SNORT 2.0 Intrusion Detection

Jay Beale, James C. Foster, Jeffrey Posluns, Brian Caswell

Publisher: Syngress, 2003, 523 pages

ISBN: 1-931836-74-4

Keywords: IT Security

Last modified: April 22, 2021, 12:17 p.m.

The incredibly low maintenance cost of Snort, combined with its powerful security features, makes it one of the fastest growing IDSs within corporate IT departments.

Snort 2.0 Intrusion Detection is the first book dealing with the Snort IDS and is co-written by Brian Caswell of Snort.org.

Readers will gain valuable insight into the code base of Snort and in-depth tutorials covering complex installations, configurations, and troubleshooting scenarios.

  1. Explore Snort's Features
    Master the three core features that make Snort so powerful: packet sniffing, packet logging, and intrusion detection.
  2. Install Snort
    Find instructions on installing Snort on both Linux and Microsoft Windows.
  3. Understand Rule Action Options
    Determine which of the five options is best for you: pass, log, alert, dynamic, or activate.
  4. Decide Which Rules to Enable
    Identify key protocols and services that are used on your network and determine the level of granularity required for your evidentiary logs.
  5. Master stream4 and frag2 Preprocessors
    Enhance Snort's original rule-based pattern-matching model with the stream4 and frag2 preprocessors.
  6. Configure Unified Logs
    Use unified logs to significantly increase the efficiency of the Snort sensor and free up your Snort engine.
  7. Manage Output Plug-Ins
    Install, configure, and use Swatch, ACID, SnortSnarf, IDSCenter, and other plug-ins to monitor log files.
  8. Watch for Rules Updates
    Use oinkmaster, a semi-automated tool, to download and compare new rulesets with old ones.
  9. Install and Configure Barnyard
    Run Barnyard in one of three modes of operation: one-shot mode, continual mode, or continual with checkpoint mode.
  10. Register for Your 1 Year Upgrade
    The Syngress Solutions upgrade plan protects you from content obsolescence and provides monthly mailings, whitepapers, and more!
  1. Intrusion Detection Systems
    • Introduction
    • What Is Intrusion Detection?
      • Network IDS
      • Host-Based IDS
      • Distributed IDS
    • A Trilogy of Vulnerability
      • Directory Traversal Vulnerability
      • CodeRed Worm
      • Nimda Worm
      • What Is an Intrusion?
      • Using Snort to Catch Intrusions
        • Directory Traversal Detection Using Snort
        • CodeRed Detection Using Snort
        • Nimda Detection Using Snort
    • Why Are Intrusion Detection Systems Important?
      • Why Are Attackers Interested in Me?
      • Where Does an IDS Fit with the Rest of My Security Plan?
      • Doesn't My Firewall Serve as an IDS?
      • Where Else Should I Be Looking for Intrusions?
        • Backdoors and Trojans
      • What Else Can Be Done with Intrusion Detection?
      • Monitoring Database Access
      • Monitoring DNS Functions
      • E-Mail Server Protection
      • Using an IDS to Monitor My Company Policy
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  2. Introducing Snort 2.0
    • Introduction
    • What Is Snort?
    • Snort System Requirements
      • Hardware
        • Operating Systems
        • Other Software
    • Exploring Snort's Features
      • Packet Sniffer
      • Preprocessor
      • Detection Engine
      • Alerting/Logging Component
    • Using Snort on Your Network
      • Snort's Uses
        • Using Snort as a Packet Sniffer and Logger
        • Using Snort as an NIDS
      • Snort and Your Network Architecture
        • Snort and Switched Networks
      • Pitfalls When Running Snort
        • False Alerts
        • Upgrading Snort
    • Security Considerations with Snort
      • Snort Is Susceptible to Attacks
      • Securing Your Snort System
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  3. Installing Snort
    • Introduction
    • A Brief Word about Linux Distributions
      • Debian
      • Slackware
      • Gentoo
    • Installing PCAP
      • Installing libpcap from Source
      • Installing libpcap from RPM
    • Installing Snort
      • Installing Snort from Source
      • Customizing Your Installation: Editing the snort.conf File
        • Enabling Features via configure
      • Installing Snort from RPM
      • Installing on the Microsoft Windows Platform
      • Installing Bleeding-Edge Versions of Snort
