% $Id: faq.tex,v 1.11 2007/04/30 18:32:03 ssturges Exp $
%latex2html -info 0 -local_icons -show_section_numbers -link 2 -split +1 faq.tex
\documentclass{article}
\usepackage{html}
\usepackage{graphicx}
\usepackage{fancyheadings}
\usepackage{makeidx}

%% Margins
\oddsidemargin 0in
\evensidemargin 0in
\textwidth 6.5in
\topmargin 0in
\textheight 8in

\setlength{\parindent}{0in}
\setlength{\parskip}{.5\baselineskip}

\pagestyle{fancy}
\lhead{ {\sc Snort FAQ} }
\cfoot{ {\sc feed the pig}}
\rhead{Page \thepage}

\newcommand{\myref}[1]{(see FAQ \ref{#1})}
\newcommand{\myquote}[1]{\begin{quote}#1\end{quote}}

%\label{key} assign current counter value to key
%\myref{key}{print value assigned to key}

% To emphasise
% {\em blah}
% To bold
% {\bf bold face }
% The following characters are special characters and need to be backslashed
% before use:
% $ & % # _ { }
%
% To get a backslash, try $\backslash$

\makeindex

\begin{document}

\title{ The Snort FAQ }
\author{ The Snort Core Team }
\date{ }

% Title Page
\maketitle
\newpage

Suggestions for enhancements of this document are always welcome. Please email them to the \htmladdnormallink{Snort-Users}{mailto:snort-users@lists.sourceforge.net} mailing list.
Many people have contributed to this FAQ:

\begin{center}
\begin{tabular}{llll}
Marty Roesch & Fyodor Yarochkin & Dragos Ruiu & Jed Pickel\\
Max Vision & Michael Davis & Joe McAlerney & Joe Stewart\\
Erek Adams & Roman Danyliw & Christopher Cramer & Frank Knobbe\\
Phil Wood & Toby Kohlenberg & Ramin Alidousti & Jim Hankins\\
Dennis Hollingworth & Paul Howell & Stef Mit & Ofir Arkin\\
Jason Haar & Blake Frantz & Lars Norman S{\o}ndergaard & Brent Erickson\\
Brian Caswell & Scot Wiedenfeld & Chris Green & Jeff Wirth\\
Edin Dizdarevic & Detmar Liesen & Don Ng & Matt Kettler\\
Joe Lyman & Jim Burwell & Jed Haile & Andrew Hutchinson\\
Jeff Nathan & Alberto Gonzalez & Jason Haar & Jeremy Hewlett
\end{tabular}
\end{center}

If you do not see your name on this list and you have contributed to the FAQ, please email \htmladdnormallink{bmc@snort.org}{mailto:bmc@snort.org}.

Dragos Ruiu: This version of this guide has been brought to you by the kind generosity and sponsorship of Wiley and Sons publishers, whose support let myself and other Snort developers Jeff Nathan and Jed Haile take the time to work on this document and other tutorials for Snort due out in our upcoming book. (route++)

\newpage
\begin{latexonly}
\tableofcontents
\newpage
\end{latexonly}

\section{Background}

\subsection{How do you pronounce the names of some of these guys who work on Snort?}

For the record, `Roesch' is pronounced like `fresh' without the `f.' Additionally, `Ruiu' is pronounced like `screw you' without the `sc.' Jed's last name is like `pick-el,' not `pickle.'

\subsection{Is Fyodor Yarochkin the same Fyodor who wrote nmap?}

Nope. fyodor@insecure.org is the author of nmap, and he uses the same pseudonym as the other Snort Fyodor's real surname. Yeah, it messes up my mailbox too, but I think it's too late to change either of them.

\subsection{Where do I get more help on Snort?}

Check the website, \htmladdnormallink{http://www.snort.org/}{http://www.snort.org/}.
Other good resources are available in the source distribution, including the \htmladdnormallink{Snort Users Manual}{http://www.snort.org/doc/SnortUsersManual.pdf} and the USAGE file. There is also an excellent mailing list, snort-users. You can find info on how to sign up at \htmladdnormallink{http://www.snort.org/lists.html}{http://www.snort.org/lists.html}. You can also join \#snort on irc.freenode.net.

\subsection{Where can I get more reading and courses about IDS?\label{courses}}

All of the following offer courses on Intrusion Detection:

\begin{itemize}
\item \htmladdnormallink{SANS (http://www.sans.org)}{http://www.sans.org}
\item \htmladdnormallink{Usenix (http://www.usenix.org/event/)}{http://www.usenix.org/event/}
\item \htmladdnormallink{Networld/Interop (http://www.key3media.com/interop/)}{http://www.key3media.com/interop/}
\item \htmladdnormallink{CanSecWest (http://www.cansecwest.com)}{http://www.cansecwest.com}
\end{itemize}

There are many good books on Intrusion Detection. Here are just a few:

\begin{tabular}{|p{2in}|p{1.5in}|l|l|}
\hline
{\bf Title} & {\bf Author(s)} & {\bf Publisher} & {\bf ISBN}\\
\hline\hline
Snort 2.1 Intrusion Detection, Second Edition & Brian Caswell \& Jay Beale & Syngress Publishing & 1931836043 \\
\hline
The Tao of Network Security Monitoring: Beyond Intrusion Detection & Richard Bejtlich & Addison-Wesley & 0321246772 \\
\hline
Intrusion Detection with Snort: Advanced IDS Techniques & Rafeeq Rehman & Prentice Hall & 0131407333 \\
\hline
Snort Intrusion Detection & Ryan Russell & Syngress Media & 1931836744 \\
\hline
Snort Intrusion Detection & Jack Koziol & New Riders & 157870281X \\
\hline
Network Intrusion Detection: An Analyst's Handbook & Stephen Northcutt & New Riders & 0735708681 \\
\hline
Intrusion Signatures and Analysis & Stephen Northcutt & New Riders & 0735710635 \\
\hline
TCP/IP Illustrated, Volume 1: The Protocols & W. Richard Stevens & Addison-Wesley & 0201633469 \\
\hline
Intrusion Detection & Rebecca G. Bace & MacMillan Technical Publishing & 1578701856 \\
\hline
\end{tabular}

\subsection{Does Snort handle IP defragmentation?}

Yes, use {\tt preprocessor frag3}.

\subsection{Does Snort perform TCP stream reassembly?}

Yes, check out the stream4 preprocessor \myref{stream4}, which does stateful analysis, session logging, TCP reassembly and much, much more.

\subsection{Does Snort perform stateful protocol analysis?}

Yes. Stream4 does this as well. See \myref{stream4}.

\subsection{I'm on a switched network, can I still use Snort?}

{\bf Short version:}

Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.

{\bf Extended version:}

There are several ways of deploying NIDS in switched environments, which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods:

\begin{enumerate}
\item {\bf Switch mirror:} If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.
  \begin{itemize}
  \item Advantages:
    \begin{itemize}
    \item Simple method, works with most decent switches.
    \end{itemize}
  \item Drawbacks:
    \begin{itemize}
    \item If the switch is a Fast Ethernet switch, you can mirror 100Mbit/s max. Since each switch port is capable of handling 100Mbit/s in each direction, the bandwidth per port sums up to 200Mbit/s, so the switch will not be able to mirror all packets at high network utilization.
    \item Some switches suffer from performance degradation through port mirroring.
    \end{itemize}
  \end{itemize}
\item {\bf Hub:} Insert a hub in line, so you can simply tap all traffic.
Works fine for home networks, but will lose data due to collisions at loads greater than 50\%---so a 10Mbps hub should be fine for T1/E1, DSL or cable modem. If you have a DS3 or greater, you should investigate taps.
  \begin{itemize}
  \item Advantages:
    \begin{itemize}
    \item Simple method
    \item No impact on switch performance and no config changes
    \item Low cost
    \end{itemize}
  \item Drawbacks:
    \begin{itemize}
    \item Loss of full-duplex capabilities
    \item Additional single point of failure
    \item Collision loss at above 50\% load levels
    \end{itemize}
  \end{itemize}
\item {\bf Network taps:} Use network taps (e.g. Shomiti/Finisar [\htmladdnormallink{http://www.shomiti.com}{http://www.shomiti.com}] and Netoptics [\htmladdnormallink{http://www.netoptics.com}{http://www.netoptics.com}]). You can find some rather good information in the papers by Jeff Nathan, available at \htmladdnormallink{http://www.snort.org/docs/\#deploy}{http://www.snort.org/docs/\#deploy}.
  \begin{itemize}
  \item Advantages:
    \begin{itemize}
    \item No impact on switch performance and no special configuration
    \item Stealth---i.e., sending data back to the switch is disabled
    \item No single point of failure, ``fail-open'' if the tap power fails
    \end{itemize}
  \item Drawbacks:
    \begin{itemize}
    \item The datastream is split into TX and RX, so you need two NICs
    \item The two datastreams have to be recombined, i.e. merged, if you don't want to lose the capability of doing stateful analysis. This can be done by using channel bonding. Information can be found at \htmladdnormallink{http://sourceforge.net/projects/bonding}{http://sourceforge.net/projects/bonding}.
    \item Cost
    \end{itemize}
  \end{itemize}
\item {\bf Throw money at it:} Tap switch ports (using the aforementioned network taps) but only tap the incoming packets (RX lines of the switch ports), connecting those tap ports to a dedicated gigabit switch, which is capable of mirroring up to ten RX tap lines to one single dedicated gigabit port, which is connected to a gigabit IDS machine.
  \begin{itemize}
  \item Advantages:
    \begin{itemize}
    \item Maximum coverage (i.e. monitor all switch ports)
    \item No performance degradation or re-configuration of the switch
    \end{itemize}
  \item Drawbacks:
    \begin{itemize}
    \item Mucho \$\$\$
    \end{itemize}
  \end{itemize}
\end{enumerate}

\subsection{Is Snort vulnerable to IDS noise generators like ``Stick'' and ``Snot''?}

It is now possible to defeat these kinds of noise generators with the stream4 preprocessor \myref{stream4}. Even without the stream4 preprocessor enabled, Snort will weather the alert storm without falling over or losing a lot of alerts, due to its highly optimized nature. Using tools that generate huge amounts of alerts will warn a good analyst that someone is trying to sneak by their defenses.

\subsection{Can Snort be evaded by the use of polymorphic mutators on shellcode?}

Yes, and this could defeat some of the NOP sled detection signatures, but the ordinary exploit rules should not be affected by this kind of obfuscation. The fnord preprocessor attempts to detect polymorphic shellcode attempts.

\subsection{Does Snort log the full packets when it generates alerts?}

Yes, the packets should be in the directory that has the same IP address as the source host of the packet which generated the alert. If you are using binary logging, there will be a packet capture file (.pcap) in the logging directory instead.
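As an added configuration example (not from the Snort distribution's snort.conf or from the original FAQ), the following fragment ties together the frag3, stream4 and Stick/Snot answers above: frag3 for IP defragmentation with a per-host reassembly policy, stream4 for stateful inspection and TCP reassembly, and a rule restricted with flow:established, which is why stateless noise generators such as Stick and Snot do not trigger it. The network range, memory caps, timeout and the sid are assumed values chosen for illustration; tune them to your own link and memory.

```snort
# Added example snort.conf fragment. The network below is a constructed
# sample; replace it with the segment your sensor actually watches.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# IP defragmentation (frag3). One global memory budget, then one engine
# per host population. The policy tells frag3 how to resolve overlapping
# fragments, so it should match the stacks it protects (bind_to), with a
# catch-all engine for everything else. Values are illustrative.
preprocessor frag3_global: max_frags 65536, memcap 4194304
preprocessor frag3_engine: policy linux, bind_to 192.168.1.0/24, detect_anomalies
preprocessor frag3_engine: policy first, detect_anomalies

# Stateful TCP inspection and reassembly (stream4). With state tracking
# on, Snort knows which packets belong to a session that completed the
# three-way handshake; everything else is noise as far as
# flow:established rules are concerned. Timeout and memcap are illustrative.
preprocessor stream4: detect_scans, disable_evasion_alerts, timeout 60, memcap 67108864
preprocessor stream4_reassemble: both, ports default

# Constructed rule (local sid range, not a distribution rule): the
# flow:to_server,established option means a forged, single, unsolicited
# packet carrying "GET" cannot fire it; only data inside a tracked
# client-to-server session can.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE HTTP request inside established session"; flow:to_server,established; content:"GET"; depth:3; classtype:misc-activity; sid:1000001; rev:1;)
```

Run Snort with `-c` pointing at a file containing this fragment plus your rule includes, and compare the alert count against a run with the stream4 lines commented out while a noise generator is replayed in a lab: the flow:established rule should stay quiet in the first case and fire on every forged packet in the second.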
\section{Getting Started}

\subsection{Where do I find binary packages for BlueHat BSD-Linux-RT?}

Repeat after me:

\begin{verbatim}
wget http://www.snort.org/downloads/snort-stable.tgz
tar zxvf snort-stable.tgz
cd snort-stable
./configure
make
su
make install
mkdir /var/log/snort
cd etc
vi snort.conf
snort -D -c snort.conf
exit
\end{verbatim}

...and if you want to use our binary package uninstaller :-):

\begin{verbatim}
cd snort-stable; make uninstall
\end{verbatim}

And if you must, you can find some binaries at \htmladdnormallink{http://www.snort.org/dl/binaries/}{http://www.snort.org/dl/binaries/}. You can also find Snort in most BSD ports' trees.

\subsection{How do I run Snort?}

Run Snort in sniffer mode and make sure it can see the packets.

\begin{verbatim}
snort -dv
\end{verbatim}