Snort IDS & IPS Toolkit

www.syngress.com
Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.
SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).
ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.
DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.
SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.
SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at for more information.


CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at for more information.
Visit us at
Snort® IDS and IPS Toolkit

Jay Beale's Open Source Security Series

Featuring Jay Beale and Members of the Snort Team
Andrew R. Baker
Joel Esler

Raven Alder • Dr. Everett F. (Skip) Carter, Jr. • James C. Foster • Matt Jonkman • Raffael Marty • Eric Seagren

Toby Kohlenberg, Technical Editor

Foreword by Stephen Northcutt, President, The SANS Technology Institute

Network Attack Examples
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.
Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Syngress Publishing, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.
Snort and the Snort logo are registered trademarks of Sourcefire, Inc.
KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 854HLM329D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T
PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Dr.
Burlington, MA 01803
Snort Intrusion Detection and Prevention Toolkit
Copyright © 2007 by Syngress Publishing, Inc. All rights reserved. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.
ISBN-10: 1-59749-099-7
ISBN-13: 978-1-59749-099-3
Sourcefire is a registered trademark of Sourcefire, Inc.
Publisher: Andrew Williams
Acquisitions Editor: Erin Heffernan
Technical Editor: Toby Kohlenberg
Page Layout and Art: Patricia Lupien
Copy Editor: Audrey Doyle
Indexer: Julie Kawabata
Cover Designer: Michael Kavish
For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director, at Syngress Publishing; email m.peder or call 781-359-2450.
Acknowledgments
A special thanks to Marty Roesch and the rest of the Snort developers for all their efforts to maintain Snort: Erek Adams, Andrew R. Baker, Brian Caswell, Roman D., Chris Green, Jed Haile, Jeremy Hewlett, Jeff Nathan, Marc Norton, Chris Reid, Daniel Roelker, Marty Roesch, Dragos Ruiu, JP Vossen, Daniel Wittenberg, and Fyodor Yarochkin.

Thank you to Mike Guiterman, Michele Perry, and Joseph Boyle at Sourcefire for making this book possible.
Technical Editor
Toby Kohlenberg is a Senior Information Security Specialist for Intel Corporation. He does penetration testing, incident response, malware analysis, architecture design and review, intrusion analysis, and various other things that paranoid geeks are likely to spend time dealing with. In the last two years he has been responsible for developing security architectures for world-wide deployments of IDS technologies, secure WLANs, Windows 2000/Active Directory, as well as implementing and training a security operations center. He is also a handler for the Internet Storm Center, which provides plenty of opportunity to practice his analysis skills. He holds the CISSP, GCFW, GCIH, and GCIA certifications. He currently resides in Oregon with his wife and daughters, where he enjoys the 9 months of the year that it rains much more than the 3 months where it's too hot.
Contributing Authors

Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1931836086).

Raven Alder is the author of Chapters 1 and 2.
Andrew R. Baker is the Product Maintenance Manager for Sourcefire, Inc. His work experience includes the development and use of intrusion detection systems, security event correlation, as well as the use of vulnerability scanning software, network intrusion analysis, and network infrastructure management. Andrew has been involved in the Snort project since 2000. He is the primary developer for Barnyard, which he started working on in 2001 to address performance problems with the existing output plugins.

Andrew has instructed and developed material for the SANS Institute, which is known for providing information security training and GIAC certifications. He has an MBA from the R.H. Smith School of Business at the University of Maryland and a Bachelor of Science in Computer Science from the University of Alabama at Birmingham.
Andrew R. Baker is the author of Chapters 5 and 13.
Dr. Everett F. (Skip) Carter, Jr. is President of Taygeta Network Security Services (a division of Taygeta Scientific Inc.). Taygeta Scientific Inc. provides contract and consulting services in the areas of scientific computing, smart instrumentation, and specialized data analysis. Taygeta Network Security Services provides security services for real-time firewall and IDS management and monitoring, passive network traffic analysis audits, external security reviews, forensics, and incident investigation.

