How to Cheat at Configuring Open Source Security Tools (Syngress, April 2007, ISBN 1597491705)

Visit us at www.syngress.com

Syngress is committed to publishing high-quality books for IT Professionals and delivering those books in media and formats that fit the demands of our customers. We are also committed to extending the utility of the book you purchase via additional materials available from our Web site.

SOLUTIONS WEB SITE
To register your book, visit www.syngress.com/solutions. Once registered, you can access our [email protected] Web pages. There you may find an assortment of value-added features such as free e-books related to the topic of this book, URLs of related Web sites, FAQs from the book, corrections, and any updates from the author(s).

ULTIMATE CDs
Our Ultimate CD product line offers our readers budget-conscious compilations of some of our best-selling backlist titles in Adobe PDF form. These CDs are the perfect way to extend your reference library on key topics pertaining to your area of expertise, including Cisco Engineering, Microsoft Windows System Administration, CyberCrime Investigation, Open Source Security, and Firewall Configuration, to name a few.

DOWNLOADABLE E-BOOKS
For readers who can't wait for hard copy, we offer most of our titles in downloadable Adobe PDF form. These e-books are often available weeks before hard copies, and are priced affordably.

SYNGRESS OUTLET
Our outlet store at syngress.com features overstocked, out-of-print, or slightly hurt books at significant savings.

SITE LICENSING
Syngress has a well-established program for site licensing our e-books onto servers in corporations, educational institutions, and large organizations. Contact us at sales@syngress.com for more information.

CUSTOM PUBLISHING
Many organizations welcome the ability to combine parts of multiple Syngress books, as well as their own content, into a single volume for their own internal use. Contact us at [email protected] for more information.
How to Cheat at Configuring Open Source Security Tools

Raven Alder
Josh Burke
Chad Keefer
Angela Orebaugh
Larry Pesce
Eric S. Seagren

Elsevier, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively "Makers") of this book ("the Work") do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, "Career Advancement Through Skill Enhancement®," "Ask the Author UPDATE®," and "Hack Proofing®," are registered trademarks of Elsevier, Inc. "Syngress: The Definition of a Serious Security Library"™, "Mission Critical™," and "The Only Way to Stop a Hacker is to Think Like One™" are trademarks of Elsevier, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY SERIAL NUMBER
001 HJIRTCV764
002 PO9873D5FG
003 829KM8NJH2
004 BPOQ48722D
005 CVPLQ6WQ23
006 VBP965T5T5
007 HJJJ863WD3E
008 2987GVTWMK
009 629MP5SDJT
010 IMWQ295T6T

PUBLISHED BY
Syngress Publishing, Inc.
Elsevier, Inc.
30 Corporate Drive
Burlington, MA 01803

How to Cheat at Configuring Open Source Security Tools
Copyright © 2007 by Elsevier, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN-10: 1-59749-170-5
ISBN-13: 978-1-59749-170-9

Publisher: Amorette Pedersen
Acquisitions Editor: Andrew Williams
Page Layout and Art: Patricia Lupien
Cover Designer: Michael Kavish
Indexer: Richard Carlson

For information on rights, translations, and bulk sales, contact Matt Pedersen, Commercial Sales Director and Rights, at Syngress Publishing; email [email protected].
Contributing Authors

Raven Alder is a Senior Security Engineer for IOActive, a consulting firm specializing in network security design and implementation. She specializes in scalable enterprise-level security, with an emphasis on defense in depth. She designs large-scale firewall and IDS systems, and then performs vulnerability assessments and penetration tests to make sure they are performing optimally. In her copious spare time, she teaches network security for LinuxChix.org and checks cryptographic vulnerabilities for the Open Source Vulnerability Database. Raven lives in Seattle, WA. Raven was a contributor to Nessus Network Auditing (Syngress Publishing, ISBN: 1-931836-08-6).

Josh Burke (CISSP) is an independent information security consultant in Seattle, Washington. He has held positions in networking, systems, and security over the past seven years in the technology, financial, and media sectors. A graduate of the business school at the University of Washington, Josh concentrates on balancing technical and business needs for companies in the many areas of information security. He also promotes an inclusive, positive security philosophy for companies, which encourages communicating the merits and reasons for security policies, rather than educating only on what the policies forbid.

