Snort: Planning IDS for Your Enterprise
Snort can be run as a packet sniffer, packet logger and as an NIDS. When Snort is run as a packet sniffer, TCP/UDP/ICMP header information and application data is dumped on the standard output:
# Snort -vd
As a packet logger, Snort logs application and protocol header information to /var/log/today.log:
# Snort -dev -l /var/log/today.log
As an NIDS, Snort listens on the le0 interface and uses /etc/Snort.rules as its configuration file and runs Snort in dæmon mode:
# Snort -D -i le0 -c /etc/Snort.rules
Snort does not evaluate the rules in the order that they appear in the Snort rules file. All actions specified in the Snort rules file are evaluated in the order of Alert, Pass and Log by default. If you wish to change this order to Pass, Alert, Log, use the -o command-line flag. The -A option specifies the alert mode. There are four choices here: full, fast, none and unsock. The full, fast and none options are rather obvious. The unsock option provides Snort the ability to write to UNIX sockets where a program listening on that socket may process the alerts. Details of these options are available in the Snort man pages. With Snort alert modes, you will have the ability to specify the detail that you wish to view in your alert messages.
Be sure to validate your snort configuration. To validate, we must revisit the IDS policy. A few rules of thumb to validate your IDS are provided. Based on the IDS policy, you could launch specific tests and observe logs and alerts. For our policy listed above, we could launch Telnet, FTP and finger. You could use tools such as a scanner. Publicly available scanners, such as nmap, are good ones. Commercial scanners such as Cybercop from Network Associates and ISS scanner from Internet Security Systems can help you automate the process as well. Netcat, available from www.atstake.com/researchtools/, is another great utility. Finally, you could use several scripts written for script kiddies to launch attacks against your own infrastructure. However, tread cautiously, as running those scripts implies that you trust those scripts. Listing 2 shows a few sample alerts. It shows three common attacks: IIS Unicode attack, SYN/FIn Scan and a portscan.
First it was the sophisticated hacker, then came the script kiddy and distributed denial of service (DOS) attacks. Today's IT infrastructure and business assets are under constant threat of unauthorized access. Firewalls were the primary mechanism to shield against attacks on corporate assets during the early 1990s. Modern security architectures are increasingly including IDSes. Snort provides a very cost effective alternative to commercial IDSes.
Once compiled and installed, Snort can be run as a sniffer, packet logger and a network based IDS. Snort is easy to configure and provides multiple output modules for alerting and logging. Plugin modules developed by the Snort community further enhance Snort's ability. If you were able to get Snort up and running, watch your logs and alerts to gain insight into the type of traffic captured by Snort!
Nalneesh Gaur is a Technical Solutions Engineer with Digital Island in Dallas, Texas. He works with Fortune 500 companies to provide them with solutions in the area of content delivery and web hosting.
Practical Task Scheduling Deployment
July 20, 2016 12:00 pm CDT
One of the best things about the UNIX environment (aside from being stable and efficient) is the vast array of software tools available to help you do your job. Traditionally, a UNIX tool does only one thing, but does that one thing very well. For example, grep is very easy to use and can search vast amounts of data quickly. The find tool can find a particular file or files based on all kinds of criteria. It's pretty easy to string these tools together to build even more powerful tools, such as a tool that finds all of the .log files in the /home directory and searches each one for a particular entry. This erector-set mentality allows UNIX system administrators to seem to always have the right tool for the job.
Cron traditionally has been considered another such a tool for job scheduling, but is it enough? This webinar considers that very question. The first part builds on a previous Geek Guide, Beyond Cron, and briefly describes how to know when it might be time to consider upgrading your job scheduling infrastructure. The second part presents an actual planning and implementation framework.
Join Linux Journal's Mike Diehl and Pat Cameron of Help Systems.
Free to Linux Journal readers.Register Now!
- SUSE LLC's SUSE Manager
- My +1 Sword of Productivity
- Murat Yener and Onur Dundar's Expert Android Studio (Wrox)
- Managing Linux Using Puppet
- Non-Linux FOSS: Caffeine!
- Doing for User Space What We Did for Kernel Space
- SuperTuxKart 0.9.2 Released
- Parsing an RSS News Feed with a Bash Script
- Google's SwiftShader Released
- SourceClear Open