Skip holds a Ph.D. and an M.S. in Applied Physics from Harvard University. In addition he holds two Bachelor of Science degrees (Physics and Geophysics) from the Massachusetts Institute of Technology. Skip is a member of the American Society for Industrial Security (ASIS). He was contributing author of Syngress Publishing's book, Hack Proofing XML (ISBN: 1931836507). He has authored several articles for Dr. Dobbs Journal and Computer Language as well as numerous scientific papers and is a former columnist for Forth Dimensions magazine. Skip resides in Monterey, CA, with his wife, Trace, and his son, Rhett.
Dr. Everett F. (Skip) Carter, Jr. is the author of Chapter 12.
Joel Esler (GCIA, SnortCP, SFCP, SFCE) is a Senior Security Consultant at Sourcefire. He began his post-school career in the Army and was honorably discharged in 2003. After 6 years of service, Joel continued to work for the Department of Defense as a Security Analyst for the Regional Computer Emergency Response Team — South, contracted through Lockheed Martin Professional Services. Starting out as a Network Security Analyst, Joel developed and deployed his own IDS system, based on Snort, tcpdump, p0f, and pads throughout the Army's networks. With successful results, he quickly advanced to be the Director of Computer Defense and Information Assurance Branch of the RCERT-S, which held him responsible for many aspects of Vulnerability Scanning, IDS Deployment, and Snort Rule creation for the Army. In August of 2005, Joel left the RCERT-S to work for Sourcefire, Inc. His duties currently include installing and configuring Sourcefire and Snort deployments for customers nationwide, in addition to teaching three different Sourcefire and Snort classes. On occasion, you might even see him speaking at various user groups and conventions. In an effort to continue his growth and development, Joel recently became an Incident Handler for SANS at the Internet Storm Center, as well as a GIAC Gold Advisor responsible for assisting people through the SANS Gold certification process.

Joel would like to thank the professionals who wrote much of the Snort documentation on which a significant part of this chapter is based.
Joel Esler is the author of Chapter 6.

James C. Foster currently heads the secure development practice for a large firm near Washington D.C. Prior to this, James was the Deputy Director of Global Security Solution Development for Computer Sciences Corporation where he was responsible for the global service architecture and operations for CSC managed information security services and solutions. Additionally, he is a Fellow at the Wharton School of Business, a contributing Editor at Information Security Magazine and SearchSecurity.com. He also sits on the Mitre OVAL Board of Directors. Preceding CSC, James was the Director of Research and Development for Foundstone Inc. (acquired by McAfee) and was responsible for all aspects of product, consulting, and corporate R&D initiatives. Prior to joining Foundstone, James was the Chief Scientist and Executive Advisor with Guardent Inc. (acquired by Verisign) and an adjunct author at Information Security Magazine (acquired by TechTarget). This was all subsequent to working as Security Research Specialist for the Department of Defense. With his core competencies residing in high-tech remote management, international expansion, and product prototype development, James has helped three security companies successfully launch new commercial product offerings and reach their go-to-market strategy. James has experience in application security testing, protocol analysis, and search algorithm technology; he has conducted numerous code reviews for commercial OS components, Win32 application assessments, and reviews on commercial-grade cryptography implementations.

James is a seasoned speaker and has presented throughout North America at conferences, technology forums, security summits, and research symposiums with highlights at the Microsoft Security Summit, BlackHat USA, BlackHat Windows, MIT Wireless Research Forum, SANS, MilCon, TechGov, InfoSec World 2001, and the Thomson Security Conference. He also is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. He holds an A.S., B.S., MBA and numerous technology and management certifications.
James C. Foster is the author of Chapters 8 and 10.
Matt Jonkman has been involved in Information Technology since the late 1980s. He has a strong background in banking and network security, network engineering, incident response, and Intrusion Detection. Matt is founder of Bleeding Edge Threats (www.bleedingedgethreats.net), formerly Bleeding Snort. Bleeding Edge Threats is an open-source research community for Intrusion Detection Signatures and much more. Matt spent 5 years serving abroad in the Army before attending Indiana State University and the Rose-Hulman Institute. After several years as a general consultant he became Lead Technician for Sprint's Internal and Managed Security division. Matt then moved to the financial sector as Senior Security Engineer for a major bank and financial services corporation. Then, he worked to build Infotex, a security firm focused on Managed IPS and Vulnerability Assessment. Matt currently is the Director of Intelligence Gathering for GNTC, the Global Network Threat Center. GNTC focuses on Open Research and collaboration of many open-source projects to mitigate and discover the complex threats facing today's information systems and organizations.

Matt Jonkman is the author of Chapter 7.
Chad Keefer is the founder of Solirix, a computer network security company specializing in Information Assurance. Chad is a former developer of Sourcefire's RNA product team. Chad has over 13 years of industry experience in security, networking, and software engineering. He has worked extensively with the federal government and in a wide range of commercial industries to redefine and sharpen the current perception of security. He has also been a lead architect in this space, overseeing initiatives to redesign and build many security infrastructures. Chad holds a B.S. in Computer Science from the University of Maryland. He currently lives in Annapolis, MD with his wife and daughter.
Chad Keefer is the author of Chapter 3.
Raffael Marty (GCIA, CISSP) is the manager of ArcSight's Strategic Application Solution Team, where he is responsible for delivering industry solutions that address the security needs of Fortune 500 companies, ranging from regulatory compliance to insider threat. Raffael initiated ArcSight's Content Team, which holds responsibility for all of the product's content, ranging from correlation rules, dashboards and visualizations, to vulnerability mappings and categorization of security events. Before joining ArcSight, Raffael worked as an IT security consultant for PricewaterhouseCoopers and previously was a member of the Global Security Analysis Lab at IBM Research. There, he participated in various intrusion detection related projects. His main project, Thor, was the first approach to testing intrusion detection systems by means of correlation tables.

Raffael is a log analysis and correlation expert. He has a passion for visualization of security event data and is the author of an open source visualization tool. He has been presenting on a number of security topics at various conferences and occasions. Raffael also serves on the MITRE OVAL (Open Vulnerability and Assessment Language) advisory board, is involved in the Common Vulnerability Scoring System (CVSS) standard, and participates in various other security standards and organizations.
Raffael Marty is the author of Chapter 9.
Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has 10 years of experience in the computer industry, with the last eight years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. Since he has been working in the financial services industry, his position and responsibilities have advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks.

Eric has worked on several books as a contributing author or technical editor. These include Hardening Network Security (McGraw-Hill), Hardening Network Infrastructure (McGraw-Hill), Hacking Exposed: Cisco Networks (McGraw-Hill), Configuring Check Point NGX VPN-1/FireWall-1 (Syngress), Firewall Fundamentals (Cisco Press), and Designing and Building Enterprise DMZs (Syngress). He has also received a CTM from Toastmasters of America.

Eric is the author of Chapter 4.
Foreword

Stephen Northcutt, SANS Institute (Fellow), founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security, Second Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection, Third Edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of Chief for Information Warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer.
Series Editor

Jay Beale is an information security specialist, well known for his work on mitigation technology, specifically in the form of operating system and application hardening. He's written two of the most popular tools in this space: Bastille Linux, a lockdown tool that introduced a vital security-training component, and the Center for Internet Security's Unix Scoring Tool. Both are used worldwide throughout private industry and government. Through Bastille and his work with CIS, Jay has provided leadership in the Linux system hardening space, participating in efforts to set, audit, and implement standards for Linux/Unix security within industry and government. He also focuses his energies on the OVAL project, where he works with government and industry to standardize and improve the field of vulnerability assessment. Jay is also a member of the Honeynet Project, working on tool development.

Jay has served as an invited speaker at a variety of conferences worldwide, as well as government symposia. He's written for Information Security Magazine, SecurityFocus, and the now-defunct SecurityPortal.com. He has worked on four books in the information security space. Three of these, including the best-selling Snort 2.1 Intrusion Detection (Syngress, ISBN: 1931836043) make up his Open Source Security Series, while one is a technical work of fiction entitled Stealing the Network: How to Own a Continent (Syngress, ISBN: 1931836051).

Jay makes his living as a security consultant with the firm Intelguardians, which he co-founded with industry leaders Ed Skoudis, Eric Cole, Mike Poor, Bob Hillery and Jim Alderson, where his work in penetration testing allows him to focus on attack as well as defense.

