What capabilities does Snort have that might surprise IT managers or be underused by them?
Angela Orebaugh: Snort has some powerful functionality built into the preprocessors. These include the ability to maintain state, fragmented packet reassembly, stream reassembly, HTTP normalization, application decoders, portscan detectors and performance monitoring.
Several of the pre-processors have anti-evasion techniques built in. Since enabling the preprocessors creates an additional load on the system, it is best to dedicate specific stand-alone Snort sensors for some of these features.
What is the most common mistake admins make in handling intrusion detection systems (IDS)?
Orebaugh: The biggest problem with any IDS is the fact that many organizations deploy it and forget about it. An IDS needs a lot of care and feeding on a daily basis.
IDS alerts do you no good if you are not actively looking at them. It is optimal to have an individual (or more staff, depending on the size of the organization) dedicated to intrusion detection as his/her sole responsibility. This person will actively review the logs on a daily basis, update rules as needed and perform more in-depth analysis looking for long-term trending, low-and-slow attacks and even ways to improve network performance.
What do IT shops use instead of Snort, and why might Snort be a better option?
Orebaugh: From my experience, I have seen either a lot of the high-end commercial appliance products deployed or Snort.
Organizations with budget issues will choose Snort because it is free, and it has a lot of features and add-on tools to make it very usable. However, if you are looking to monitor high-bandwidth networks, Snort is not the best choice; that is where the appliance option would work better. Snort is not very optimized for that type of environment.
I have also seen a number of organizations deploy Snort in addition to the commercial product, just as a [system of] checks and balances and for additional monitoring.
What tools, particularly open source tools, work well in conjunction with Snort?
Orebaugh: My first and foremost recommendation is Barnyard.
Barnyard takes the output processing load off of Snort to let Snort do what it does best: capture and process packets. ACID/BASE is another great tool that allows you to view, analyze and graph Snort logs. A few others that I recommend are SnortSnarf, SWATCH, SnortCenter, IDS (intrusion detection system) Policy Manager and Snort Alert Monitor.
What's tricky about installing Snort in heterogeneous environments?
Orebaugh: As with installing any IDS, you must know your network very thoroughly. You need to know the devices, the architecture, the protocols and the traffic. This helps you not only deploy your sensors optimally, but also to tune your rules adequately.
You mentioned ACID/BASE and SnortCenter as complementary tools for Snort users. Could you tell us more about them?
Orebaugh: ACID/BASE is a PHP-based web GUI for log analysis. Its features include a search engine, packet viewer, alert management and graphing and statistics generation. Its web front end is easy to use and makes the administrator's job of managing alerts and logs a lot easier.
The SnortCenter management console allows you to build configuration files and then send them to remote sensors. SnortCenter has several useful features, including encryption of client-server traffic, authentication, the ability to push new configurations and the ability to update and import new Snort signatures automatically.
Orebaugh: Snort and Barnyard both have built-in functionality to log to MySQL and Postgres databases. Add-on tools such as ACID/BASE also work with these databases. There is a lot of documentation on integrating Snort and its add-on tools with MySQL and Postgres. Once again, the fact that these are free doesn't hurt!
Would Snort also work well with commercial databases?
Orebaugh: Yes, currently Snort also has plugins for Microsoft SQL, Oracle and Open Database Connectivity (ODBC).
Why should a company run Snort as a Linux daemon?
Orebaugh: Some administrators wish to run Snort in the background and start it up at boot time. Snort can be run in the background as a daemon process using the -D command line option. The Snort command can be added to the /etc/rc.d/rc.local script to run at boot time. This will run Snort in continual-processing mode; however, it is useful only if you are getting good notifications from Snort; otherwise you are effectively ignoring it.
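The answer above pairs the boot-time daemon with a caveat: a sensor nobody reads is a sensor you are ignoring. The following shell helpers are an added example, not code from the interview or from the Snort project: one builds the daemon command line described above (-D, plus a config, interface and log directory), and the others check that a Snort process is still running and that the alert file is still being written to, so a "deploy and forget" sensor is caught. The config path, interface, log directory and the unprivileged snort user/group are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the interview): start Snort as a daemon at boot and
# verify that it is still producing alerts. Paths, interface and the
# snort user/group are assumptions for illustration.

SNORT_CONF=${SNORT_CONF:-/etc/snort/snort.conf}   # assumed config path
SNORT_IFACE=${SNORT_IFACE:-eth0}                  # assumed sniffing interface
SNORT_LOGDIR=${SNORT_LOGDIR:-/var/log/snort}      # assumed log directory

# Build the command line to place in /etc/rc.d/rc.local. -D daemonizes,
# -c selects the config, -i the interface, -l the log directory, and
# -u/-g drop root privileges once the capture socket is open.
snort_daemon_cmd() {
    printf 'snort -D -c %s -i %s -l %s -u snort -g snort\n' \
        "$SNORT_CONF" "$SNORT_IFACE" "$SNORT_LOGDIR"
}

# Return 0 (true) when the alert file is missing or has not been modified in
# the last $2 minutes: the "effectively ignoring it" condition. A quiet
# sensor on a busy network usually means it is not seeing traffic at all.
alerts_stale() {
    file=$1
    max_minutes=$2
    [ -f "$file" ] || return 0
    # find prints the path only if the mtime is older than max_minutes
    stale=$(find "$file" -mmin +"$max_minutes" 2>/dev/null)
    [ -n "$stale" ]
}

# Return 0 when a snort process is running on our interface.
snort_running() {
    pgrep -f "snort .* -i $SNORT_IFACE" >/dev/null 2>&1
}

# Combined health check for a cron job: non-zero exit means someone must look.
sensor_health() {
    rc=0
    snort_running || { echo "snort is not running on $SNORT_IFACE" >&2; rc=1; }
    if alerts_stale "$SNORT_LOGDIR/alert" "${1:-1440}"; then
        echo "no new alerts in $SNORT_LOGDIR/alert for ${1:-1440} minutes" >&2
        rc=1
    fi
    return $rc
}

# Usage at boot (rc.local):  eval "$(snort_daemon_cmd)"
# Usage from cron:           sensor_health 1440 || mail -s "IDS check" ids-team
```

Run sensor_health daily from cron (as the dedicated analyst described earlier would) rather than trusting that a boot-time entry is enough; the staleness window should match how often the network normally triggers rules.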
One of your book's topics is "basic rules you shouldn't leave home without." Could you describe two or three of those rules and make some generalizations about choosing rules?
Orebaugh: Rulesets should be customized to each network in order to minimize false positives and false negatives. However, some rules can apply to almost any organization. These typically include rules to alert on worm activity and malware.
Another rule to detect potential reconnaissance is the 403 rule, which triggers when someone is denied access to a web page. This could alert you to a directory traversal attempt.
The Bleeding Snort site has some great leading-edge rules, but they are considered beta, so be careful when deploying them.
The bottom line is there is no silver bullet to configuring rules. You must tune them to your network, traffic and protocols.
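To make the "403 rule" above concrete, here is an added example (not from the interview, the book or the Snort project) of a local rule that alerts when one of the monitored web servers answers with a 403 status, together with a small shell helper that appends it to a local rules file only once and keeps the SID unique so it never collides with the official ruleset. The rule text, the SID 1000403 and the rules-file path are assumptions for illustration; the rule matches the three status-code bytes after the nine-byte "HTTP/1.x " prefix so it fires for both HTTP/1.0 and HTTP/1.1 responses.

```shell
#!/bin/sh
# Added example (not from the interview or the Snort project): a local "403
# Forbidden" rule and a helper that installs it idempotently. Rule text, SID
# and paths are assumptions for illustration.

LOCAL_RULES=${LOCAL_RULES:-/etc/snort/rules/local.rules}  # assumed path

# Alert when a monitored web server answers a client with status 403.
# flow:from_server,established restricts the match to server responses on
# established TCP sessions; offset:9 depth:3 checks only the status code.
# SIDs of 1000000 and above are reserved for local rules.
rule_403() {
    printf '%s\n' \
'alert tcp $HTTP_SERVERS $HTTP_PORTS -> $EXTERNAL_NET any (msg:"LOCAL web server returned 403 Forbidden"; flow:from_server,established; content:"403"; offset:9; depth:3; classtype:attempted-recon; sid:1000403; rev:1;)'
}

# Extract the sid from a rule line (empty output if it has none).
rule_sid() {
    printf '%s\n' "$1" | sed -n 's/.*sid:\([0-9][0-9]*\);.*/\1/p'
}

# Append a rule to a rules file unless a rule with the same SID is already
# present. Returns 0 if added, 1 if already present, 2 if the rule has no sid.
add_rule() {
    rules_file=$1
    rule=$2
    sid=$(rule_sid "$rule")
    [ -n "$sid" ] || { echo "rule has no sid" >&2; return 2; }
    if [ -f "$rules_file" ] && grep -q "sid:$sid;" "$rules_file"; then
        return 1
    fi
    printf '%s\n' "$rule" >> "$rules_file"
}

# Count active rules in a file (skips blank lines and # comments).
rule_count() {
    [ -f "$1" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Usage: add_rule "$LOCAL_RULES" "$(rule_403)" && snort -T -c /etc/snort/snort.conf
# (snort -T parses the config and rules and exits, so a typo is caught before
# the daemon is restarted.)
```

Tune before deploying: on a site where 403 responses are routine (robots, broken links), raise the threshold or restrict $EXTERNAL_NET, otherwise the rule becomes the kind of false-positive source the answer warns about.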