Shining light into the "now what" arena of IDS and IPS tuning, I'll talk about what the next steps should be with the alerts, tuning, and maintenance of the ruleset and configuration deployed into an IDS or an IPS. General guidelines will be provided, however, all guidelines must be adapted to your specific environment.
OpenFPC is a set of tools that combine to provide a lightweight full-packet network traffic recorder & buffering system. It's design goal is to allow non-expert users to deploy a distributed network traffic recorder on COTS hardware while integrating into existing alert and log management tools.OpenFPC is described as lightweight because it follows a different design model to other FPC/Network traffic forensic tools that I have seen. It doesn't provide a user with the ability to trigger automatic events (IDS-like functions), or set watch events for anomalous traffic changes (NBA-like functions) as it is assumed external open source, or comercial tools already provide this detection capability. OpenFPC fits in as a companion to provide extra (full packet/traffic stream) data as a bolt-on to these tools allowing deeper analysis of event data where required.
POLICY Adobe FLV file transfer* Feature rich IPS mode including improvements to Stream for inline deployments. A common active response API is used for all packet responses, including those from Stream, Respond, or React. A new response module, respond3, supports the syntax of both resp & resp2, including strafing for passive deployments. When Snort is deployed inline, a new preprocessor has been added to handle packet normalization to allow Snort to interpret a packet the same way as the receiving host.
* Use of a Data Acquisition API (DAQ) that supports many different
packet access methods including libpcap, netfilterq, IPFW, and
afpacket. For libpcap, version 1.0 or higher is now required.
The DAQ library can be updated independently from Snort and is
a separate module that Snort links. See README.daq for details
on using Snort and the new DAQ.
* Updates to HTTP Inspect to extract and log IP addresses from
X-Forward-For and True-Client-IP header fields when Snort generates
events on HTTP traffic.
* A new rule option 'byte_extract' that allows extracted values to
be used in subsequent rule options for isdataat, byte_test,
byte_jump, and content distance/within/depth/offset.
* Updates to SMTP preprocessor to support MIME attachment decoding
across multiple packets.
* Ability to "test" drop rules using Inline Test Mode. Snort will
indicate a packet would have been dropped in the unified2 and console event log if policy mode was set to inline.
* Two new rule options to support base64 decoding of certain pieces
of data and inspection of the base64 data via subsequent rule
options.
* Updates to the Snort packet decoders for IPv6 for improvements to
anomaly detection.
* Added a new pattern matcher that supports Intel's Quick Assist
Technology for improved performance on supported hardware
platforms. Visit http://www.intel.com to find out more about
Intel Quick Assist. The following document describes Snort's
integration with the Quick Assist Technology
http://download.intel.com/embedded/applications/networksecurity/324029.pdf