Prior to consulting, Jay served as the Security Team Director for MandrakeSoft, helping to set company strategy, design security products, and push security into the third largest retail Linux distribution.
Contents
Foreword ... xxxiii

Chapter 1: Intrusion Detection Systems ... 1
  Introduction ... 2
  What Is Intrusion Detection? ... 2
    Network IDS ... 5
    Host-Based IDS ... 6
    Distributed IDS ... 7
  How an IDS Works ... 8
    Where Snort Fits ... 10
    Intrusion Detection and Network Vulnerabilities ... 11
    Identifying Worm Infections with IDS ... 11
    Identifying Server Exploit Attempts with IDS ... 12
    Decisions and Cautions with IDS ... 13
  Why Are Intrusion Detection Systems Important? ... 15
    Why Are Attackers Interested in Me? ... 16
    What Will an IDS Do for Me? ... 17
    What Won't an IDS Do for Me? ... 18
    Where Does an IDS Fit with the Rest of My Security Plan? ... 20
    Doesn't My Firewall Serve As an IDS? ... 20
    Where Else Should I Be Looking for Intrusions? ... 21
      Backdoors and Trojans ... 21
      Physical Security ... 22
      Application and Data Integrity ... 22
  What Else Can You Do with Intrusion Detection Systems? ... 23
    Monitoring Database Access ... 24
    Monitoring DNS Functions ... 24
    E-Mail Server Protection ... 25
    Using an IDS to Monitor My Company Policy ... 25
  What About Intrusion Prevention? ... 25
  Summary ... 27
  Solutions Fast Track ... 27
  Frequently Asked Questions ... 30

Chapter 2: Introducing Snort 2.6 ... 31
  Introduction ... 32
  What Is Snort? ... 33
  What's New in Snort 2.6 ... 35
    Engine Improvements ... 35
    Preprocessor Improvements ... 36
    Rules Improvements ... 36
  Snort System Requirements ... 37
    Hardware ... 37
      Operating System ... 38
      Other Software ... 38
  Exploring Snort's Features ... 39
    Packet Sniffer ... 41
    Preprocessor ... 41
    Detection Engine ... 42
    Alerting/Logging Component ... 44
  Using Snort on Your Network ... 47
    Snort's Uses ... 49
      Using Snort as a Packet Sniffer and Logger ... 50
      Using Snort as an NIDS ... 55
    Snort and Your Network Architecture ... 55
      Snort and Switched Networks ... 59
    Pitfalls When Running Snort ... 60
      False Alerts ... 61
      Upgrading Snort ... 61
  Security Considerations with Snort ... 62
    Snort Is Susceptible to Attacks ... 62
    Securing Your Snort System ... 63
  Summary ... 65
  Solutions Fast Track ... 65
  Frequently Asked Questions ... 67

