📄 firestorm-doc.xml
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook V3.1//EN" []>
<book id="firestorm">
<bookinfo>
<title>Firestorm Network Intrusion Detection System</title>
<authorgroup>
<author>
<firstname>John</firstname> <surname>Leach</surname>
<affiliation> <address> <email>john@ecsc.co.uk</email> </address> </affiliation>
</author>
<author>
<firstname>Gianni</firstname> <surname>Tedesco</surname>
<affiliation> <address> <email>gianni@scaramanga.co.uk</email> </address> </affiliation>
</author>
</authorgroup>
<copyright>
<year>2002</year> <year>2003</year>
<holder>John Leach</holder> <holder>Gianni Tedesco</holder>
</copyright>
</bookinfo>
<toc></toc>

<!-- Introduction ================================================== -->
<chapter id="introduction">
<title>Introduction</title>
<para>
Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it is just a sensor, but plans are to include real support for analysis, reporting, a remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible.
</para>
<para>
At the moment firestorm is still in early development, but a lot of the features you would expect of a sensor are already there.
</para>
<para>
This guide aims to help you configure and use the firestorm intrusion detection system. It is the official and definitive source of firestorm documentation. Accept no substitutes!
</para>
<sect1>
<title>Installation</title>
<sect2 id="download">
<title>How Can I Get Firestorm?</title>
<para>
Firestorm source code and pre-compiled binaries are available as free software (under the GNU GPL) and can be downloaded from:
<itemizedlist>
<listitem> <para>Source Code: <screen>http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z.tar.gz</screen> </para> </listitem>
<listitem> <para>Source RPM: <screen>http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.src.rpm</screen> </para> </listitem>
<listitem> <para>i386 RPM (for Linux on PCs): <screen>http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.i386.rpm</screen> </para> </listitem>
<listitem> <para>PowerPC RPM (for Linux on Power Macintosh): <screen>http://www.scaramanga.co.uk/firestorm/vX.Y.Z/firestorm-X.Y.Z-1.ppc.rpm</screen> </para> </listitem>
</itemizedlist>
</para>
</sect2>
</sect1>
<sect1 id="architecture">
<title>Architecture</title>
<sect2>
<title>Sensor</title>
<para>
The sensor component is called 'firestorm-nids'; it sniffs traffic on your network, analyses it (usually using snort signatures) and spools the alerts in extended log (elog) format.
</para>
<sect3>
<title>Stateful Analysis</title>
<para>
Firestorm can analyse state information on the network. For now just IP fragments and TCP streams are analysed. Application layer state tracking, TCP stream reassembly and related stream tracking (eg: ftp-data connections) are planned for the near future.
</para>
</sect3>
<sect3>
<title>Snort Compatibility</title>
<para>
Snort rule compatibility is fairly extensive. We aim to track the default signature set that ships with snort 1.9. As far as we know snort 1.8 rules should work also. More information can be found in the <emphasis>snort.compatibility</emphasis> document.
</para>
</sect3>
<sect3>
<title>Rate-Limiting of Alerts</title>
<para>
Firestorm features the ability to rate-limit alert output to protect itself from DoS attacks. This feature is rather unique. Built-in alerts (such as state tracking violations) are rate-limited by default, and snort rules have two new keywords, 'rate' and 'burst', for configuring this on a rule-by-rule basis.
</para>
</sect3>
<sect3>
<title>Anomaly Detection</title>
<para>
Firestorm has infrastructure for supporting anomaly detection modules; however, at this time no such modules have yet been written.
</para>
</sect3>
</sect2>
<sect2>
<title>Extended Logs</title>
<para>
Extended logs (or elogs for short) are a new format for transporting alert data. They contain not only the packet data but also the alert information, decode information, state-tracking information, and any other packet meta-data. The advantage of using extended log format is the ability to keep all data in one file (unlike some other *cough* systems).
</para>
<para>
Firestorm (unlike other systems) can usually achieve full disk throughput when alerting. Future versions will allow you to saturate many spindles simultaneously, providing multi-gigabit alert rates.
</para>
<para>
Be aware that the elog format is not yet finalised (and won't be until version 1.0.0) and is likely to change at any point in time. The files are versioned so you shouldn't experience data corruption. If you would like to be able to convert from one version to another, you can pay me to write a conversion tool ;)
</para>
</sect2>
<sect2>
<title>Stormwall</title>
<para>
Stormwall is as yet unfinished. Its purpose is to monitor alert spools and perform actions when new elog files appear. The firestorm sensor notifies stormwall of changes to the spool. This program will facilitate push-style remote logging. Both push and pull logging will be supported by version 1.0.0.
</para>
</sect2>
<sect2>
<title>Console</title>
<para>
The console is planned, but not started. Version 0.6.0 will have a usable console allowing the analyst to search, sort, filter, correlate and extract data from his sensors. The console will be a GNOME2 application.
</para>
</sect2>
</sect1>
</chapter>

<!-- Firestorm Nids Sensor ========================================= -->
<chapter id="sensor">
<title>Firestorm NIDS Sensor</title>
<sect1>
<title>Configuration File</title>
<para>
The firestorm-nids program has one optional command line argument to specify the path to the configuration file. If firestorm-nids is run with no arguments it will default to /etc/firestorm.conf. The firestorm configuration file is an ASCII text file with UNIX line terminators. If a line is empty or begins with a hash (#) character it is ignored. It consists of zero or more lines of the format:
</para>
<screen>directive &lt;parameters&gt;...</screen>
<para>
Arguments to the various directives are usually quite consistent and look something like this:
</para>
<screen>directive string="hello" str='foobar' int=23 size=48K bigsize=12MB</screen>
<para>
The notational convention '&lt;args&gt;...' will be used from now on to denote this style of arguments. All configuration directives are enumerated in detail below.
</para>
<sect2>
<title>firestorm_root</title>
<para>
This directive tells firestorm which directory to move to when run. All paths mentioned in the config file are relative to this path. You shouldn't run firestorm inside some directory which you later hope to unmount ;)
</para>
<screen>firestorm_root /var/firestorm</screen>
</sect2>
<sect2>
<title>chroot</title>
<para>
Firestorm can run inside a so-called <quote>chroot jail</quote>; this prevents firestorm from being able to read files located outside the jail. You will usually want to say yes to this for security reasons. Note that technically it is actually possible for a skilled attacker to break out of a chroot jail; nothing can replace code audit...
</para>
<screen>chroot yes
chroot no</screen>
</sect2>
<sect2>
<title>capture</title>
<para>
The capture directive instructs firestorm-nids where to capture network traffic from. Firestorm is quite unique in the sense that it can capture from a variety of sources, and a programmer can quite easily write extensions to capture from new data sources. Only one capture can be used at once.
</para>
<screen>capture type &lt;args&gt;...</screen>
<para>
I will briefly enumerate the capture types currently supported by firestorm, and the usage of each. Note that although filenames are relative to the firestorm_root, you can still access files outside of the chroot. Also note that none of these plugins set promiscuous mode by themselves. You must enable promiscuous mode yourself if you require it. This may be as simple as 'ifconfig ifname up promisc'; see your OS vendor's documentation for more details.
</para>
<sect3>
<title>pcap</title>
<para>
Most people will want to capture from the live network with libpcap. This plugin has only one option, 'if', which is used to specify which interface to listen on (eg: if='eth0', or if='any' to listen on all interfaces).
</para>
</sect3>
<sect3>
<title>pcapfile</title>
<para>
Firestorm can also capture from libpcap files, such as those created by tcpdump or ethereal. This plugin also has only one argument, 'file', to specify the filename (eg: file='./captures/mynetwork.cap').
</para>
</sect3>
<sect3>
<title>linux</title>
<para>
Firestorm has the ability to support high-speed OS specific capture plugins. Use this plugin if you run a recent Linux kernel with mmap()
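The configuration file format described in this chapter (directive lines, comment handling, the quoted-string/integer/size argument style, and the chroot and single-capture rules), worked through as an added Python example that is not part of the Firestorm documentation or code base. The exact value grammar and the K/M/G suffix set are assumptions, since the page only illustrates them with 48K and 12MB, and the 'linux' plugin's arguments are not checked because the page does not describe them.

```python
# Added example (not Firestorm's own code): parser and sanity checker for the firestorm.conf
# directive style documented above. Assumed grammar (the docs only illustrate it): values are
# "double"/'single'-quoted strings, bare integers or K/M/G sizes (optional B); other words are positional.
import re
_SIZE_MULT = {"K": 1024, "M": 1024 ** 2, "G": 1024 ** 3}
_TOKEN_RE = re.compile(  # key=value forms first, then any other whitespace-delimited word
    r"""(\w+)=(?:"([^"]*)"|'([^']*)'|(\d+)([KMG])B?|(\d+))(?=\s|$)|(\S+)""")
_CAPTURE_ARGS = {"pcap": {"if"}, "pcapfile": {"file"}}  # per the docs; 'linux' is not described above

def parse_conf(text):
    """Return [(lineno, directive, positional_words, {key: value})], skipping blank and # lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, *tail = line.split(None, 1)
        positional, args = [], {}
        for m in _TOKEN_RE.finditer(tail[0] if tail else ""):
            key, dq, sq, num, suffix, plain, word = m.groups()
            if word is not None:
                if "=" in word:  # key=value that does not fit the grammar, e.g. an unquoted string
                    raise ValueError(f"line {lineno}: bad argument {word!r}")
                positional.append(word)
            else:  # exactly one of num/plain/dq/sq matched
                args[key] = int(num) * _SIZE_MULT[suffix] if num else int(plain) if plain else dq if dq is not None else sq
        entries.append((lineno, directive, positional, args))
    return entries

def check_conf(entries):
    """Flag problems an operator would want caught before the sensor starts."""
    problems, captures = [], 0
    for lineno, directive, positional, args in entries:
        if directive == "chroot" and positional not in (["yes"], ["no"]):
            problems.append(f"line {lineno}: chroot must be yes or no")
        elif directive == "capture":
            captures += 1
            ctype = positional[0] if positional else None
            if ctype in _CAPTURE_ARGS and set(args) != _CAPTURE_ARGS[ctype]:
                problems.append(f"line {lineno}: capture {ctype} takes exactly {sorted(_CAPTURE_ARGS[ctype])}")
    if captures > 1:  # the docs: only one capture can be used at once
        problems.append("only one capture directive may be used at once")
    return problems
SAMPLE_CONF = """# constructed sample firestorm.conf for this example
firestorm_root /var/firestorm
chroot yes
capture pcap if='eth0'
capture pcapfile file='./captures/mynetwork.cap' if='any'
directive string="hello" str='foobar' int=23 size=48K bigsize=12MB
"""
```

Running `check_conf(parse_conf(SAMPLE_CONF))` reports the stray `if` argument on the pcapfile line and the second capture directive, which the page says is not allowed.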