Snort Intrusion Detection and Prevention Toolkit

Front Cover

Snort® IDS and IPS Toolkit

Copyright Page

Contents

Foreword

Chapter 1. Intrusion Detection Systems

Introduction

What Is Intrusion Detection?

How an IDS Works

Why Are Intrusion Detection Systems Important?

What Else Can You Do with Intrusion Detection Systems?

What About Intrusion Prevention?

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 2. Introducing Snort 2.6

Introduction

What Is Snort?

What's New in Snort 2.6

Snort System Requirements

Exploring Snort's Features

Using Snort on Your Network

Security Considerations with Snort

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 3. Installing Snort 2.6

Introduction

Choosing the Right OS

Hardware Platform Considerations

Installing Snort

Configuring Snort

Testing Snort

Maintaining Snort

Updating Snort

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 4. Configuring Snort and Add-Ons

Placing Your NIDS

Configuring Snort on a Windows System

Configuring Snort on a Linux System

Other Snort Add-Ons

Demonstrating Effectiveness

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 5. Inner Workings

Introduction

Snort Initialization

Snort Packet Processing

Inside the Detection Engine

The Dynamic Detection Engine

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 6. Preprocessors

Introduction

What Is a Preprocessor?

Preprocessor Options for Reassembling Packets

Preprocessor Options for Decoding and Normalizing Protocols

Preprocessor Options for Nonrule or Anomaly-Based Detection

Dynamic Preprocessors

Experimental Preprocessors

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 7. Playing by the Rules

Introduction

What Is a Rule?

Understanding Rules

Other Advanced Options

Ordering for Performance

Thresholding

Suppression

Packet Analysis

Rules for Vulnerabilities, Not Exploits

A Rule: Start to Finish

Rules of Note

Stupid Rule Tricks

Keeping Rules Up to Date

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 8. Snort Output Plug-Ins

Introduction

What Is an Output Plug-In?

Exploring Snort's Output Plug-In Options

Writing Your Own Output Plug-In

Troubleshooting Output Plug-In Problems

Add-On Tools

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 9. Exploring IDS Event Analysis, Snort Style

Introduction

What Is Data Analysis?

Data Analysis Tools

Analyzing Snort Events

Reporting Snort Events

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 10. Optimizing Snort

Introduction

How Do I Choose the Hardware to Use?

How Do I Choose the Operating System to Use?

Speeding Up Snort

Cranking Up the Database

Benchmarking and Testing the Deployment

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 11. Active Response

Introduction

Active Response versus Intrusion Prevention

SnortSam

Fwsnort

snort_Inline

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 12. Advanced Snort

Introduction

Monitoring the Network

Configuring Channel Bonding for Linux

Snort Rulesets

Plug-Ins

Preprocessor Plug-Ins

Detection Plug-Ins

Output Plug-Ins

Snort Inline

Solving Specific Security Requirements

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 13. Mucking Around with Barnyard

Introduction

What Is Barnyard?

Understanding the Snort Unified Files

Installing Barnyard

Configuring Barnyard

Understanding the Output Plug-Ins

Running Barnyard in Batch-Processing Mode

Using the Continual-Processing Mode

Deploying Barnyard

Writing a New Output Plug-In

Secret Capabilities of Barnyard

Summary

Solutions Fast Track

Frequently Asked Questions

Index

GNU General Public License