Chapter 3: Installing Snort 2.6 ... 69
  Introduction ... 70
  Choosing the Right OS ... 70
    Performance ... 71
      The Operating System and the CPU ... 71
      The Operating System and the NIC ... 75
    Stability ... 76
    Security ... 77
    Support ... 77
    Cost ... 77
    Stripping It Down ... 78
      Removing Nonessential Items ... 80
    Debian Linux ... 81
    CentOS ... 82
    Gentoo ... 82
    The BSDs ... 84
      OpenBSD ... 84
    Windows ... 88
    Bootable Snort Distros ... 88
      The Network Security Toolkit As a Snort Sensor ... 89
  Hardware Platform Considerations ... 90
    The CPU ... 91
    Memory ... 91
      Memory's Influence on System Performance ... 93
      Virtual Memory ... 93
    The System Bus ... 93
      PCI ... 94
      PCI-X ... 95
      PCI-Express ... 95
      Theoretical Peak Bandwidth ... 96
      Dual vs. Single Bus ... 96
    The NIC ... 96
    Disk Drives ... 98
  Installing Snort ... 98
    Prework ... 99
      Installing pcap ... 99
      Installing/Preparing Databases ... 99
      Time Synchronization (NTP) ... 101
    Installing from Source ... 102
      Benefits and Costs ... 102
      Compile-Time Options ... 103
    Installing Binaries ... 104
      Apt-get ... 104
      RPM ... 105
      Windows ... 106
    Hardening ... 106
      General Principles ... 106
  Configuring Snort ... 108
    The snort.conf File ... 108
    Variables ... 109
      Using Variables in snort.conf and in Rules ... 110
    Command-Line Switches ... 110
    Configuration Directives ... 114
      Snort.conf --dynamic-* Options ... 114
      Ruletype ... 114
    Plug-In Configuration ... 115
      Preprocessors ... 115
      Output Plug-Ins ... 117
    Included Files ... 118
      Rules Files ... 118
      sid-msg.map ... 119
      threshold.conf ... 119
      gen-msg.map ... 120
      classification.config ... 120
    Thresholding and Suppression ... 121
  Testing Snort ... 121
    Testing within Organizations ... 123
      Small Organizations ... 123
      Large Organizations ... 125
  Maintaining Snort ... 126
    Updating Rules ... 126
    How Can Updating Be Easy? ... 127
  Updating Snort ... 127
    Upgrading Snort ... 128
    Monitoring Your Snort Sensor ... 128
  Summary ... 129
  Solutions Fast Track ... 129
  Frequently Asked Questions ... 131

Chapter 4: Configuring Snort and Add-Ons ... 133
  Placing Your NIDS ... 134
  Configuring Snort on a Windows System ... 136
    Installing Snort ... 137
    Configuring Snort Options ... 140
    Using a Snort GUI Front End ... 146
      Configuring IDS Policy Manager ... 146
  Configuring Snort on a Linux System ... 153
    Configuring Snort Options ... 153
    Using a GUI Front-End for Snort ... 158
      Basic Analysis and Security Engine ... 159
  Other Snort Add-Ons ... 166
    Using Oinkmaster ... 166
    Additional Research ... 168
  Demonstrating Effectiveness ... 169
  Summary ... 171
  Solutions Fast Track ... 171
  Frequently Asked Questions ... 173

Chapter 5: Inner Workings ... 175
  Introduction ... 176
  Snort Initialization ... 176
    The Command Line ... 176
    Parsing the Config File ... 177
Parsing Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Housekeeping (i.e., Signal Handling) . . . . . . . . . . . . . .178
Snort Packet Processing . . . . . . . . . . . . . . . . . . . . . . . . . . .179
Packet Acquisition . . . . . . . . . . . . . . . . . . . . . . . . . . . .180
Decoding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Analyzing in the Preprocessors . . . . . . . . . . . . . . . . . . .185
Evaluating against the Detection Engine . . . . . . . . . . . .185
Logging and Alerting . . . . . . . . . . . . . . . . . . . . . . . . . .186
The Event Queue . . . . . . . . . . . . . . . . . . . . . . . . . .186

Thresholds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .187
Suppression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Tagging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .188
Inside the Detection Engine . . . . . . . . . . . . . . . . . . . . . . .189
Rule Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .189
The Content Option . . . . . . . . . . . . . . . . . . . . . . .190
The bytejump and bytetest Options . . . . . . . . . . . . .190
The PCRE Option . . . . . . . . . . . . . . . . . . . . . . . .191
The flowbits Option . . . . . . . . . . . . . . . . . . . . . . . .191
The Pattern-Matching Engine . . . . . . . . . . . . . . . . . . .192
Building the Pattern Matcher . . . . . . . . . . . . . . . . .192
Performance of the Different Algorithms . . . . . . . . .193
The Dynamic Detection Engine . . . . . . . . . . . . . . . . . . . .196
Using the Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . .196
Configuring the Engine . . . . . . . . . . . . . . . . . . . .197
Stub Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .198
The Dynamic Detection API . . . . . . . . . . . . . . . . . . . .198
The Rule Structure . . . . . . . . . . . . . . . . . . . . . . . .198
The Rule Options . . . . . . . . . . . . . . . . . . . . . . . . .200
Dynamic Detection Functions . . . . . . . . . . . . . . . . .209
Writing a Shared Object Rule . . . . . . . . . . . . . . . . . . .210
Creating the Module Framework . . . . . . . . . . . . . .211
A Simple Shared Object Rule . . . . . . . . . . . . . . . . .214
The Rule Evaluation Function . . . . . . . . . . . . . . . .219
Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . .221
Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . .223
Chapter 6 Preprocessors . . . . . . . . . . . . . . . . . . . . . . . 225

Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .226
What Is a Preprocessor? . . . . . . . . . . . . . . . . . . . . . . . . . . .226
Preprocessor Options for Reassembling Packets . . . . . . . . .227
The frag2 Preprocessor . . . . . . . . . . . . . . . . . . . . . . . .228
Configuring frag2 . . . . . . . . . . . . . . . . . . . . . . . . . .229
frag2 Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . .230
The frag3 Preprocessor . . . . . . . . . . . . . . . . . . . . . . . .231
Configuring frag3 . . . . . . . . . . . . . . . . . . . . . . . . . .233
frag3 Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . .236
The flow Preprocessor . . . . . . . . . . . . . . . . . . . . . . . . .236
Configuring flow . . . . . . . . . . . . . . . . . . . . . . . . . .236
The stream4 Preprocessor . . . . . . . . . . . . . . . . . . . . . .237
TCP Statefulness . . . . . . . . . . . . . . . . . . . . . . . . . .238
Configuring stream4 for Stateful Inspection . . . . . . .241
Session Reassembly . . . . . . . . . . . . . . . . . . . . . . . . .247
A Summary of the State Preprocessors . . . . . . . . . . . . .251
Preprocessor Options for Decoding and Normalizing Protocols . . . . . . . . . . . . .251
The Application Preprocessors . . . . . . . . . . . . . . . . . . .251
Telnet Negotiation . . . . . . . . . . . . . . . . . . . . . . . . . . .252
Configuring the telnet_decode Preprocessor . . . . . .252
telnet_decode Output . . . . . . . . . . . . . . . . . . . . . . .252
HTTP Inspect . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .253
Hex Encoding (IIS and Apache) . . . . . . . . . . . . . . .254
Double Percent Hex Encoding . . . . . . . . . . . . . . . .254
First Nibble Hex Encoding . . . . . . . . . . . . . . . . . .254
Second Nibble Hex Encoding . . . . . . . . . . . . . . . .254
Double Nibble Hex Encoding . . . . . . . . . . . . . . . .254

UTF-8 Encoding . . . . . . . . . . . . . . . . . . . . . . . . .255
UTF-8 Barebyte Encoding . . . . . . . . . . . . . . . . . .255
Microsoft %U Encoding . . . . . . . . . . . . . . . . . . . . .255
Mismatch Encoding . . . . . . . . . . . . . . . . . . . . . . . .255
Request Pipelining . . . . . . . . . . . . . . . . . . . . . . . .255
Parameter Evasion Using POST and Content-Encoding . . . . . . . . . . . . . . . . .256
Base 36 Encoding . . . . . . . . . . . . . . . . . . . . . . . . . .256
Multislash Obfuscation . . . . . . . . . . . . . . . . . . . . . .256
IIS Backslash Obfuscation . . . . . . . . . . . . . . . . . . . .256
Directory Traversal . . . . . . . . . . . . . . . . . . . . . . . . .256
Tab Obfuscation . . . . . . . . . . . . . . . . . . . . . . . . . . .257
Invalid RFC Delimiters . . . . . . . . . . . . . . . . . . . . .257
Non-RFC Characters . . . . . . . . . . . . . . . . . . . . . . .257
Webroot Directory Traversal . . . . . . . . . . . . . . . . . . . . .257
HTTP-Specific IDS Evasion Tools . . . . . . . . . . . . . . .258
Using the http_inspect Preprocessor . . . . . . . . . . . .259
Configuring the http_inspect Preprocessor . . . . . . . .259
http_inspect Output . . . . . . . . . . . . . . . . . . . . . . . . . .264
rpc_decode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .265
Configuring rpc_decode . . . . . . . . . . . . . . . . . . . . .265