Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
4.1 Preprocessors
When a packet is received by Snort, it may not be ready for processing by the main Snort detection engine and application of Snort rules. For example, a packet may be fragmented. Before you can search a string within the packet or determine its exact size, you need to defragment it by assembling all fragments of the data packet. The job of a preprocessor is to make a packet suitable for the detection engine to apply different rules to it. In addition, some preprocessors are used for other tasks such as detection of Figure 4-1 Simplified block diagram for Snort. Preprocessors 133 anomalies and obvious errors in data packets. A detailed description of available pre- processors will show how they work. During the installation process, you can compile support of different preproces- sors into Snort. Configuration parameters for different preprocessors also called input plug-ins and input modules are present in the snort.conf file. Using the file, you can enable or disable different preprocessors. All enabled preprocessors operate on each packet. There is no way to bypass some of the preprocessors based upon some criteria. If you have enabled a large number of preprocessors, you may slow down Snort detection process. Therefore you should be careful when enabling preprocessors. All preprocessors are enabled in the Snort configuration file using the preproces- sor keyword. The general format of enabling a preprocessor is as follows: preprocessor name of preprocessor[: parameters] The name of the preprocessor follows the preprocessor keyword. For example, the following line in snort.conf file enables frag2 preprocessor: preprocessor frag2 Usually preprocessors also accept parameters to configure different options for the preprocessors. These parameters are usually optional. Mandatory parameters will be specified explicitly in this text. Widely used preprocessors are discussed next. You can write your own preprocessors. The information is available in README.PLUGINS in the doc directory of Snort source code. You can also find sam- ple code in the templates directory of the source code tree.4.1.1 HTTP Decode
The Hyper Text Transfer Protocol HTTP allows intrusion detection systems to use hexadecimal characters in URI to defeat known attacks. For example, this can be done by inserting something like 3A2F2F in the URI to replace : characters. The HTTP decode preprocessor normalizes the HTTP requests so that they can be processed properly by the detection engine. You can use a list of ports used by HTTP servers or proxy servers as an argument to the preprocessor. The following line in the configura- tion file will apply HTTP decode for packets coming to ports 80, 8080, 443. preprocessor http_decode: 80 8080 443 A large number of attacks on web servers are carried by obfuscating URI charac- ters using hexadecimal numbers in the URI. The HTTP decode blocks any such attempts by converting them to the actual URI. For example, if you have written a SnortParts
» Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Logs False Alarms Some Definitions
» Where IDS Should be Placed in Network Topology
» Honey Pots What is Intrusion Detection?
» Security Zones and Levels of Trust
» IDS Policy Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Packet Decoder Preprocessors Components of Snort
» The Detection Engine Components of Snort
» Dealing with Switches Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» TCP Stream Follow Up Supported Platforms
» Snort on Stealth Interface Snort with no IP Address Interface
» References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Test Installation Snort Installation Scenarios
» Single Sensor Production IDS
» Multiple Snort Sensors with Centralized Database
» Download Install Installing Snort from the RPM Package
» Unpacking Installing Snort from Source Code
» Running the configure script. Running the
» Running the make install command.
» Create or copy the Snort configuration file in
» Create a directory After Installation Processes
» Generating Test Alerts Testing Snort
» Generating Test Alerts with Automatic Snort Startup
» Errors While Starting Snort Running Snort on a Non-Default Interface
» Automatic Startup and Shutdown
» Running Snort on Multiple Network Interfaces
» Logging Snort Data in Text Format
» Logging Snort in Binary Format
» Network Intrusion Detection Mode
» UNIX Socket Mode Snort Alert Modes
» Running Snort in Stealth Mode
» TCPIP Network Layers Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» CIDR Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» User Defined Actions Rule Actions
» Well-Known Port Numbers Port Number
» The ack Keyword The classtype Keyword
» The content Keyword Rule Options
» The offset Keyword Rule Options
» The depth Keyword The content-list Keyword
» The dsize Keyword Rule Options
» The flags Keyword Rule Options
» The fragbits Keyword Rule Options
» The itype Keyword Rule Options
» The icode Keyword Rule Options
» The id Keyword The ipopts Keyword
» The logto Keyword Rule Options
» The reference Keyword Rule Options
» The resp Keyword Rule Options
» The rev Keyword The rpc Keyword
» The session Keyword Rule Options
» The sid Keyword Rule Options
» The tag Keyword Rule Options
» The tos Keyword Rule Options
» The ttl Keyword Rule Options
» The uricontent Keyword Rule Options
» Using a List of Networks in Variables Using Interface Names in Variables
» The config Directives The Snort Configuration File
» Preprocessor Configuration Output Module Configuration
» Include Files The Snort Configuration File
» Order of Rules Based upon Action
» The Simple Method Automatically Updating Snort Rules
» The Sophisticated and Complex Method
» Writing Good Rules Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» The frag2 Module Preprocessors
» The stream4 Module Preprocessors
» The spade Module Preprocessors
» The alert_syslog Output Module
» The alert_smb Module The log_tcpdump Output Module
» Examples The XML Output Module
» Logging to Databases Output Modules
» CSV Output Module Output Modules
» Unified Logging Output Module SNMP Traps Output Module
» Using BPF Fileters Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Creating Extra Tables Step 5: Creating Tables in the Snort Database
» Secure Logging to Remote Databases Securely Using Stunnel
» Archiving the Database Snort Database Maintenance
» Using Sledge Hammer: Drop the Database
» What is ACID? Installation and Configuration
» Listing Protocol Data Alert Details Searching
» Generating Graphs Archiving Snort Data
» SnortSnarf Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» Barnyard References Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» SnortSam Prentice.Hall – Intrusion.Detection.Systems.with.Snort
» IDS Policy Manager Prentice.Hall – Intrusion.Detection.Systems.with.Snort
Show more