Josh is an expert in open-source security applications such as Snort, Ethereal, and Nessus. His research interests include improving the security and resilience of the Domain Name System (DNS) and the Network Time Protocol (NTP). He also enjoys reading about the mathematics and history of cryptography, but afterward often knows less about the subject than when he started.

Chad Keefer is the founder of Solirix, a computer network security company specializing in Information Assurance. Chad is a former developer of Sourcefire's RNA product team. Chad has over 13 years of industry experience in security, networking, and software engineering. He has worked extensively with the federal government and in a wide range of commercial industries to redefine and sharpen the current perception of security. He has also been a lead architect in this space, overseeing initiatives to redesign and build many security infrastructures. Chad holds a B.S. in Computer Science from the University of Maryland. He currently lives in Annapolis, MD with his wife and daughter.

Angela Orebaugh is an industry-recognized security technology visionary and scientist, with over 12 years hands-on experience. She currently performs leading-edge security consulting and works in research and development to advance the state of the art in information systems security. Angela currently participates in several security initiatives for the National Institute of Standards and Technology (NIST). She is the lead scientist for the National Vulnerability Database and author of several NIST Special Publications on security technologies. Angela has over a decade of experience in information technology, with a focus on perimeter defense, secure network design, vulnerability discovery, penetration testing, and intrusion detection systems. She has a Masters in Computer Science, and is currently pursuing her Ph.D. with a concentration in Information Security at George Mason University. Angela is the author of the Syngress best seller Ethereal Packet Sniffing (ISBN: 1932266828). She has also co-authored the Snort Cookbook and Intrusion Prevention and Active Response: Deploying Network and Host IPS (Syngress; ISBN: 193226647X). Angela is a researcher, writer, and speaker for SANS Institute and faculty for The Institute for Applied Network Security and George Mason University. Angela has a wealth of knowledge from industry, academia, and government from her consulting experience with prominent Fortune 500 companies, the Department of Defense, dot-com startups, and universities. She is a frequently invited speaker at a variety of conferences and security events. Her current research interests are intrusion detection, intrusion prevention, data mining, attacker profiling, user behavior analysis, and network forensics.

Larry Pesce (CCNA, GCFA Silver, GAWN Silver) is the Manager for Information Services Security at Care New England, a mid-sized healthcare organization in New England. In the last 13 years in the computer industry, Larry has become a jack of all trades: PC repair, Network Engineering, Web Design, Non-Linear Audio and Video production, and Computer Security. Larry is also gainfully employed as a Penetration Tester / Ethical Hacker with Defensive Intuition, a Rhode Island-based security consulting company. A graduate of Roger Williams University in Computer Information Systems, Larry is currently exploring his options for graduate education.

In addition to his industry experience, Larry is also a Security Evangelist for the PaulDotCom Security Weekly podcast at www.pauldotcom.com. Larry is currently completing a work with his PaulDotCom Security Weekly co-host, Paul Asadoorian, on hacking the Linksys WRT54G. More of Larry's writing, guides, and rants can be found on his blog at www.haxorthematrix.com.

Eric S. Seagren (CISA, CISSP-ISSAP, SCNP, CCNA, CNE-4, MCP+I, MCSE-NT) has 10 years of experience in the computer industry, with the last eight years spent in the financial services industry working for a Fortune 100 company. Eric started his computer career working on Novell servers and performing general network troubleshooting for a small Houston-based company. Since he has been working in the financial services industry, his position and responsibilities have advanced steadily. His duties have included server administration, disaster recovery responsibilities, business continuity coordinator, Y2K remediation, network vulnerability assessment, and risk management responsibilities. He has spent the last few years as an IT architect and risk analyst, designing and evaluating secure, scalable, and redundant networks.

