Snort 2.1 Intrusion Detection, Second Edition

You see, but you do not observe.
Sir Arthur Conan Doyle (quoting Sherlock Holmes), A Scandal in Bohemia, 1892
See the traffic. Feel the traffic. Be the traffic. You have instrumented your networks with Snort, capturing attack traffic and sending alerts. Millions of packets and thousands of alerts a day, and you have to make sense of it all.
Snort, at its heart, is a very complex pattern matcher geared toward detecting patterns of network attack traffic. On any given network, on any given day, Snort can fire thousands of alerts. Your task as an intrusion analyst is to sift through the data, extract events of interest, and separate the false positives from the actual attacks. But your job does not stop there. Once you have pruned your data, intrusion analysis begins.
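To make that first sifting pass concrete, here is an added example that is not from the book and not the code of any tool covered in this chapter. It parses lines in the layout of Snort 2.x `alert_fast` output, drops a known-noise (SID, source address) pair and alerts below a chosen priority, and counts what remains by signature and by source address. The sample alert lines, the SIDs (chosen from the local-rule range at or above 1,000,000) and the suppression list are constructed for illustration only.

```python
import re
from collections import Counter

# Pattern for one line of Snort 2.x "alert_fast" output. Assumed layout:
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src[:port] -> dst[:port]
# The Classification field is absent for rules without a classtype, and
# ports are absent for ICMP, so both are optional here.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (documentation address ranges, local-rule SIDs).
# The last line is deliberately not an alert, to exercise the unparsed path.
SAMPLE_ALERTS = """\
05/13-03:21:45.123456  [**] [1:1000001:1] LOCAL Inbound SQL Slammer probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.10:1434
05/13-03:21:46.001122  [**] [1:1000001:1] LOCAL Inbound SQL Slammer probe [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 192.0.2.11:1434
05/13-03:22:01.445566  [**] [1:1000002:2] LOCAL Nmap SYN scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.9:51234 -> 192.0.2.10:22
05/13-03:22:09.000001  [**] [1:1000003:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.250 -> 192.0.2.10
05/13-03:22:10.000001  [**] [1:1000003:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.250 -> 192.0.2.11
05/13-03:25:33.778899  [**] [1:1000004:1] LOCAL Web server cmd.exe access [**] [Priority: 1] {TCP} 203.0.113.9:40000 -> 192.0.2.20:80
this line is not an alert and is counted as unparsed
"""

# Hypothetical tuning decision: the monitoring host's pings are known noise.
KNOWN_NOISE = frozenset({(1000003, "192.0.2.250")})


def parse_alert(line):
    """Return a dict of the alert's fields, or None if the line does not parse."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        a[key] = int(a[key])
    for key in ("sport", "dport"):
        a[key] = int(a[key]) if a[key] is not None else None
    return a


def summarize(lines, suppress=frozenset(), max_priority=3):
    """Count alerts by signature and by source after dropping suppressed
    (sid, src) pairs and alerts whose priority number exceeds max_priority
    (Snort priority 1 is the most severe, so a larger number is less urgent)."""
    by_sig = Counter()
    by_src = Counter()
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        a = parse_alert(line)
        if a is None:
            unparsed += 1
            continue
        if (a["sid"], a["src"]) in suppress or a["prio"] > max_priority:
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_src[a["src"]] += 1
    return {"by_sig": by_sig, "by_src": by_src, "unparsed": unparsed}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS.splitlines(), suppress=KNOWN_NOISE)
    print("Top signatures:")
    for (sid, msg), n in report["by_sig"].most_common():
        print(f"  {n:4d}  [1:{sid}] {msg}")
    print("Top sources:")
    for src, n in report["by_src"].most_common():
        print(f"  {n:4d}  {src}")
    print(f"Unparsed lines: {report['unparsed']}")
```

Running the script with the constructed input leaves four alerts from two sources after suppression; the unparsed counter matters in practice, because a silently skipped line is an alert nobody will ever look at.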
In this chapter, we cover methodology and the tools to help you manage the task of monitoring Snort sensors and analyzing intrusion data. The tools we will cover are:
ACID
SGUIL
SnortSnarf
Snort_stat.pl
Swatch
For your convenience, the current versions of these tools (at the time of this writing) are included on this book's companion CD-ROM. You can find these tools in the Chapter 8 directory.
Intrusion analysis is an investigation into a network incident. The incident in question might be a compromised host, a denial of service attack, or a port scan. You must assess the risk to your organization as well as evaluate the impact of...