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  4. Snort: The Inner Workings
    • Introduction
    • Snort Components
      • Capturing Network Traffic
        • The OSI and TCP/IP Models
      • Packet Sniffing
        • A Network Card in Promiscuous Mode
        • What Is the libpcap Library?
        • How Does Snort Link into libpcap?
    • Decoding Packets
      • Storage of Packets
    • Processing Packets 101
      • Preprocessors
    • Understanding Rule Parsing and Detection Engine
      • Rules Builder
        • Rule Format
        • What Is a 3D Linked List?
        • How a Packet Is Matched
        • Pass Rules
      • Detection Plug-Ins
        • Snort 2.0 Rule Design
    • Output and Logs
      • Snort as a Quick Sniffer
        • Output Format
        • Berkeley Packet Filter Commands
        • Log to Disk
        • Log in pcap Format
      • Intrusion Detection Mode
        • Snort Logging
        • Logging Formats
      • Snort for Honeypot Capture and Analysis
      • Logging to Databases
        • Snort Reporting Front Ends
      • Alerting Using SNMP
      • Barnyard and Unified Output
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  5. Playing by the Rules
    • Introduction
    • Understanding Configuration Files
      • Defining and Using Variables
      • Including Rule Files
    • The Rule Header
      • Rule Action Options
      • Supported Protocols
      • Assigning Source and Destination IP Addresses to Rules
      • Assigning Source and Destination Ports
      • Understanding Direction Operators
      • Activate and Dynamic Rule Characteristics
    • The Rule Body
      • Rule Content
        • ASCII Content
        • Including Binary Content
        • The depth Option
        • The offset Option
        • The nocase Option
        • The session Option
        • Uniform Resource Identifier Context
        • The stateless Option
        • Regular Expressions
        • Flow Control
      • IP Options
        • Fragmentation Bits
        • Equivalent Source and Destination IP Option
        • IP Protocol Options
        • ID Option
        • Type of Service Option
        • Time-to-Live Option
      • TCP Options
        • Sequence Number Options
        • TCP Flag Option
        • TCP ACK Option
      • ICMP Options
        • ID
        • Sequence
        • The icode Option
        • The itype Option
      • Rule Identifier Options
        • Snort ID Options
        • Rule Revision Number
        • Severity Identifier Option
        • Classification Identifier Option
        • External References
      • Miscellaneous Rule Options
        • Messages
        • Logging
        • TAG
        • Dsize
        • RPC
        • Real-Time Countermeasures
    • Components of a Good Rule
      • Action Events
      • Ensuring Proper Content
      • Merging Subnet Masks
    • Testing Your Rules
      • Stress Tests
      • Individual Snort Rule Tests
      • Berkeley Packet Filter Tests
    • Tuning Your Rules
      • Configuring Rule Variables
      • Disabling Rules
      • Berkeley Packet Filters
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  6. Preprocessors
    • Introduction
    • What Is a Preprocessor?
    • Preprocessor Options for Reassembling Packets
      • The stream4 Preprocessor
        • TCP Statefulness
        • Session Reassembly
        • stream4's Output
      • frag2 — Fragment Reassembly and Attack Detection
        • Configuring frag2
        • frag2 Output
    • Preprocessor Options for Decoding and Normalizing Protocols
      • Telnet Negotiation
        • Configuring the telnet_negotiation Preprocessor
        • telnet_negotiation Output
      • HTTP Normalization
        • Configuring the HTTP Normalization Preprocessor
        • http_decode's Output
      • rpc_decode
        • Configuring rpc_decode
        • rpc_decode Output
    • Preprocessor Options for Nonrule or Anomaly-Based Detection
      • portscan
        • Configuring the portscan Preprocessor
      • Back Orifice
        • Configuring the Back Orifice Preprocessor
      • General Nonrule-Based Detection
    • Experimental Preprocessors
      • arpspoof
      • asn1_decode
      • fnord
      • portscan2 and conversations
        • Configuring the portscan2 Preprocessor
        • Configuring the conversation Preprocessor
      • perfmonitor
    • Writing Your Own Preprocessor
      • Reassembling Packets
      • Decoding Protocols
      • Nonrule or Anomaly-Based Detection
      • Setting Up My Preprocessor
