Intrusion Detection with SNORT

Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID

Rafeeq Ur Rehman

Publisher: Prentice Hall, 2003, 263 pages

ISBN: 0-13-140733-3

Keywords: IT Security

Last modified: July 30, 2021, 12:58 a.m.

Synopsis

Protect your network with Snort: the high-performance, open source IDS

Snort gives network administrators an open source intrusion detection system that outperform proprietary alternatives. Now, Rafeeq Ur Rehman explains and simplifies every aspect of deploying and managing Snort in your network. You'll discover how to monitor all your network traffic in real time; update Snort to reflect new security threats; automate and analyze Snort alerts; and more. Best of all, Rehman's custom scripts integrate Snort with Apache, MySQL, PHP, and ACID — so you can build and optimize a complete IDS solution more quickly than ever before.

  • An expert introduction to intrusion detection and the role of Snort
  • Writing and updating Snort rules to reflect the latest attacks and exploits
  • Contains detailed coverage of Snort plug-ins, preprocessors, and output modules
  • Logging alerts to a MySQL database
  • Using ACID to search, process, and analyze Snort log files
  • XML support for Snort via the Simple Network Markup Language (SNML)

Table of Contents

  1. Introduction to Intrusion Detection and Snort
    1. What is Intrusion Detection?
      1. Some Definitions
      2. Where IDS Should be Placed in Network Topology
      3. Honey Pots
      4. Security Zones and Levels of Trust
    2. IDS Policy
    3. Components of Snort
      1. Packet Decoder
      2. Preprocessors
      3. The Detection Engine
      4. Logging and Alerting System
      5. Output Modules
    4. Dealing with Switches
    5. TCP Stream Follow Up
    6. Supported Platforms
    7. How to Protect IDS Itself
      1. Snort on Stealth Interface
      2. Snort with no IP Address Interface
    8. References
  2. Installing Snort and getting Started
    1. Snort Installation Scenarios
      1. Test Installation
      2. Single Sensor Production IDS
      3. Single Sensor with Network Management System Integration
      4. Single Sensor with Database and Web Interface
      5. Multiple Snort Sensors with Centralized Database
    2. Installing Snort
      1. Installing Snort from the RPM Package
      2. Installing Snort fro Source Code
      3. Errors While Starting Snort
      4. Testing Snort
      5. Running Snort on a Non-Default Interface
      6. Automatic Startup and Shutdown
    3. Running Snort on Multiple Networks
    4. Snort Command Line Options
    5. Step-By-Step Procedure to Compile and Install Snort
    6. Location of Snort Files
    7. Snort Modes
      1. Network Sniffer Mode
      2. Network Intrusion Detection Mode
    8. Snort Alert Modes
      1. Fast Mode
      2. Full Mode
      3. UNIX Socket Mode
      4. No Alert Mode
      5. Sending Alerts to Syslog
      6. Sending Alerts to SNMP
      7. Sending Alerts to Windows
    9. Running Snort in Stealth Mode
    10. References
  3. Working with Snort Rules
    1. TCP/IP Network Layers
    2. The First Bad Rule
    3. CIDR
    4. Structure of a Rule
    5. Rule Headers
      1. Rule Actions
      2. Protocols
      3. Address
      4. Port Number
      5. Direction
    6. Rule Options
      1. The ack Keyword
      2. The classtype Keyword
      3. the content Keyword
      4. The offset Keyword
      5. The depth Keyword
      6. The content-list Keyword
      7. The dsize Keyword
      8. The flags Keyword
      9. The fragbits Keyword
      10. The icmp_id Keyword
      11. The icmp_seq Keyword
      12. The itype Keyword
      13. The icode Keyword
      14. The id Keyword
      15. The ipopts Keyword
      16. The ip_proto Keyword
      17. The logto Keyword
      18. The msg Keyword
      19. The nocase Keyword
      20. The priority Keyword
      21. The react Keyword
      22. The reference Keyword
      23. The resp Keyword
      24. The rev Keyword
      25. The rpc Keyword
      26. The sameip Keyword
      27. The seq Keyword
      28. The flow Keyword
      29. The session Keyword
      30. The sid Keyword
      31. The tag Keyword
      32. The tos Keyword
      33. The ttl Keyword
      34. The uricontent Keyword
    7. The Snort Configuration File
      1. Using Variables in Rules
      2. The config Directives
      3. Preprocessor Configuration
      4. Output Module Configuration
      5. Defining New Action Types
      6. Rules Configurations
      7. Include Files
      8. Sample snort.conf File
    8. Order of Rules Based upon Action
    9. Automatically Updating Snort Rules
      1. The Simple Method
      2. The Sophisticated and Complex Method
    10. Default Snort Rules and Classes
      1. The local.rules File
    11. Sample Default Rules
      1. Checking su Attempts from a Telnet Session
      2. Checking for Incorrect Login on Telnet Sessions
    12. Writing Good Rules
    13. References
  4. Plugins, Preprocessors and Output Modules
    1. Preprocessors
      1. HTTP Decode
      2. Port Scanning
      3. The frag2 Module
      4. The stream4 Module
      5. The spade Module
      6. ARP Spoofing
    2. Output Modules
      1. The alert_syslog Output Module
      2. The alert_full Output Module 
      3. The alert_fast Output Module
      4. The alert_smb Output Module
      5. The log_tcpdump Output Module
      6. The XML Output Module
      7. Logging to Databases
      8. CSV Output Module
      9. Unified Logging Output Module
      10. SNMP Traps Output Module
      11. Log Null Output Module
    3. Using BPF Filters
    4. References
  5. Using Snort with MySQL
    1. Making Snort Work with MySQl
      1. Step 1: Snort Compilations with MySQL Support
      2. Step 2: Install MySQL
      3. Step 3: Creating Smart Database in MySQL
      4. Step 4: Creating MySQL User and Granting Permission to User and Setting Password
      5. Step 5: Creating Tables in the Snort Database
      6. Modify snort.conf Configuration File
      7. Starting Snort with Database Support
      8. Step 8: Logging to Database
    2. Secure Logging to Remote Databases Securely Using Stunnel
    3. Snort Database Maintenace
      1. Archiving the Database
      2. using Sledge Hammer: Drop the Database
    4. References
  6. Using ACID and SnortSnarf with Snort
    1. What is ACID?
    2. Installation and Configuration
    3. Using ACID
      1. ACID Main Page
      2. Listing Protocol Data
      3. Alert Details
      4. Searching
      5. Searching whois Databases?
      6. Generating Graphs
      7. Archiving Snort Data
      8. ACID Tables
    4. SnortSnarf
    5. Barnyard
    6. References
  7. Miscellaneous Tools
    1. SnortSam
    2. IDS Policy Manager
    3. Securing the ACID Web Console
      1. Using a Private Network
      2. Blocking Access to the Web Server on the Firewall
      3. Using iptables
    4. Easy IDS
    5. References
  1. Introduction to tcpdump
  2. Getting Started with MySQL
  3. Packet Header Formats
  4. Glossary
  5. SNML DTD

Reviews

Intrusion Detection with SNORT

Reviewed by Roland Buresund

OK ***** (5 out of 10)

Last modified: May 21, 2007, 3:09 a.m.

Opinion

A good overview, with some examples, but the book lacks depth. But as a quick-start book, it is excellent, just don't expect to understand what you are doing or to be able to tune the system after having read it.

Please observe that this book can also be found legally on the Internet, as it is licensed under the OPL license.

Comments

There are currently no comments

New Comment

required

required (not published)

optional

required

captcha

required