaining increase in potential security risks and home privacy breaches. In tremendous ground at all levels. Economic reports affirm that connected order to overcome such risks, Intrusion Detection Systems are home market becomes the largest IoT segment at seven billion related presented as pertinent tools that can provide network-level smart devices in 2018, which present 26% of the global IoT devices protection for smart devices deployed in home environments. These market [14]. According to Gartner [32] this segment is expected to grow systems monitor the network activities of the smart home-connected to 20.4 billion devices by 2020.
    [Show full text]
  • Effective Implementation of Dynamic Classification for Network Forensic and Traffic Analysis
    International Journal of Computing and Business Research (IJCBR) ISSN (Online) : 2229-6166 Volume 6 Issue 2 March 2015 EFFECTIVE IMPLEMENTATION OF DYNAMIC CLASSIFICATION FOR NETWORK FORENSIC AND TRAFFIC ANALYSIS Manu Bansal Assistant Professor Department of IT University Institute of Engineering & Technology Panjab University, Sector 25, Chandigarh ABSTRACT Packet capturing is one of classical and most frequently used task performed by the network administrators. This is done to fetch the packets traveling in the network and finally detect any suspicious activity in the network. Finally, any out of the way activity or abnormal activity is analyzed by the intrusion detection system (IDS) tools for classification of attacks or type of the traffic. Enormous IDS tools are available including open source products which can classify the attacks or traffic from the PCAP (Packet Capture) Files fetched from honeypots or servers. This article explains about various aspects of PCAP and the detailed process of analyzing the PCAP using Snort IDS Tool for classification of traffic. Keywords – Network Forensic using Data Mining, PCAP Analysis, Honeypot and Honeynets International Journal of Computing and Business Research (IJCBR) ISSN (Online) : 2229-6166 Volume 6 Issue 2 March 2015 INTRODUCTION Network administrators generally face the regular issues of intrusion in their network by different media. To cope up with such issues, they make use of pcap (packet capture) that is having the application programming interface (API) for capturing the network traffic from different dimensions including ports, IP Addresses and associated parameters. In case of Unix- like systems, pcap is implemented in libpcap library. In case of Windows, it implements a port of libpcap that is known as WinPcap.
    [Show full text]
  • Snort for Dummies.Pdf
    01_568353 ffirs.qxd 6/3/04 10:07 AM Page i Snort ™ FOR DUMmIES‰ 01_568353 ffirs.qxd 6/3/04 10:07 AM Page ii 01_568353 ffirs.qxd 6/3/04 10:07 AM Page iii Snort ™ FOR DUMmIES‰ by Charlie Scott, Paul Wolfe, and Bert Hayes 01_568353 ffirs.qxd 6/3/04 10:07 AM Page iv Snort™ For Dummies® Published by Wiley Publishing, Inc. 111 River Street Hoboken, NJ 07030-5774 Copyright © 2004 by Wiley Publishing, Inc., Indianapolis, Indiana Published by Wiley Publishing, Inc., Indianapolis, Indiana Published simultaneously in Canada No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permis- sion of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, e-mail: brandreview@ wiley.com. Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission.
    [Show full text]
  • Intrusion Detection System and Intrusion Prevention System with Snort Provided by Security Onion
    Bezborodov Sergey Intrusion Detection System and Intrusion Prevention System with Snort provided by Security Onion. Bachelor’s Thesis Information Technology May 2016 DESCRIPTION Date of the bachelor's thesis 06.05.2016 Author(s) Degree programme and option Bezborodov Sergey Information Technology Name of the bachelor's thesis Intrusion Detection Systems and Intrusion Prevention System with Snort provided by Security Onion. Abstract In this thesis I wanted to get familiar with Snort IDS/IPS. I used the Security Onion distribution with a lot of security tools, but I concentrated on Snort. Also I needed to evaluate Security Onion environment and check what features it provides for processing with Snort. During the work I needed to figure out the pros and cons of using Security Onion with Snort as a security system for network. I compared it with alternatives and briefly describe it. As result I installed Security Onion, work with the environment, configured different features, created and modified rules and so on. I think this thesis will be helpful for people who want to use IDS/IPS for their network, it should help them to choose IDS/IPS vendor, make Security Onion and Snort installation, make comparison with another one and just get familiar with the network security tools. Also, this thesis can be a part of big research of network security tools, because now is impossible to find such detailed guides and literatures about any IDS/IPS tools. It is a good idea to combine many researches about it and make a good library. This thesis can be used for further development of Snort and Security Onion as it only on the development phase now, it will provide base for new researching with new versions.
