    LinuxCBT - NIDS Edition

    Posted By: Max-X

    English | .MOV | h264, yuv420p, 800x600, 77 kb/s, 5.00 fps | aac, 44100 Hz, 1 channels, s16, 62 kb/s | 1.21 GB
    Genre: eLearning

    Network Intrusion Detection System (NIDS) Security - Module V

    Snort NIDS - Installation
    Peruse the LinuxCBT Security Edition classroom network topology
    Download Snort
    Import G/PGP public key and verify package integrity
    Identify & download key Snort dependencies
    Install current libpcap - Packet Capture Library
    Establish security configuration baseline

    Snort NIDS - Sniffer Mode
    Discuss sniffer mode concepts & applications
    Sniff IP packet headers - layer-3/4
    Sniff data-link headers - layer-2
    Sniff application payload - layer-7
    Sniff application/ip packet headers/data-link headers - all layers except physical
    Examine packets & packet loss
    Sniff traffic traversing interesting interfaces
    Sniff clear-text traffic
    Sniff encrypted streams

    Snort NIDS - Logging Mode
    Discuss logging mode concepts & applications
    Log traffic using default PCAP/TCPDump format
    Log traffic using ASCII mode & examine output
    Discuss directory structure created by ASCII logging mode
    Control verbosity of ASCII logging mode & examine output
    Enhance packet logging analysis by defaulting to binary logging
    Discuss default nomenclature for binary/TCPDump files
    Alter binary output options
    Use Snort NIDS to read binary/TCPDump files

    Snort NIDS - Berkeley Packet Filters (BPFs)
    Explain the advantages of utilizing BPFs
    Discuss BPF directional, type, and protocol qualifiers
    Identify clear-text based network applications and define appropriate BPFs
    Execute Snort NIDS in sniffer mode with BPFs enabled to match interesting traffic
    Log to the active pseudo-terminal console and examine the packet flows
    Combine BPF qualifiers to increase packet-matching capabilities
    Use logical operators to define more flexible BPFs
    Read binary TCPDump files using Snort & BPFs
    Execute Snort NIDS in logging/daemon mode

    Snort NIDS - Cisco Switch Configuration
    Examine the current network configuration
    Identify Snort NIDS sensors and centralized DBMS Server
    Create multiple VLANs on the Cisco Switch
    Secure the Cisco Switch configuration
    Isolate internal and external hosts, sensors and DBMS systems
    Configure SPAN - Port Mirroring for internal and external Snort NIDS Sensors
    Examine internal and external packet flows

    Snort NIDS - Network Intrusion Detection System (NIDS) Mode
    Discuss NIDS concepts & applications
    Prepare /etc/snort - configuration directory for NIDS operation
    Explore the snort.conf NIDS configuration file
    Discuss all snort.conf sections
    Download & install community rules
    Execute Snort in NIDS mode with TCPDump compliant output plugin
    Download & install Snort Vulnerability Research Team (VRT) rules
    Compare & contrast community rules to VRT rules

    Snort NIDS - Output Plugin - Barnyard Configuration
    Discuss features & benefits
    Configure Syslog based logging and examine results
    Configure Snort to log sequentially to multiple output locations
    Implement unified binary output logging to enhance performance
    Discuss concepts & features associated with post-processing Snort logs
    Download and install current barnyard post-processor
    Use barnyard to post-process logs to multiple output destinations

    Snort NIDS - BASE - MySQL® Implementation
    Discuss benefits of centralized console reporting for 1 or more Snort sensors
    Re-compile Snort on both sensors to support MySQL logging
    Configure MySQL on Database Management System (DBMS) Host
    Implement Snort database schema on DBMS Host
    Configure Snort to log output to MySQL DBMS Host
    Confirm output logging to the MySQL DBMS Host
    Prepare DBMS Host for BASE console installation
    Install BASE and complete schema extension
    Peruse BASE interface

    Snort® NIDS - Rules Configuration & Updates
    Discuss the concept of rules as related to Snort NIDS
    Examine Snort rule syntax
    Peruse pre-defined Snort rules
    Download & configure oinkmaster to automatically update Snort rules
    Confirm oinkmaster operation
