December 11, 2000, 4:07 PM
I'm going to assume that after reading
of this series, you have a working lightweight intrusion detection system in place. Now
it's time to start getting useful data from it.
By default, Snort stores
logged data for each IP address it captures in a separate directory. In a typical
installation, the number of directories can quickly grow into the hundreds, making for
an unwieldy collection of data.
Luckily, Snort provides an easy fix. Simply use the
command-line option and store the captured data in
tcpdump format (http://tcpdump.org/). This method has the added benefit of
being much faster, decreasing the likelihood of dropped packets or missed intrusion
Now it's analysis time. Getting useful data from that 25 MB log file could be an
overwhelming task. But don't worry; two user-contributed Perl scripts will make your
life much easier.
Snortlog, written by Angelos Karageorgiou, looks up the hostnames of
flagged machines -- Snort outputs only the IP address -- and writes them to a list.
snort_stat.pl (http://www.snort.org/snort-files.htm), by Yen-Ming Chen, uses the logs to generate a
good selection of statistics about current alerts. I highly recommend that you download
and use both.
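As an added illustration of what such log-summarising tools do with a tcpdump-format log (this is example code written for this page, not snortlog, snort_stat.pl or Snort's own code): a small Python parser that walks the pcap records, tallies packets by source host and by target host/protocol/port, and leaves a hook for the hostname lookup that snortlog performs. The sample pcap, its addresses and the `resolve` hook are constructed assumptions.

```python
# Summarise a Snort binary (tcpdump/pcap-format) log by source host and target port.
# sample_pcap() builds constructed sample data; resolve() is an assumed hook so a
# hostname lookup can be plugged in without needing DNS here.
import struct
from collections import Counter

PCAP_MAGIC, ETHERTYPE_IPV4 = 0xA1B2C3D4, 0x0800
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def iter_packets(data):
    """Yield (src_ip, dst_ip, proto_name, dst_port) for each IPv4 frame in a pcap buffer."""
    magic, _v1, _v2, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or linktype != 1:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl_len], off + 16 + incl_len
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # non-IPv4 frame (ARP etc.): skip it
        ihl = (frame[14] & 0x0F) * 4  # IPv4 header length in bytes
        proto, l4 = frame[23], frame[14 + ihl:]
        src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
        dport = struct.unpack("!H", l4[2:4])[0] if proto in (6, 17) and len(l4) >= 4 else None
        yield src, dst, PROTO_NAMES.get(proto, str(proto)), dport

def summarise(data, resolve=lambda ip: ip):
    """Packets per (resolved) source and per (dst, proto, dport): snort_stat-style tallies."""
    by_src, by_target = Counter(), Counter()
    for src, dst, proto, dport in iter_packets(data):
        by_src[resolve(src)] += 1
        by_target[(dst, proto, dport)] += 1
    return by_src, by_target

def _frame(src, dst, proto, dport):
    """Constructed Ethernet/IPv4/TCP-or-UDP frame; zero MACs and checksums parse fine."""
    l4 = (struct.pack("!HHIIHHHH", 40000, dport, 0, 0, 0x5002, 8192, 0, 0) if proto == 6
          else struct.pack("!HHHH", 40000, dport, 8, 0))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4) + ip + l4

def sample_pcap():
    """Constructed log: one host hitting ssh three times and http once, plus one DNS packet."""
    frames = [_frame("10.0.0.5", "192.0.2.10", 6, 22)] * 3 + [
        _frame("10.0.0.5", "192.0.2.10", 6, 80), _frame("10.0.0.9", "192.0.2.11", 17, 53)]
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):  # one record header per frame, 1 s apart
        out += struct.pack("<IIII", 976492800 + i, 0, len(f), len(f)) + f
    return out
```

Pointing `summarise()` at the bytes of a real Snort binary log file gives the same two tallies; pass `resolve=lambda ip: socket.gethostbyaddr(ip)[0]` (with error handling) to get snortlog-style hostnames.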
As we wrap up this series on intrusion detection, it's time to start thinking about the
best place to deploy your new system. Don't forget that an Ethernet switch forwards a
frame only to the port where it learned the destination MAC address. If you connect a
probe to an ordinary switch port, you'll see only broadcasts and packets addressed to the
probe itself -- not very useful for intrusion detection.
You have a couple of options. Most switch vendors allow their hardware to take packets
received on one port and copy them to another -- a technique called port
mirroring. This is a low-cost way to get started, but it can place an unwelcome
burden on the switch CPU if used on a busy network.
I recommend buying an inexpensive four-port repeater. Insert the repeater between the
backbone switch and the segment of the network you're interested in monitoring, plug
the probe into an empty port on the repeater, and you're set.
Next time, I'll talk about ways you can get a handle on network bandwidth hogs.