01_568353 ffirs.qxd 6/3/04 10:07 AM Page i
Snort™ For Dummies®
by Charlie Scott, Paul Wolfe, and Bert Hayes
Snort™ For Dummies®
Published by
Wiley Publishing, Inc.
111 River Street
Hoboken, NJ 07030-5774
Copyright ©2004 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or
by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted
under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission
of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright
Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to
the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475
Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4355, e-mail: brandreview@
wiley.com.
Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the
Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com, and related trade
dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United
States and other countries, and may not be used without written permission. All other trademarks are the
property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor
mentioned in this book.
GENERAL DISCLAIMER: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES
WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK
AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES
OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY
SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT
BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE
PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES.
IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL
PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR
DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO
IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT
MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION
OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD
BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED
BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.
For general information on our other products and services or to obtain technical support, please contact
our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax
317-572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may
not be available in electronic books.
Library of Congress Control Number: 2004102600
ISBN: 0-7645-6835-3
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
1O/SS/QW/QU/IN
About the Authors
Charlie Scott is an Information Security Analyst for the City of Austin, where
he helps maintain the City’s network security infrastructure and helps analyze
intrusion detection data. He has nearly ten years of experience in the Internet
industry and has been an avid user of open source security software that entire
time. Charlie is a Certified Information Systems Security Professional (CISSP)
and a Cisco Certified Network Professional (CCNP).
Bert Hayes is a Security Technical Analyst for the State of Texas, where he
maintains network security for a medium-sized agency. In Bert’s ten years
of IT industry experience, he has done everything from managing a corporate
IT shop during a successful IPO to performing white hat penetration tests for
corporate and government offices. He has long been a proponent of open
source solutions, and is a Red Hat Certified Engineer (RHCE).
Paul Wolfe is an independent information security consultant and author,
specializing in open source security.
Authors’ Acknowledgments
This book benefited greatly from the research and writing contribution of
Mike Erwin, an early collaborator on this project. Mike is the president and
CEO of Symbiot, Inc., a developer of an intelligent security infrastructure management
system designed to interoperate with intrusion detection systems
and other pieces of security infrastructure. Mike has fifteen years of experience
in network operations and security, has co-authored over a half-dozen
books, and is a Certified Information Systems Security Professional (CISSP).
The authors collectively bow to the developers of the myriad of security
tools covered in this book, especially Marty Roesch, for answering our questions
and creating Snort in the first place!
The authors also thank Melody Layne, Pat O’Brien, and the rest of the Wiley
team for their hard work and prodding, and our agent Carole McClendon of
Waterside Productions. They also thank Jamie Pugh of Symbiot for his incisive
technical review.
Bert dedicates his portion of the book to everyone who would rather build
his or her own system than buy one off the shelf. He also acknowledges the
unwavering love and support of his wife Kate, the loyalty of his pets, and the
wisdom of his parents.
Paul thanks Nikolaus, Lukas, Rayna, Jesse and Brenda, whose support make
his work possible (and necessary . . .). And finally, thanks to Charlie for ruling
this project with the iron grip of a dictator. Bastard.
Charlie dedicates his portion of the book to everyone who has ever had to
clean up a cracked system — may it never happen again. He thanks his wonderful
wife, Mary, and his co-workers at the City of Austin for their support.
Publisher’s Acknowledgments
We’re proud of this book; please send us your comments through our online registration form
located at www.dummies.com/register/.
Some of the people who helped bring this book to market include the following:
Acquisitions, Editorial, and Media Development
Project Editor: Pat O’Brien
Acquisitions Editor: Melody Layne
Copy Editor: Barry Childs-Helton
Technical Editor: Jamie Pugh
Editorial Manager: Kevin Kirschner
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant (www.the5thwave.com)
Composition
Project Coordinator: Courtney MacIntyre
Layout and Graphics: Andrea Dahl, Stephanie D. Jumper, Lynsey Osborn, Heather Ryan
Proofreaders: Laura Albert, David Faust, Andy Hollandbeck, Brian H. Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services
Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director
Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services
Contents at a Glance
Introduction.................................................................1
Part I: Getting to Know Snort and Intrusion Detection.....5
Chapter 1: Looking Up Snort’s Nose................................................................................7
Chapter 2: Fitting In Snort...............................................................................................19
Chapter 3: Readying Your Preflight Checklist...............................................................29
Chapter 4: Makin’ Bacon: Installing Snort for Linux....................................................41
Chapter 5: Installing Snort and MySQL for Windows...................................................77
Part II: Administering Your Snort Box.........................105
Chapter 6: Snorting Through Logs and Alerts............................................................107
Chapter 7: Adding Visuals and Getting Reports.........................................................133
Chapter 8: Making Your Own Rules..............................................................................175
Chapter 9: What, Me Worry?.........................................................................................199
Chapter 10: Dealing with the Real Thing.....................................................................217
Part III: Moving Beyond the Basics............................241
Chapter 11: Reacting in Real Time...............................................................................243
Chapter 12: Keeping Snort Up to Date.........................................................................263
Chapter 13: Filling Your Farm with Pigs......................................................................275
Chapter 14: Using the Barnyard Output Tool.............................................................295
Part IV: The Part of Tens...........................................317
Chapter 15: Ten Cool Tools for Snort...........................................................................319
Chapter 16: Ten Snort Information Resources...........................................................327
Appendix A: What’s On the CD-ROM..........................331
Index.......................................................................337