427 Botnet fm qxd

Installation
To install Snort on Windows, you need to install the open-source packet-cap-
ture driver WinPCap (Windows Packet Capture Library). Snort can’t function
without it, since it needs the driver to capture packets for analysis. However,
beware: Compatibility and synchronization between Snort and WinPCap
(www.winpcap.org) versions has not always been perfect.You can use
SnortReport to query the raw logs, but for far more flexibility, use BASE
(Base Analysis and www.engagesecurity.com/products/idscenter/). Linux
installations require Pcap (Packet Capture Tool) and Pcre (Perl Compatible
Regular Expression Tool) as well as MySQL.
For more information on installation and on Snort in general, check out
Snort 2.1 Intrusion Detection,
Second Edition, published by Syngress (ISBN 1-
931836-04-3).You might also find Jeff Richard’s article at www.giac.org/
practical/gsec/Jeff_Richard_GSEC.pdf useful for Windows installations, or
one by Patrick Harper at www.internetsecurityguru.com/documents/
snort_acid_rh9.pdf could help with Linux.
Roles and Rules
You can use Snort as a packet sniffer somewhat comparable to tcpdump
(www.tcpdump.org), allowing you to capture and display whole packets or
selected header information, or as a packet logger, but its principle attraction
is its robust and flexible rule-based intrusion detection.This extends its capa-
bilities far beyond simple logging; its protocol analysis and content-filtering
capabilities enable it to detect buffer overflows, port scans, SMB probes, and
so on.
Snort rules are by no means rocket science, but most administrators will
want to tap into the wider (much wider!) Snort community of security pro-
fessionals and benefit from their collective input into the development of cus-
tomized rules, rather than spending 24 hours a day “rolling their own” rules.
The Sourcefire Vulnerability Research Team (VRT) certifies rules for
Sourcefire customers and registered Snort users (www.snort.org/rules/),
though unregistered users only get a static rule set at the time of each major
Snort release. VRT also maintains a community rule set containing rules sub-
mitted by the open-source Snort community.These rules are supplied as is,

Download 6,98 Mb.

Do'stlaringiz bilan baham: