Duration: 10 Hours
This course is for those who want to learn how to build a Snort IDS/IPS from scratch using many of the open source tools and plug-ins available to help manage, tune and deliver feedback on suspicious activity in your networks. Hands-on labs with fully documented instructions help students construct solid, secure Snort installations and understand the inner workings of the premier open source IDS/IPS available today. Students will also learn how to fine-tune and configure Snort, in addition to creating custom rules and learning techniques for optimizing rules.
Can you really trust your security framework to a single component, say a firewall? Also, is it good enough to know only what you want to protect?
How about awareness of the threats to your environment: do you consider it important? Can you possibly build defenses against attacks without knowing the nature and methods of your enemy?

How can you detect signs of an intrusion into your network before damage is done?
Before you fall for Snort and then get stuck on deployment, you may want to consider the following as guidelines:
- To start with, what do you consider an intrusion?
- We do agree that the benefits of detecting an intrusion early enough are undeniable. However, there may be some real challenges. Any clue?
- You know what: exploits on the internet are real. If your thoughts are, “what is the anatomy of an attack, and how can you possibly use that knowledge to your network’s advantage”, then you must be a clever chap.
- Does it really matter to know how systems on a network communicate, the make-up of a packet, how to interpret logs and possibly how to identify suspicious packets?
- Why should you consider Snort as the right candidate for your NIDS?
- Having Snort installed and running may not be much of an issue, but how do you tailor it to suit your environment, assess its intelligence and even more?
- Being able to detect an exploit early enough with the help of Snort as your NIDS sounds great for a start, but can you have Snort do more? Say, function as an Intrusion Prevention System (IPS)? If so, how?
- The promise of an IPS is very attractive, but there are some risks that may not be obvious at first glance. Are those risks worth considering when planning the deployment of Snort as an IPS?
Target Audience
Network administrators, security administrators, security consultants and others who are responsible for deploying open source intrusion prevention and detection sensors in their organizations.

Prerequisites
This course assumes that students have a technical understanding of TCP/IP networking and network architecture. Proficiency with Linux and UNIX text editing tools (the vi editor) is suggested but not required.

Course Outline
UNIT 1: Installation
Peruse the LinuxCBT Security Edition classroom network topology
Download Snort
Import the GPG/PGP public key and verify package integrity
Identify & download key Snort dependencies
Install current libpcap - Packet Capture Library
Establish security configuration baseline
UNIT 2: Sniffer Mode
Discuss sniffer mode concepts & applications
Sniff IP packet headers - layer-3/4
Sniff data-link headers - layer-2
Sniff application payload - layer-7
Sniff application payload, IP packet headers and data-link headers together - all layers except physical
Examine packets & packet loss
Sniff traffic traversing interesting interfaces
Sniff clear-text traffic
Sniff encrypted streams
UNIT 3: Logging Mode
Discuss logging mode concepts & applications
Log traffic using default PCAP/TCPDump format
Log traffic using ASCII mode & examine output
Discuss directory structure created by ASCII logging mode
Control verbosity of ASCII logging mode & examine output
Enhance packet logging analysis by defaulting to binary logging
Discuss default nomenclature for binary/TCPDump files
Alter binary output options
Use Snort NIDS to read binary/TCPDump files
UNIT 4: Berkeley Packet Filters (BPFs)
Explain the advantages to utilizing BPFs
Discuss BPF directional, type, and protocol qualifiers
Identify clear-text based network applications and define appropriate BPFs
Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
Log to the active pseudo-terminal console and examine the packet flows
Combine BPF qualifiers to increase packet-matching capabilities
Use logical operators to define more flexible BPFs
Read binary TCPDump files using Snort & BPFs
Execute Snort NIDS in logging/daemon mode
UNIT 5: Network Intrusion Detection System (NIDS) Mode
Discuss NIDS concepts & applications
Prepare /etc/snort - configuration directory for NIDS operation
Explore the snort.conf NIDS configuration file
Discuss all snort.conf sections
Download & install community rules
Execute Snort in NIDS mode with TCPDump compliant output plugin
Download & install Snort Vulnerability Research Team (VRT) rules
Compare & contrast community rules to VRT rules
UNIT 6: Output Plugin - Barnyard Configuration
Discuss features & benefits
Configure Syslog based logging and examine results
Configure Snort to log sequentially to multiple output locations
Implement unified binary output logging to enhance performance
Discuss concepts & features associated with post-processing Snort logs
Download and install current barnyard post-processor
Use barnyard to post-process logs to multiple output destinations
UNIT 7: BASE - MySQL® Implementation
Discuss benefits of centralized console reporting for 1 or more Snort sensors
Re-compile Snort on both sensors to support MySQL logging
Configure MySQL on Database Management System (DBMS) Host
Implement Snort database schema on DBMS Host
Configure Snort to log output to MySQL DBMS Host
Confirm output logging to the MySQL DBMS Host
Prepare DBMS Host for BASE console installation
Install BASE and complete schema extension
Peruse BASE interface
UNIT 8: Rules Configuration & Updates
Discuss the concept of rules as related to Snort NIDS
Examine Snort rule syntax
Peruse pre-defined Snort rules
Download & configure oinkmaster to automatically update Snort rules
Confirm oinkmaster operation
Labs you can’t wait to get your hands on

Practice LABS
Installing Snort from source on Linux
Generating real-time alerts
Sending Snort logs to MySQL
Managing Snort sensors with ACID
Setting up Snort as an IPS using flexible response, SnortSAM and the Snort Inline patch plug-ins
Detecting stateless attacks and stream reassembly
Detecting fragmentation attacks and fragmentation reassembly
Detecting HTTP evasion attacks
Decoding application traffic
Getting performance metrics
Building Snort rules and tips on writing effective Snort rules
Testing Snort rules