Eric has worked on several books as a contributing author or technical editor. These include Hardening Network Security (McGraw-Hill), Hardening Network Infrastructure (McGraw-Hill), Hacking Exposed: Cisco Networks (McGraw-Hill), Configuring Check Point NGX VPN-1/FireWall-1 (Syngress), Firewall Fundamentals (Cisco Press), and Designing and Building Enterprise DMZs (Syngress). He has also received a CTM from Toastmasters of America.
Contents

Chapter 1 Testing and Auditing Your Systems ..... 1
  Introduction ..... 2
  Taking Inventory ..... 2
    Locating and Identifying Systems ..... 2
      Nmap ..... 4
      Super Scanner ..... 9
      Angry IP Scanner ..... 12
      Scanline ..... 12
      Special-Purpose Enumerators ..... 15
    Locating Wireless Systems ..... 16
      Network Stumbler ..... 17
    Documentation ..... 19
      Network Topology Maps ..... 20
      Access Request Forms ..... 21
      Business Continuity and Disaster Recovery Plans ..... 22
      IT Security Policies / Standards / Procedures ..... 22
  Vulnerability Scanning ..... 23
    Nessus ..... 23
      Running Nessus on Windows ..... 24
      Running Nessus on Linux ..... 26
    X-Scan ..... 29
    Microsoft Baseline Security Analyzer ..... 32
  OSSTMM ..... 34
  Summary ..... 36
  Solutions Fast Track ..... 36
  Frequently Asked Questions ..... 37

Chapter 2 Protecting Your Perimeter ..... 39
  Introduction ..... 40
  Firewall Types ..... 40
  Firewall Architectures ..... 41
    Screened Subnet ..... 42
    One-Legged ..... 43
    True DMZ ..... 44
  Implementing Firewalls ..... 45
    Hardware versus Software Firewalls ..... 45
    Configuring netfilter ..... 46
      Choosing a Linux Version ..... 46
      Choosing Installation Media ..... 46
      Linux Firewall Operation ..... 48
      Configuration Examples ..... 53
      GUIs ..... 62
      Smoothwall ..... 78
    Configuring Windows Firewall ..... 85
  Providing Secure Remote Access ..... 85
    Providing VPN Access ..... 86
      Using Windows as a VPN Concentrator ..... 87
      iPIG ..... 90
      OpenSSL VPN ..... 94
    Providing a Remote Desktop ..... 101
      Windows Terminal Services ..... 101
      VNC ..... 104
      Using the X Window System ..... 109
    Providing a Remote Shell ..... 113
      Using Secure Shell ..... 114
      Using a Secure Shell GUI Client ..... 115
  Summary ..... 117
  Solutions Fast Track ..... 117
  Frequently Asked Questions ..... 119

Chapter 3 Protecting Network Resources ..... 121
  Introduction ..... 122
  Performing Basic Hardening ..... 122
    Defining Policy ..... 122
    Access Controls ..... 124
    Authentication ..... 124
    Authorization ..... 124
    Auditing ..... 125
  Hardening Windows Systems ..... 125
    General Hardening Steps ..... 125
      Users and Groups ..... 127
      File-Level Access Controls ..... 131
      Additional Steps ..... 135
    Using Microsoft Group Policy Objects ..... 135
      Account Lockout Policy ..... 139
      Audit Policy ..... 140
      User Rights Assignment ..... 140
  Hardening Linux Systems ..... 142
    General Hardening Steps ..... 143
      Users and Groups ..... 143
      File-Level Access Controls ..... 145
    Using the Bastille Hardening Script ..... 148
    Using SELinux ..... 149
  Hardening Infrastructure Devices ..... 151
  Patching Systems ..... 152
    Patching Windows Systems ..... 152
    Patching Linux Systems ..... 154
  Personal Firewalls ..... 154
    Windows Firewall ..... 155
    Netfilter Firewall ..... 160
    Configuring TCP Wrappers ..... 160
  Providing Antivirus and Antispyware Protection ..... 161
    Antivirus Software ..... 161
      Clam AntiVirus ..... 162
      Using Online Virus Scanners ..... 166
    Antispyware Software ..... 167
      Microsoft Windows Defender ..... 167
      Microsoft Malicious Software Removal Tool ..... 170
  Encrypting Sensitive Data ..... 170
    EFS ..... 171
  Summary ..... 176
  Solutions Fast Track ..... 176
  Frequently Asked Questions ..... 178

