SNORT Exposed Hakin9 StarterKit 01/2010
PRACTICAL PROTECTION IT SECURITY MAGAZINE

Dear Readers,

As you already know, Snort is the most widely deployed IDS/IPS technology worldwide. Developed by Sourcefire, Snort combines the benefits of signature-, protocol- and anomaly-based inspection.

In this Snort Special Issue Leon Ward, Joel Esler, Kishin Fatnani, Shivang Bhagat and Rishita Anubhai provide insight into writing Snort rules and into the deployment of this IDS/IPS.

With the end of the year inevitably approaching, it's high time to briefly reflect on 2010 and enter 2011 with new solutions and ideas for the foreseeable future. Some of them are provided by KK Mookhey in "How to get the most out of your IPS?". And the annual Conference on Nagios and OSS Monitoring is to be looked forward to.

Wishing you a wonderful Christmas,
Hakin9 Team

team
Editor in Chief: Amalia Leitner
amalia.leitner@software.com.pl
Executive Editor: Karolina Lesińska
karolina.lesinska@software.com.pl
Editorial Advisory Board: Rebecca Wynn, Michael Munt
DTP: Ireneusz Pogroszewski
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
Proofreaders: Barry McClain, Mark Lohman, Graham Hili
Top Betatesters: Rebecca Wynn, Bob Folden, Carlos Ayala, Steve Hodge, Nick Baronian, Matthew Sabin, Laszlo Acs, Jac van den Goor, Matthew Dumas, Andy Alvarado
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Łozowicka
ewa.lozowicka@software.com.pl
Production Director: Andrzej Kuca
andrzej.kuca@hakin9.org
Marketing Director: Karolina Lesińska
karolina.lesinska@hakin9.org
Subscription: Iwona Brzezik
Email: iwona.brzezik@software.com.pl
Publisher: Software Press Sp. z o.o. SK
02-682 Warszawa, ul. Bokserska 1
Phone: 1 917 338 3631
www.hakin9.org/en
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.
To create graphs and diagrams we used program by
BASICS

6 Notes of the Network Administrator
by Doug Chick
I recently used SNORT and another program I like, EtherApe, to detect a major intrusion on my network. Within minutes millions of people were on my private fiber network. Once I isolated the problem I immediately contacted my Internet provider. Like many ISPs they denied it and recommended I look at my routing tables. If you are a network manager then you know that in very many cases you must provide proof to your ISP before they are willing to provide you with support. In this case I recorded the event, showing that there were hundreds of thousands, perhaps even a million, people passing traffic on my network. I sent the logs and a video of my SNORT and EtherApe displays by email to the ISP. I then shut down the two interfaces on my router and waited for a return call. The call came quickly too.

The editors use automatic DTP system
Mathematical formulas created by Design Science MathType™

DISCLAIMER!
The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

SNORT www.hakin9.org
 
CONTENTS
8 Writing Snort Rules
by Kishin Fatnani
Though Snort can also be used for packet logging, sniffing or as an IPS, in this article we will look more into the concept of rules, by which Snort detects traffic that is interesting to us: basically the kind of traffic we are looking for, like a network attack, a policy violation or maybe traffic from a network application or device that you are troubleshooting.
30 Content Modifiers: Keep it Specific
by Joel Esler
Without going off the deep end here and discussing every single Snort rule keyword, I just wanted to touch on a few modifiers that people sometimes misunderstand. These modifiers are not keywords in themselves, but rather they apply as modifiers to another keyword. That keyword is content. The content keyword is one of the easiest pieces of the Snort rules language, as all it does is look for a particular string. The modifiers that I am talking about are: 1. offset, 2. depth, 3. distance, 4. within, 5. nocase, 6. http_uri, 7. rawbytes.
by Luca Deri
Collecting and exploring monitoring data is becoming increasingly challenging as networks become larger and faster. Solutions based on both SQL databases and specialized binary formats do not scale well as the amount of monitoring information increases. In this article I would like to approach the problem by using a bitmap database that allows the implementation of an efficient solution for both data collection and retrieval. NetFlow and sFlow are the current standards for building traffic monitoring applications. Both are based on the concept of a traffic probe (or agent, in sFlow parlance) that analyses network traffic and produces statistics, known as flows, which are delivered to a central data collector. As the number of flows can be extremely high, both standards use sampling mechanisms in order to reduce the workload on both the probe and the collectors.
DEFENSE
34 Deploying Snort as WAF (Web Application Firewall)
by Shivang Bhagat and Rishita Anubhai
In today's environment, web applications are becoming a popular attack point for attack agents. An attack agent can be a human attacker or an automated worm; it tries to find vulnerabilities over HTTP(S) and exploit them when given the opportunity. The web application landscape is also changing and more complexity is being added, which provides openings for vulnerabilities and possible exploitation. HTTP traffic is no longer restricted to name-value pairs and traditional HTML only; it has evolved with Web 2.0 and RIA and now carries JSON, AMF, XML and various other structures. It has become a platform for hosting and using robust, advanced business applications. It is imperative to secure business applications against all possible attack vectors and to maintain security of information and access. In this article we will try to understand Snort from an HTTP standpoint and how we can use it to protect applications against some of the popular attack vectors like XSS or SQL injection.
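Added example, not code from this issue and not Snort's own source: a small Python model of the content modifiers listed in Joel Esler's article (offset, depth, distance, within, nocase, http_uri), run against a constructed HTTP request of the kind the WAF article targets, so it serves both abstracts. It assumes Snort 2's windowing rules: depth is counted from offset, within is counted from the position distance selects, and relative modifiers refer to the end of the previous match in the same buffer. http_uri is modelled as percent-decoding the request URI, a simplification of what the http_inspect preprocessor does; rawbytes is not modelled. The names Content, find_content, match_rule, PAYLOAD, SQLI_IN_URI and SQLMAP_UA are the example's own, and the request is constructed, not captured traffic.

```python
"""Toy model of Snort content-modifier semantics (added example, not Snort code)."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote_to_bytes


@dataclass
class Content:
    pattern: bytes
    offset: int = 0                 # absolute: start searching this far into the buffer
    depth: Optional[int] = None     # absolute: search only this many bytes from offset
    distance: Optional[int] = None  # relative: skip this many bytes after the previous match
    within: Optional[int] = None    # relative: match must lie within this many bytes
    nocase: bool = False            # case-insensitive comparison
    http_uri: bool = False          # match the normalised URI buffer, not the raw payload

    @property
    def relative(self) -> bool:
        # As in Snort, the presence of distance or within makes a content relative.
        return self.distance is not None or self.within is not None


def http_uri_buffer(payload: bytes) -> bytes:
    """Return the percent-decoded URI from an HTTP request line, or b'' if absent.

    Assumption: http_inspect's normalisation is reduced to percent-decoding here.
    """
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 3:
        return b""
    return unquote_to_bytes(parts[1])


def find_content(buf: bytes, c: Content, prev_end: Optional[int]) -> Optional[int]:
    """Search buf for c inside the window its modifiers select.

    Returns the index one past the end of the match (the cursor the next
    relative content starts from), or None if the content does not match.
    """
    if c.relative:
        base = prev_end if prev_end is not None else 0
        start = base + (c.distance or 0)
        end = len(buf) if c.within is None else start + c.within
    else:
        start = c.offset
        end = len(buf) if c.depth is None else start + c.depth
    if start < 0 or start > len(buf):
        return None
    window = buf[start:end]
    pat = c.pattern
    if c.nocase:
        window, pat = window.lower(), pat.lower()
    i = window.find(pat)
    if i < 0:
        return None
    return start + i + len(pat)


def match_rule(contents: List[Content], payload: bytes) -> bool:
    """Evaluate an ordered list of content matches against one packet payload."""
    buffers = {"raw": payload, "uri": http_uri_buffer(payload)}
    last_end = {"raw": None, "uri": None}  # relative matches are tracked per buffer
    for c in contents:
        name = "uri" if c.http_uri else "raw"
        end = find_content(buffers[name], c, last_end[name])
        if end is None:
            return False
        last_end[name] = end
    return True


# Constructed sample request (not captured traffic): a SQL injection probe.
PAYLOAD = (
    b"GET /login.php?user=admin'%20OR%20'1'%3D'1&pass=x HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"User-Agent: sqlmap/1.4\r\n"
    b"\r\n"
)

# Content lists in the spirit of the WAF-style rules the article describes.
SQLI_IN_URI = [
    Content(b"GET", depth=3),                         # request method in the first 3 bytes
    Content(b"' or '", nocase=True, http_uri=True),   # only visible once %20 is decoded
]
SQLMAP_UA = [
    Content(b"User-Agent: "),
    Content(b"sqlmap", distance=0, within=6, nocase=True),  # must follow immediately
]

if __name__ == "__main__":
    print("SQLi in URI :", match_rule(SQLI_IN_URI, PAYLOAD))
    print("sqlmap agent:", match_rule(SQLMAP_UA, PAYLOAD))
```

Running it, the URI rule fires only because the quoted OR is matched in the decoded URI buffer; the same content without http_uri misses the %20-encoded form, which is the usual reason a hand-written injection rule is silent in production. Tightening within to 5 makes the sqlmap rule miss, showing that within bounds the whole pattern, not just its first byte.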
ADVANCED
18 Improving your custom Snort rules
by Leon Ward
While it is easy to create a custom Snort rule, do you know if you are actually making a good one or not? This article introduces some common mistakes I find in custom Snort rules and the potential implications of those mistakes. The Snort IPS engine has changed substantially over the last ten years. Packet processing speed has improved, IP defragmentation and stream reassembly functions have evolved, the connection and state tracking engine has matured, but there is one thing that keeps getting left behind: custom rule-sets. With each revision of Snort new features are added that enhance the detection capability and aid the packet processing performance of the Snort engine.
How to get the most out of your IPS?
by K. K. Mookhey
Picture this: a multi-billion dollar global telecom giant has invested millions of dollars into building a state-of-the-art Security Operations Center. They have a huge display screen being monitored 24/7 by a team of specialists who, so we are told, have received extensive training in the specific technologies used, as well as in the overall incident management framework. They've deployed a high-end intrusion prevention system (IPS) which feeds into their Security Incident Management (SIM) system. A review of the procedures and of the Service Level Agreement (SLA) the SOC team signed with the rest of the business reveals that they are ready to respond 24/7 and have committed to responding within 2 hours of any serious attack. On paper it all looks impressive and too good to be true.
24 An Unsupervised IDS False Alarm
Reduction System – SMART
by Gina Tjhai and Maria Papadaki
Signature-based (or rule-based) network IDSs are widely used
in many organisations to detect known attacks (Dubrawsky,
2009). A common misconception about IDSs is that they are
Plug-and-Play devices that can be installed and then allowed
to run autonomously. In reality, this is far from the truth.
 
TOOLS

up.time IT Systems Management Review

When it comes to the performance and availability of your IT infrastructure and applications, deep and easy-to-use monitoring is a must.

Today, monitoring and reporting is more complex than ever, as applications and services span many environments (cloud, virtual and physical) and infrastructures (Windows, UNIX, Linux, VMware, etc.). Additionally, IT infrastructure is now global and monitoring from one tool, instead of many point tools, is essential to drive down costs while increasing performance.

up.time's Single Pane of Glass dashboard provides a deep, easy-to-use, affordable and complete IT systems management and monitoring solution designed for mid-enterprise companies. Every license in up.time's comprehensive, cross-platform management and monitoring suite includes unlimited access to:
• Server Monitoring
• Virtual Server Monitoring
• Cloud Monitoring
• Co-Location Monitoring
• Network Monitoring
• SLA Monitoring & Management
• Virtualization & Consolidation
• Capacity Planning
• Application Monitoring
• Application Transaction Monitoring
• Proactive Outage Avoidance
• IT Process Automation

$395 per Windows Server
$695 per UNIX Server
$695 per ESX Server (no charge per instance or VM)
All-in-One: No additional charges for modules or applications.
URL: http://www.uptimesoftware.com/

One of the highly beneficial capabilities of the up.time suite is access to Service Level Management. Most departments require SLAs (Service Level Agreements) for their equipment and applications. up.time makes it very easy to define and document agreed SLAs, then link them through to the appropriate infrastructure service. up.time also provides the ability to automate responses to issues, removing the possibility of human error while greatly decreasing the Mean-Time-To-Repair. In fact, up.time goes a step further and lets administrators proactively automate responses based on thresholds, allowing up.time to solve problems before they happen. It's not just physical, virtual and cloud-based servers that up.time monitors; it also provides application and application transaction monitoring across Email, CRM, ERP, Web, and even custom applications (including any 3rd party commercial software or in-house developed applications).

In addition to all of the above, up.time is extremely advanced in its reporting. This area is a major asset of the up.time suite and it is immediately apparent that the reporting has had a good deal of thought and time spent on it. The reporting is both deep and very easy to create. Administrators can generate and save reports in different formats and quickly send them (or set up automated daily, weekly or monthly sends) via email to a single user or an entire group.

When we say up.time is easy to use, we really mean it. Installation of up.time was a dream: very simple, straightforward and easy to do. The entire process only takes a few mouse clicks. If you decide to go with the VMware appliance option, this is even easier, as it comes as a pre-installed appliance that can be imported into any virtual infrastructure.

Managing the monitored environment is achieved through a web portal which is simple, clean and easy to read (unlike other monitoring solutions that appear to have far, far too many menus and options). Once you enter a small amount of information, the 'My Portal' home page is displayed. This page provides a summary list of the current alerts that you have configured, together with saved reports and support links. All the tutorials are web based and, again, very clean and concise. The end result is that you are up and running with this product very quickly.

Everything about the product screams simplicity and yet it's extremely deep in its monitoring and reporting capabilities. Compared to other tools, up.time is very refreshing. It's certainly powerful enough for large enterprises to monitor over 5,000 servers and applications globally, and yet it's affordable for the small and mid enterprise companies to monitor between 25 and 500 servers and applications. The help documentation is included and available through your browser locally on the server.

up.time uses one of the friendliest licensing models in the industry, with its per-physical-server licensing across the board, even in virtual environments. All you need to do is count the number of physical servers you want to monitor, and that's it. Everything is included: no modules, hidden extras, application charges or management packs.

There is so much depth to this product that I can't comment on it all within the scope of this article. If this sounds interesting, up.time makes trying it for yourself incredibly easy. I suggest downloading the trial and taking it for a test drive. I think you'll be as impressed as I was. In fact, this product is so good, I'm starting to recommend that my clients review their monitoring needs and consider trialing up.time.

MICHAEL MUNT