Managing Security with Snort & IDS Tools (Paperback) - Common
Format: PDF / Kindle (mobi) / ePub
This practical guide to managing network security covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them.
comes with ethereal and includes many of the same features. The manpages for the two programs are nearly identical. Tethereal captures and reads data the same way as ethereal, but can be run remotely on any machine, including machines without an X Window interface. Like ethereal, Tethereal must be run as root in order to have access to all command-line functions. Here is the output from a Tethereal packet capture session: # tethereal Capturing on eth0 0.000000 00:d0:bc:ed:15:e4 ->
machine, in turn, infects other systems. Many times the inconvenience is not the impact on the infected systems, but the impact on the network. The SQL Slammer worm caused many networks to become completely saturated with the 404-byte UDP packets (the entire worm was contained in a single UDP packet!). The worms are getting faster, too. The Code Red worm took about 13 hours to infect 90 percent of the hosts it would eventually affect. SQL Slammer took 10 minutes to do the same thing! This speed
Secure/Rabid 80/tcp open http Apache httpd 1.3.28 ((Unix) PH 168 110/tcp open pop3 UW Imap pop3 server 2001.78rh 6000/tcp open X11 (access denied) Device type: general purpose Running: Linux 2.4.X|2.5.X OS details: Linux Kernel 2.4.0 - 2.5.20 Uptime 9.486 days (since Mon Sep 8 07:56:31 2003) Nmap run completed -- 1 IP address (1 host up) scanned in Nmap scans are useful for testing Snort installations. By default, Nmap is fairly noisy and easily detectable. Most Nmap scans readily show up in
that calls back to an attacker, giving the attacker a point of presence inside your network. An entire class of rules exist to watch for Trojan horse traffic. 184 Some of the most useful Snort signatures do not actually trigger on an attack attempt, but on the traffic generated by a successfully attacked host. For instance, an attack is launched against a Windows web server that attempts to trick it into returning a directory listing of the web root. One Snort rule watches for the string "The
system watches for unauthorized activity on an individual system. If someone manages to compromise the same server using a fragmentation attack, you might be able to figure out what happened after the fact by looking at logs, but you might not—and at that point, it is too late. While it is too optimistic to talk about "real-time" intrusion detection, it is extremely important that an IDS detect attacks early, before any damage can be done, and that it send notifications to you and to a secure