      • What Am I Given by Snort?
        • Examining the Arguments Parsing Code
        • Getting the Preprocessor's Data Back into Snort
      • Adding the Preprocessor into Snort
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  7. Implementing Snort Output Plug-Ins
    • Introduction
    • What Is an Output Plug-In?
      • Key Components of an Output Plug-In
    • Exploring Output Plug-In Options
      • Default Logging
      • Syslog
      • PCAP Logging
      • Snortdb
      • Unified Logs
        • Why Should I Use Unified Logs?
        • What Do I Do with These Unified Files?
    • Writing Your Own Output Plug-In
      • Why Should I Write an Output Plug-In?
      • Setting Up My Output Plug-In
      • Dealing with Snort Output
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  8. Exploring the Data Analysis Tools
    • Introduction
    • Using Swatch
      • Performing a Swatch Installation
      • Configuring Swatch
      • Using Swatch
    • Using ACID
      • Installing ACID
        • Prerequisites for Installing ACID
      • Configuring ACID
      • Using ACID
        • Querying the Database
        • Alert Groups
        • Graphical Features of ACID
        • Managing Alert Databases
    • Using Snortsnarf
      • Installing Snortsnarf
      • Configuring Snort to Work with Snortsnarf
      • Basic Usage of Snortsnarf
    • Using IDScenter
      • Installing IDScenter
      • Configuring IDScenter
        • Minimal Configuration of IDScenter
      • Basic Usage of IDScenter
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  9. Keeping Everything Up to Date
    • Introduction
    • Applying Patches
    • Updating Rules
      • How Are the Rules Maintained?
      • How Do I Get Updates to the Rules?
        • Oinkmaster
      • How Do I Merge These Changes?
        • Using IDScenter to Merge Rules
    • Testing Rule Updates
      • Testing the New Rules
    • Watching for Updates
      • Mailing Lists and News Services to Watch
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  10. Optimizing Snort
    • Introduction
    • How Do I Choose What Hardware to Use?
      • What Constitutes "Good" Hardware?
        • Processors
        • RAM Requirements
        • Storage Medium
        • Network Interface Card
      • How Do I Test My Hardware?
    • How Do I Choose What Operating System to Use?
      • What Makes a "Good" OS for an NIDS?
      • What OS Should I Use?
      • How Do I Test My OS Choice?
    • Speeding Up Your Snort Installation
      • Deciding Which Rules to Enable
      • Configuring Preprocessors for Speed
      • Using Generic Variables
      • Choosing an Output Plug-In
    • Benchmarking Your Deployment
      • Benchmark Characteristics
        • Attributes of a Good Benchmark
        • Attributes of a Poor Benchmark
      • What Options Are Available for Benchmarking?
        • IDS Informer
        • IDS Wakeup
        • Sneeze
        • Miscellaneous Options
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  11. Mucking Around with Barnyard
    • Introduction
    • What Is Barnyard?
    • Preparation and Installation of Barnyard
    • How Does Barnyard Work?
      • Using the Barnyard Configuration File
      • Barnyard Innards
        • Configuration Declarations
        • Data Processors
        • Output Plug-Ins
      • Create and Display a Binary Log Output File
        • Running Barnyard
        • Barnyard Output Explanation
    • What Are the Output Options for Barnyard?
    • But I Want My Output Like "This"
      • An Example Output Plug-In
        • Using pluginbase.h and plugbase.c
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions
  12. Advanced Snort
    • Introduction
    • Policy-Based IDS
      • Defining a Network Policy for the IDS
      • An Example of Policy-Based IDS
      • Policy-Based IDS in Production
    • Inline IDS
      • Where Did the Inline IDS for Snort Come From?
      • Installation of Snort in Inline Mode
      • Using Inline IDS to Protect Your Network
        • Is Inline IDS the Tool for Me?
    • Summary
    • Solutions Fast Track
    • Frequently Asked Questions

Reviews

SNORT 2.0 Intrusion Detection

Reviewed by Roland Buresund

Good ******* (7 out of 10)

Last modified: May 21, 2007, 3:23 a.m.

This is probably the best reference book on Snort that you may find, even if it is a bit uneven (about twelve different authors with different styles). You need to know Snort and IDS concepts first, but if you do, this is your book.