    [Show full text]
  • Review on Few Cyber Security Tools
    International Research Journal of Engineering and Technology (IRJET) e-ISSN: 2395 -0056 Volume: 04 Issue: 05 | May -2017 www.irjet.net p-ISSN: 2395-0072 Review on few cyber security tools Sharanya K Rai1, Rampur Srinath2 1M. Tech, Dept of ISE, National Institute of Engineering, Mysuru, Karnataka, India 2Associate Professor, Dept of ISE, National Institute of Engineering, Mysuru, Karnataka, India ---------------------------------------------------------------------***--------------------------------------------------------------------- Abstract - A cyberattack is any type of attempt to destroy, wipe out the data from the hard disk and can uncover, change, disable, steal or gain unauthorized access to create malfunctioning of the attached devices in or make unauthorized use of an asset. Every year the number the system such as modem, CD drive, etc. of cyber security attacks keeps on increasing. Hence there is a c) Crimes targeted at organizations: Attackers use need for strong cyber security measures. Increase in the computer tools and the internet to steal the number of cyberattack is causing damage to companies, private information and also cause damage to the governments and individuals. Hence the organizations need to programs, files or some other data. take proper measures to safeguard themselves against the Eavesdropping, Man in the middle attack are attacks. In this paper I am presenting some cyber security some of the attacks the cyber criminals do. tools which deals with some of the aspects such as malware 1.2 Need for cyber security attack, network security etc. Unfortunately the cybercrimes are growing rapidly across Key Words: Eavesdropping, Network security, Traffic the globe. Attackers make internet as a media to attack the analysis, Intrusion detection, Brute-force attack, File system/data.
    [Show full text]
  • Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment
    Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment Log Management and Intrusion Detection solutions have been evolving for years. Yet, it remains a challenge for organizations of all sizes to meet the operational, audit and security needs using these solutions. This paper presents a solution to bridge logging, log based intrusion detection and network based intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting approach necessary for security, compliance and q... Copyright SANS Institute Author Retains Full Rights AD Logging and Monitoring to Detect Network Intrusions and Compliance Violations in the Environment . ts h g ri GIAC (GCIA) Gold Certification ll u f Author: Sunil Gupta, [email protected] s Advisor: Dr. Kees Leune in ta re r Accepted: July 4, 2012o th u , A te tu ti Abstract s n Log Management and Intrusion I Detection solutions have been evolving for years. Yet, it remains a challenge for organizationsS of all sizes to meet the operational, audit and security needs using these solutions. ThisN paper presents a solution to bridge logging, log based intrusion detection A and network Sbased intrusion detection using well known free open source tools available on the Security Onion Linux Distribution. It walks through the logging, monitoring and alerting 12 approach0 necessary for security, compliance and quality of service.
    [Show full text]
  • A Modular Architecture for Security Tools (MAST)
    Iowa State University Capstones, Theses and Retrospective Theses and Dissertations Dissertations 1-1-2005 A modular architecture for security tools (MAST) Pascal Openshaw Iowa State University Follow this and additional works at: https://lib.dr.iastate.edu/rtd Recommended Citation Openshaw, Pascal, "A modular architecture for security tools (MAST)" (2005). Retrospective Theses and Dissertations. 19204. https://lib.dr.iastate.edu/rtd/19204 This Thesis is brought to you for free and open access by the Iowa State University Capstones, Theses and Dissertations at Iowa State University Digital Repository. It has been accepted for inclusion in Retrospective Theses and Dissertations by an authorized administrator of Iowa State University Digital Repository. For more information, please contact [email protected]. A Modular Architecture for Security Tools {MAST) by Pascal Openshaw A thesis submitted to the graduate faculty in partial fulfillment of the requirements for the degree of MASTER OF SCIENCE Co-majors: Computer Engineering; Information Assurance Program of Study Committee: Doug Jacobson, Major Professor Yong Guan Adrian Sannier Iowa State University Ames, Iowa 2005 Copyright @Pascal Openshaw, 2005. All rights reserved. ii Graduate College Iowa State University This is to certify that the Master's thesis of Pascal Openshaw has met the thesis requirements of Iowa State University Signatures have been redacted for privacy lll TABLE OF CONTENTS CHAPTER 1. Overview . 1 1.1 Introduction . 1 1.2 History 2 1.2.1 Common areas 2 1.2.2 Additional security tools . 3 1.2.3 Putting them all together 3 1.3 The MAST solution 4 1.3.l A voiding vendor lock-in 6 1.3.2 Tradeoffs 6 1.3.3 Information collection 7 1.4 Sample scenarios 9 1.5 Potential modules 9 1.5.1 Application profiles .
    [Show full text]
  • Open Source Ids/Ips in a Production Environment: Comparing, Assessing and Implementing
    UNIVERSIDADE DE LISBOA FACULDADE DE CIENCIASˆ DEPARTAMENTO DE INFORMATICA´ OPEN SOURCE IDS/IPS IN A PRODUCTION ENVIRONMENT: COMPARING, ASSESSING AND IMPLEMENTING MESTRADO EM SEGURANC¸A INFORMATICA´ Joao˜ Paulo da Costa Calado Trabalho de projeto orientado por: Prof. Doutor Hugo Alexandre Tavares Miranda e co-orientado pelo Lic. Pedro Miguel Raminhos Ribeiro Botas 2018 This page intentionally left blank. Acknowledgments I would like to start by thanking both Pedro and professor Miranda. Thank you for the opportunity of doing something that I like, but most importantly where I find challenge. Thank you for believing in Free/Libre and Open Source Software, I really believe we are making a difference with it. A big ”THANK YOU” to the teachers I found along the way, I don’t think they’ll ever know how they touch our lives and how deeply we keep their teachings with us. I will miss this interaction. Thanks to professor Joao˜ Ascenso, he is definitely the person responsible for the path that my career and studies have taken, the one who awakened my interest for such topics. Would like to thank my colleagues from school, the ones that, for the last couple of years, shared their time, their knowledge, their experiences, their strength in despair, courage and determination. The ones that did not throw in the towel, and the ones that do not dare to consider it. My colleagues at work, with whom I can always count to take the discussion a step further, to keep me challenged and to obtain both personal and professional guidance. I am grateful to everyone who has believed and supported me for the last couple of years and throughout this path.
    [Show full text]
  • Cisco Firepower Application Detector Reference - VDB 303
    Cisco Firepower Application Detector Reference - VDB 303 First Published: 2018-08-09 Last Modified: 2018-08-10 Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
    [Show full text]
  • A Performance Analysis of Intru- Sion Detection with Snort and Se
    Linköping University | Department of Computer and Information Science Master’s thesis, 30 ECTS | Datateknik 2021 | LIU-IDA/LITH-EX-A--21/068--SE A Performance Analysis of Intru- sion Detection with Snort and Se- curity Information Management En Prestandaanalys av Intrångsdetektering med Snort och Hantering av Säkerhetsinformation Christian Thorarensen Supervisor : Mohammad Borhani Examiner : Andrei Gurtov External supervisor : Villiam Rydfalk Linköpings universitet SE–581 83 Linköping +46 13 28 10 00 , www.liu.se Upphovsrätt Detta dokument hålls tillgängligt på Internet - eller dess framtida ersättare - under 25 år från publicer- ingsdatum under förutsättning att inga extraordinära omständigheter uppstår. Tillgång till dokumentet innebär tillstånd för var och en att läsa, ladda ner, skriva ut enstaka ko- pior för enskilt bruk och att använda det oförändrat för ickekommersiell forskning och för undervis- ning. Överföring av upphovsrätten vid en senare tidpunkt kan inte upphäva detta tillstånd. All annan användning av dokumentet kräver upphovsmannens medgivande. För att garantera äktheten, säker- heten och tillgängligheten finns lösningar av teknisk och administrativ art. Upphovsmannens ideella rätt innefattar rätt att bli nämnd som upphovsman i den omfattning som god sed kräver vid användning av dokumentet på ovan beskrivna sätt samt skydd mot att dokumentet ändras eller presenteras i sådan form eller i sådant sammanhang som är kränkande för upphovsman- nens litterära eller konstnärliga anseende eller egenart. För ytterligare information om Linköping University Electronic Press se förlagets hemsida http://www.ep.liu.se/. Copyright The publishers will keep this document online on the Internet - or its possible replacement - for a period of 25 years starting from the date of publication barring exceptional circumstances.
    [Show full text]
  • How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
    Interested in learning more about security? SANS Institute InfoSec Reading Room This paper is from the SANS Institute Reading Room site. Reposting is not permitted without express written permission. How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk? Many organizations have deployed Snort sensors at their ingress points. Some may have deployed them between segmented internal networks. Others may have IDS sensors littered throughout the organization. Regardless of how the sensor is placed the IDS can provide a significant view into traffic crossing the network. With this data already being generated, how many organizations create metrics for further analysis? What metrics are valuable to security teams and how are they used? What insights can one gain by good metric... Copyright SANS Institute Author Retains Full Rights AD How!Can!You!Build!and!Leverage!SNORT!IDS!Metrics!to! Reduce!Risk?! GIAC (GCIA) Gold Certification Author:!Tim!Proffitt,[email protected]! Advisor:!David!Shinberg! AccePted:!August!19th!2013!! ! Abstract Many organizations have deployed Snort sensors at their ingress points. Some may have deployed them between segmented internal networks. Others may have IDS sensors littered throughout the organization. Regardless of how the sensor is placed the IDS can provide a significant view into traffic crossing the network. With this data already being generated, how many organizations create metrics for further analysis? What metrics are valuable to security teams and how are they used? What insights can one gain by good metrics and how can that be used to reduce risk to the organization? The paper will cover current technologies and techniques that can be used to create valuable metrics to aide security teams into making informed decisions.
    [Show full text]
  • Network Intrusion Detection, Third Edition by Stephen Northcutt, Judy Novak
    Network Intrusion Detection, Third Edition By Stephen Northcutt, Judy Novak Publisher : New Riders Publishing Pub Date : August 28, 2002 ISBN : 0-73571-265-4 Pages : 512 • Table of Contents The Chief Information Warfare Officer for the entire United States teaches you how to protect your corporate network. This book is a training aid and reference for intrusion detection analysts. While the authors refer to research and theory, they focus their attention on providing practical information. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. New to this edition is coverage of packet dissection, IP datagram fields, forensics, and snort filters. Table of Contents Copyright About the Authors About the Technical Reviewers Acknowledgments Tell Us What You Think Introduction Part I: TCP/IP Chapter 1. IP Concepts The TCP/IP Internet Model Packaging (Beyond Paper or Plastic) Addresses Service Ports IP Protocols Domain Name System Routing: How You Get There from Here Summary Chapter 2. Introduction to TCPdump and TCP TCPdump Introduction to TCP TCP Gone Awry Summary Chapter 3. Fragmentation Theory of Fragmentation Malicious Fragmentation Summary Chapter 4. ICMP ICMP Theory Mapping Techniques Normal ICMP Activity Malicious ICMP Activity To Block or Not to Block Summary Chapter 5. Stimulus and Response The Expected Protocol Benders Abnormal Stimuli Summary Chapter 6. DNS Back to Basics: DNS Theory Using DNS for Reconnaissance Tainting DNS Responses Summary Part II: Traffic Analysis Chapter 7. Packet Dissection Using TCPdump Why Learn to Do Packet Dissection? Sidestep DNS Queries Introduction to Packet Dissection Using TCPdump Where Does the IP Stop and the Embedded Protocol Begin? Other Length Fields Increasing the Snaplen Dissecting the Whole Packet Freeware Tools for Packet Dissection Summary Chapter 8.
    [Show full text]