Chapter 4 Introducing Snort ..... 181
  Introduction ..... 182
  How an IDS Works ..... 183
    What Will an IDS Do for Me? ..... 184
    What Won't an IDS Do for Me? ..... 185
  Where Snort Fits ..... 185
  Snort System Requirements ..... 186
    Hardware ..... 186
      Operating System ..... 187
      Other Software ..... 187
  Exploring Snort's Features ..... 188
    Packet Sniffer ..... 189
    Preprocessor ..... 190
    Detection Engine ..... 190
    Alerting/Logging Component ..... 192
  Using Snort on Your Network ..... 195
    Snort's Uses ..... 196
      Using Snort as a Packet Sniffer and Logger ..... 196
      Using Snort as an NIDS ..... 201
    Snort and Your Network Architecture ..... 201
      Snort and Switched Networks ..... 204
    Pitfalls When Running Snort ..... 206
      False Alerts ..... 207
      Upgrading Snort ..... 207
  Security Considerations with Snort ..... 207
    Snort Is Susceptible to Attacks ..... 208
    Securing Your Snort System ..... 209
  Summary ..... 210
  Solutions Fast Track ..... 210
  Frequently Asked Questions ..... 211

Chapter 5 Installing Snort 2.6 ..... 213
  Introduction ..... 214
  Choosing the Right OS ..... 214
    Performance ..... 215
      The Operating System and the CPU ..... 215
      The Operating System and the NIC ..... 218
    Stability ..... 219
    Security ..... 219
    Support ..... 219
    Cost ..... 220
    Stripping It Down ..... 220
      Removing Nonessential Items ..... 222
    Debian Linux ..... 222
    CentOS ..... 223
    Gentoo ..... 224
    The BSDs ..... 225
      OpenBSD ..... 225
    Windows ..... 228
    Bootable Snort Distros ..... 228
      The Network Security Toolkit As a Snort Sensor ..... 229
  Hardware Platform Considerations ..... 230
    The CPU ..... 230
    Memory ..... 230
      Memory's Influence on System Performance ..... 231
      Virtual Memory ..... 232
    The System Bus ..... 232
      PCI ..... 232
      PCI-X ..... 233
      PCI-Express ..... 233
      Theoretical Peak Bandwidth ..... 233
      Dual vs. Single Bus ..... 234
    The NIC ..... 234
    Disk Drives ..... 235
  Installing Snort ..... 235
    Prework ..... 236
      Installing pcap ..... 236
      Installing/Preparing Databases ..... 236
      Time Synchronization (NTP) ..... 238
    Installing from Source ..... 238
      Benefits and Costs ..... 238
      Compile-Time Options ..... 240
    Installing Binaries ..... 240
      Apt-get ..... 241
      RPM ..... 241
      Windows ..... 241
    Hardening ..... 242
      General Principles ..... 242
  Configuring Snort ..... 243
    The snort.conf File ..... 243
    Variables ..... 244
      Using Variables in snort.conf and in Rules ..... 244
    Command-Line Switches ..... 245
    Configuration Directives ..... 248
      Snort.conf --dynamic-* Options ..... 248
      Ruletype ..... 248
    Plug-In Configuration ..... 248
      Preprocessors ..... 249
      Output Plug-Ins ..... 251
    Included Files ..... 251
      Rules Files ..... 251
      sid-msg.map ..... 252
      threshold.conf ..... 252
      gen-msg.map ..... 253
      classification.config ..... 253
    Thresholding and Suppression ..... 254
  Testing Snort ..... 254
    Testing within Organizations ..... 255
      Small Organizations ..... 256
      Large Organizations ..... 257
  Maintaining Snort ..... 257
    Updating Rules ..... 258
    How Can Updating Be Easy? ..... 259
  Updating Snort ..... 259
    Upgrading Snort ..... 259
    Monitoring Your Snort Sensor ..... 259
  Summary ..... 260
  Solutions Fast Track ..... 260
  Frequently Asked Questions ..... 262

