Snort Intrusion Detection 2.0
- 1st Edition - May 11, 2003
- Author: Syngress
- Language: English
- eBook ISBN: 978-0-08-048100-5
The incredible low maintenance costs of Snort combined with its powerful security features make it one of the fastest growing IDSs within corporate IT departments.
Snort 2.0 Intrusion Detection is written by a member of Snort.org. The book provides a valuable insight to the code base of Snort and in-depth tutorials of complex installation, configuration, and troubleshooting scenarios.
The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.
- The most up-to-date and comprehensive coverage for Snort 2.0!
- Expert Advice from the Development Team and Step-by-Step Instructions for Installing, Configuring, and Troubleshooting the Snort 2.0 Intrusion Detection System.
Security conscious or security curious professionals and power users interested in developing a comprehensive intrusion detection system.
Foreword
Chapter 1 Intrusion Detection Systems
Introduction
What Is Intrusion Detection
Network IDS
Host-Based IDS
Distributed IDS
A Trilogy of Vulnerabilities
Directory Traversal Vulnerability
CodeRed Worm
Nimda Worm
What Is an Intrusion
Using Snort to Catch Intrusions
Why Are Intrusion Detection Systems Important
Why Are Attackers Interested in Me
Where Does an IDS Fit with the Rest of My Security Plan
Doesn’t My Firewall Serve as an IDS
Where Else Should I Be Looking for Intrusions
What Else Can Be Done with Intrusion Detection
Monitoring Database Access
Monitoring DNS Functions
E-Mail Server Protection
Using an IDS to Monitor My Company Policy
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 2 Introducing Snort 2.0
Introduction
What Is Snort
Snort System Requirements
Hardware
Exploring Snort’s Features
Packet Sniffer
Preprocessor
Detection Engine
Alerting/Logging Component
Using Snort on Your Network
Snort’s Uses
Snort and Your Network Architecture
Pitfalls When Running Snort
Security Considerations with Snort
Snort Is Susceptible to Attacks
Securing Your Snort System
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 3 Installing Snort
Introduction
A Brief Word about Linux Distributions
Debian
Slackware
Gentoo
Installing PCAP
Installing libpcap from Source
Installing libpcap from RPM
Installing Snort
Installing Snort from Source
Customizing Your Installation: Editing the snort.conf File
Installing Snort from RPM
Installation on the Microsoft Windows Platform
Installing Bleeding-Edge Versions of Snort
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 4 Snort: The Inner Workings
Introduction
Snort Components
Capturing Network Traffic
Packet Sniffing
Decoding Packets
Storage of Packets
Processing Packets 101
Preprocessors
Understanding Rule Parsing and Detection Engines
Rules Builder
Detection Plug-Ins
Output and Logs
Snort as a Quick Sniffer
Intrusion Detection Mode
Snort for Honeypot Capture and Analysis
Logging to Databases
Alerting Using SNMP
Barnyard and Unified Output
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 5 Playing by the Rules
Introduction
Understanding Configuration Files
Defining and Using Variables
Including Rule Files
The Rule Header
Rule Action Options
Supported Protocols
Assigning Source and Destination IP Addresses to Rules
Assigning Source and Destination Ports
Understanding Direction Operators
Activate and Dynamic Rule Characteristics
The Rule Body
Rule Content
Components of a Good Rule
Action Events
Ensuring Proper Content
Merging Subnet Masks
Testing Your Rules
Stress Tests
Individual Snort Rule Tests
Berkeley Packet Filter Tests
Tuning Your Rules
Configuring Rule Variables
Disabling Rules
Berkeley Packet Filters
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 6 Preprocessors
Introduction
What Is a Preprocessor
Preprocessor Options for Reassembling Packets
The stream4 Preprocessor
frag2—Fragment Reassembly and Attack Detection
Preprocessor Options for Decoding and Normalizing Protocols
Telnet Negotiation
HTTP Normalization
rpc_decode
Preprocessor Options for Nonrule or Anomaly-Based Detection
portscan
Back Orifice
General Nonrule-Based Detection
Experimental Preprocessors
arpspoof
asn1_decode
fnord
portscan2 and conversation
perfmonitor
Writing Your Own Preprocessor
Reassembling Packets
Decoding Protocols
Nonrule or Anomaly-Based Detection
Setting Up My Preprocessor
What Am I Given by Snort
Adding the Preprocessor into Snort
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 7 Implementing Snort Output Plug-Ins
Introduction
What Is an Output Plug-In
Key Components of an Output Plug-In
Exploring Output Plug-In Options
Default Logging
Syslog
PCAP Logging
Snortdb
Unified Logs
Writing Your Own Output Plug-In
Why Should I Write an Output Plug-In
Setting Up My Output Plug-In
Dealing with Snort Output
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 8 Exploring the Data Analysis Tools
Introduction
Using Swatch
Performing a Swatch Installation
Configuring Swatch
Using Swatch
Using ACID
Installing ACID
Configuring ACID
Using ACID
Using SnortSnarf
Installing SnortSnarf
Configuring Snort to Work with SnortSnarf
Basic Usage of SnortSnarf
Using IDScenter
Installing IDScenter
Configuring IDScenter
Basic Usage of IDScenter
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 9 Keeping Everything Up to Date
Introduction
Applying Patches
Updating Rules
How Are the Rules Maintained
How Do I Get Updates to the Rules
How Do I Merge These Changes
Testing Rule Updates
Testing the New Rules
Watching for Updates
Mailing Lists and News Services to Watch
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 10 Optimizing Snort
Introduction
How Do I Choose What Hardware to Use
What Constitutes “Good” Hardware
How Do I Test My Hardware
How Do I Choose What Operating System to Use
What Makes a “Good” OS for a NIDS
What OS Should I Use
How Do I Test My OS Choice
Speeding Up Your Snort Installation
Deciding Which Rules to Enable
Configuring Preprocessors for Speed
Using Generic Variables
Choosing an Output Plug-In
Benchmarking Your Deployment
Benchmark Characteristics
What Options Are Available for Benchmarking
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 11 Mucking Around with Barnyard
Introduction
What Is Barnyard
Preparation and Installation of Barnyard
How Does Barnyard Work
Using the Barnyard Configuration File
Barnyard Innards
Create and Display a Binary Log Output File
What Are the Output Options for Barnyard
But I Want My Output Like “This”
An Example Output Plug-In
Summary
Solutions Fast Track
Frequently Asked Questions
Chapter 12 Advanced Snort
Introduction
Policy-Based IDS
Defining a Network Policy for the IDS
An Example of Policy-Based IDS
Policy-Based IDS in Production
Inline IDS
Where Did the Inline IDS for Snort Come From
Installation of Snort in Inline Mode
Using Inline IDS to Protect Your Network
Summary
Solutions Fast Track
Frequently Asked Questions
Index
- No. of pages: 550
- Imprint: Syngress