<HTML>
<HEAD>
<TITLE>Technical Overview</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+">
<LINK REL="HOME" TITLE="Snort-Setup for Statistics HOWTO" HREF="index.html">
<LINK REL="PREVIOUS" TITLE="Structure" HREF="structure.html">
<LINK REL="NEXT" TITLE="Configuration" HREF="configuration.html">
</HEAD>
<BODY CLASS="SECT1" BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#0000FF" VLINK="#840084" ALINK="#0000FF">
<DIV CLASS="SECT1">
<H1 CLASS="SECT1"><A NAME="TECHNICALOVERVIEW">3. Technical Overview</A></H1>
<P>Snort is primarily a so-called Network Intrusion Detection System (NIDS). It is open source and available for a variety of Unix systems as well as Microsoft Windows (R).</P>
<P>A NIDS monitors a whole network segment, in contrast to a host-based IDS, which only monitors the host it runs on.</P>
<P>Since a NIDS is usually deployed together with a firewall, it is vital that the sensor is not itself vulnerable to attack. Therefore all interfaces that Snort binds to should be configured without IP addresses. Since this is not possible in every configuration, for example when Snort has to bind to an ISDN interface such as ippp0, consider running Snort on a dedicated machine and setting that machine up as the firewall and router for the dial-up connection as well.</P>
<P>For more information on that topic see the <A HREF="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html" TARGET="_top"><EM>Firewall-HOWTO</EM></A> or my <A HREF="http://www.lug-burghausen.org/projects/firewall/firewall-masq-diald.html" TARGET="_top"><EM>Firewalling+Masquerading+Diald+dynamic IP-HOWTO</EM></A>.</P>
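<P>As an added example (not from this HOWTO or the Snort project), the following POSIX shell script checks that a sniffing interface carries no IP address by parsing the output of iproute2's <EM>ip -o addr show</EM>, and shows how such an interface is brought up without an address. The interface names, the sample output and the IPv6 <EM>sysctl</EM> step are assumptions made for the illustration.</P>

```shell
#!/bin/sh
# Added example, not from the HOWTO: audit a Snort sniffing interface for
# assigned addresses, and bring one up the way the text recommends (no IP).
# Assumes iproute2 on Linux; the input format is that of `ip -o addr show`
# ("IDX: IFACE inet|inet6 ADDR/PREFIX ..."), one address per line.

# Read `ip -o addr show` output from stdin and print every IPv4/IPv6
# address assigned to interface $1 (family and address, one per line).
stealth_iface_addrs() {
    awk -v ifc="$1" \
        '$2 == ifc && ($3 == "inet" || $3 == "inet6") { print $3, $4 }'
}

# Returns 0 when interface $1 carries no address (safe to sniff on),
# 1 with a warning on stderr when it is reachable over IP.
stealth_iface_check() {
    found=$(stealth_iface_addrs "$1")
    if [ -n "$found" ]; then
        printf 'WARNING: %s has IP addresses and is reachable:\n%s\n' \
            "$1" "$found" >&2
        return 1
    fi
    printf 'OK: %s has no IP address\n' "$1"
}

# Bring interface $1 up for sniffing: flush all addresses, stop the IPv6
# stack from re-adding a link-local address, enable promiscuous mode.
# Needs root; defined here but not executed.
stealth_iface_up() {
    ip addr flush dev "$1"
    sysctl -w "net.ipv6.conf.$1.disable_ipv6=1"
    ip link set dev "$1" up promisc on
}

# Constructed sample of `ip -o addr show` output: eth0 is the management
# interface, eth1 is the sniffing interface without any address.
SAMPLE_IP_ADDR='1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0
2: eth0    inet6 fe80::1/64 scope link'

printf '%s\n' "$SAMPLE_IP_ADDR" | stealth_iface_check eth0 || true
printf '%s\n' "$SAMPLE_IP_ADDR" | stealth_iface_check eth1
# On a live sensor: ip -o addr show | stealth_iface_check eth1 || stealth_iface_up eth1
```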
<P>Snort can also monitor more than one network segment; this is discussed later.</P>
<P>Snort can also be used as a packet sniffer to troubleshoot network problems, but that is outside the scope of this document.</P>
<P>ACID, the Analysis Console for Intrusion Databases, is part of the AIR-CERT project. It uses PHPlot, a library for drawing graphs in PHP, and ADODB, an abstraction library that connects PHP to various database systems such as MySQL and PostgreSQL. The ACID homepage says:</P>
<P><EM>"The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of incidents generated by security-related software such as IDSes and firewalls."</EM></P>
<P>Max Vision's IDS rules (referred to as <EM>vision.rules</EM> because this is the name of the downloadable file) are used to supplement the rules shipped with Snort.</P>
<P>arachnids_upd is a small but useful Perl script that downloads the current <EM>vision.rules</EM> with <EM>wget</EM> and optionally removes individual rules listed in an ASCII file.</P>
</DIV>
</BODY>
</HTML>