Chapter 6 Configuring Snort and Add-Ons ..... 263
  Placing Your NIDS ..... 264
  Configuring Snort on a Windows System ..... 266
    Installing Snort ..... 266
    Configuring Snort Options ..... 269
    Using a Snort GUI Front End ..... 273
      Configuring IDS Policy Manager ..... 274
  Configuring Snort on a Linux System ..... 280
    Configuring Snort Options ..... 280
    Using a GUI Front-End for Snort ..... 284
      Basic Analysis and Security Engine ..... 284
  Other Snort Add-Ons ..... 291
    Using Oinkmaster ..... 291
    Additional Research ..... 293
  Demonstrating Effectiveness ..... 293
  Summary ..... 294
  Solutions Fast Track ..... 295
  Frequently Asked Questions ..... 296
Chapter 7 Introducing Wireshark: Network Protocol Analyzer . . . . . . . . . . . 297 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298 What is Wireshark? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .298 History of Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .299 Compatibility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300 Supported Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .301 Wireshark’s User Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .303 Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .305 Great Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .309 Supporting Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310 Tshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .310 Editcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .312 Mergecap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .313 Text2pcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .314 Using Wireshark in Your Network Architecture . . . . . . . . . . . . . . . . . . . . . . . . .315 Using Wireshark for Network Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . .317 Using Wireshark for System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . .320 Checking for Network Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . .320 Checking for Application Network Availability . . . . . . . . . . . . . . . . . . . . . 
.321 Scenario 1: SYN no SYN+ACK . . . . . . . . . . . . . . . . . . . . . . . . . . . . .321 Scenario 2: SYN immediate response RST . . . . . . . . . . . . . . . . . . . . .321 Scenario 3: SYN SYN+ACK ACK . . . . . . . . . . . . . . . . . . . . . . . . . . .322 Connection Closed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .322 Using Wireshark for Security Administration . . . . . . . . . . . . . . . . . . . . . . . . . . .322 Detecting Internet Relay Chat Activity . . . . . . . . . . . . . . . . . . . . . . . .322 Wireshark As a Network Intrusion Detection System . . . . . . . . . . . . . . . . .323 Wireshark as a Detector
for Proprietary Information Transmission . . . . . . . . . . . . . . . . . . . . . . . . . .323 Securing Ethereal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .323 Optimizing Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324 Network Link Speed . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324
Minimizing Wireshark Extras . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324 CPU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324 Memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .324 Advanced Sniffing Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325 Dsniff . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .325 Ettercap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327 MITM Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327 Cracking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327 Switch Tricks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327 ARP Spoofing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .327 MAC Flooding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328 Routing Games . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
Securing Your Network from Sniffers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328
xiv Contents Using Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .328 SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329
SSL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .329 Pretty Good Protection and Secure/ Multipurpose Internet Mail Extensions . . . . . . . . . . . . . . . . . . . . . . . . . . .329 Switching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330
Employing Detection Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330 Local Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .330 DNS Lookups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331 Latency . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331
Driver Bugs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331 NetMon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .331 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .332 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .334
Chapter 8 Getting and Installing Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . 337 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338 Getting Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .338 Platforms and System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . .339 Packet Capture Drivers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .340 Installing libpcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .341 Installing libpcap Using the RPMs . . . . . . . . . . . . . . . . . . . . . . . . . . . .341 Installing libpcap from the Source Files . . . . . . . . . . . . . . . . . . . . . . . .343 Installing WinPcap . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .345 Installing Wireshark on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .346 Installing Wireshark on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347 Installing Wireshark from the RPMs . . . . . . . . . . . . . . . . . . . . . . . . . . . . .347 Installing Wireshark on Mac OSX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .349 Installing Wireshark on Mac OSX from Source . . . . . . . . . . . . . . . . . . . . .349 Installing Wireshark on Mac OSX Using DarwinPorts . . . . . . . . . . . . . . . .353 Installing Wireshark on Mac OSX Using Fink . . . . . . . . . . . . . . . . . . . . . .354 Installing Wireshark from Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .355 Enabling and Disabling Features via configure . . . . . . . . . . . . . . . . . . . . . .358 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .360 Solutions Fast Track . . . . . . . . . . . . . . . . . . . . . . 
. . . . . . . . . . . . . . . . . . . . . . .360 Frequently Asked Questions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .362 Chapter 9 Using Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363 Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364 Getting Started with Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364 Exploring the Main Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .365 Summary Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .366 Protocol Tree Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .367 Data View Window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .369 Other Window Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371 Filter Bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .371 Information Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 Display Information Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 Exploring the Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .373 Open . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .374 Save As . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376 Print . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .376 Edit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
.381 Find Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .382 Set Time Reference (toggle) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384
Contents xv Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .384 View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .385 Time Display Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .387