Hackers

PRACTICAL PROTECTION

IT SECURITY MAGAZINE

team
Editor in Chief: Amalia Leitner amalia.leitner@software.com.pl Executive Editor: Karolina Lesińska karolina.lesinska@software.com.pl Editorial Advisory Board: Rebecca Wynn, Michael Munt DTP: Ireneusz Pogroszewski Art Director: Ireneusz Pogroszewski ireneusz.pogroszewski@software.com.pl Proofreaders: Barry McClain, Mark Lohman, Graham Hili TopBetatesters: Rebecca Wynn, Bob Folden, Carlos Ayala, Steve Hodge, Nick Baronian, Matthew Sabin, Laszlo Acs, Jac van den Goor, Matthew Dumas, Andy Alvarado Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a Hakin9 magazine. Senior Consultant/Publisher: Paweł Marciniak CEO: Ewa Łozowicka ewa.lozowicka@software.com.plProduction Director: Andrzej Kuca andrzej.kuca@hakin9.org Marketing Director: Karolina Lesińska karolina.lesinska@hakin9.org Subscription: Iwona Brzezik Email: iwona.brzezik@software.com.pl Publisher: Software Press Sp. z o.o. SK 02-682 Warszawa, ul. Bokserska 1 Phone: 1 917 338 3631 www.hakin9.org/en Whilst every effort has been made to ensure the high quality of the magazine, the editors make nowarranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them. program To create graphs and diagrams we used by The editors use automatic DTP system Mathematical formulas created by Design Science MathType™

DearReaders,
As you already know Snort is the most widely deployed IDS/IPS technology worldwide. Developed by Sourcefire, Snort combines the benefits of signature, protocol, and anomaly – based inspection. In Snort Special Issue Leon Ward, Joel Elser, Kishin Fatnani, Shivang Bhagat and Rishita Anubhai provide insight into writing Snort rules and into deployment of this IDS/IPS. With the end of theyear inevitably approaching, it’s high time to briefly reflect on 2010 and enter 2011 with new solutions and ideas for the foreseeable future. Some of them are provided by KK Mookhey in “How to get the most out of your IPS?” And annual Conference on Nagios and OSS Monitoring is to be looked forward too. Wishing you wonderful Christmas, Hakin9 Team

TOOLS
4 Uptime IT Systems Management Review
byMichael Munt

BASICS
by Doug Chick

6 Notes of the Network Administrator
I recently used SNORT and another program I like EtherApe to detect a major intrusion on my network. Within minutes millions of people were on my private fiber network. Once I isolated the problem I immediately connected my Internet provider. Like with many ISPs they denied it and recommended I look at my routingtables. If you are a network manager then you know in very many cases you must provide proof to your ISP before they are willing to provide you with support. In this case I recorded the event showing that there was hundreds of thousands, perhaps even a million people was passing traffic on my network. I sent the logs, and a video of my SNORT and EtherApe displays and emailed them to the ISP. I thenshutdown the two interfaces on my router and waited for a return call. The call came quickly too.
www.hakin9.org

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

2

SNORT

CONTENTS

8 Writing Snort Rules
by Kishin Fatnani
Though Snortcan also be used for packet logging, sniffing or as an IPS, however in this article we will look more into the concept of rules by which Snort detects interesting traffic for us, basically the kind of traffic we are looking for, like a network attack, a policy violation or may be traffic from a network application or device that you are troubleshooting.

30 Content Modifiers: Keep it Specific...