This book is a bit out of date, dealing with issues from Snort 1.8 and Red Hat 7.3. I think I glanced at it for about 1 hour total. Just put it on the bookshelf next to the Snort Intrusion Detection 2.0 book, which was (if you ask me) a complete reference.
Intrusion Detection with Snort
Scribed by Jack Koziol
- Year: 2003
- Language: English
- Pages: 361
- Edition: 2nd
- Category: Library
Synopsis
With over 100,000 installations, the Snort open-source network intrusion detection system is combined with other free tools to deliver IDS defense to small- to medium-sized companies, changing the tradition of intrusion detection being affordable only for large companies with large budgets. Until now, Snort users had to rely on the official guide available on snort.org. That guide is aimed at relatively experienced Snort administrators and covers thousands of rules and known exploits. The lack of usable information made using Snort a frustrating experience. The average Snort user needs to learn how to actually get their systems up and running. Intrusion Detection with Snort provides readers with practical guidance on how to put Snort to work. Opening with a primer on intrusion detection and Snort, the book takes the reader through planning an installation, building the server and sensor, tuning the system, implementing the system and analyzing traffic, writing rules, upgrading the system, and extending Snort.
Table of Contents
Intrusion Detection with Snort......Page 2
Copyright © 2003 by Sams Publishing......Page 3
Contents at a Glance......Page 5
Table of Contents......Page 6
About the Author......Page 16
We Want to Hear from You!......Page 18
Introduction......Page 20
CHAPTER 1 Intrusion Detection Primer......Page 22
IDSs Come in Different Flavors......Page 23
Methods of Detecting Intrusions......Page 26
Origin of Attacks......Page 29
Orchestrating an Attack......Page 31
The IDS Reality......Page 41
Summary......Page 42
CHAPTER 2 Network Intrusion Detection with Snort......Page 44
Snort's Specifications......Page 45
Detecting Suspicious Traffic via Signatures......Page 47
Gathering Intrusion Data......Page 50
Alerting via Output Plug-ins......Page 53
Prioritizing Alerts......Page 55
Distributed Snort Architecture......Page 56
Shortcomings......Page 59
Summary......Page 61
CHAPTER 3 Dissecting Snort......Page 64
Feeding Snort Packets with Libpcap......Page 65
Preprocessors......Page 67
The Detection Engine......Page 82
Output Plugins......Page 83
Summary......Page 88
CHAPTER 4 Planning for the Snort Installation......Page 90
Defining an IDS Policy......Page 91
Deciding What to Monitor......Page 95
Designing Your Snort Architecture......Page 97
Planning for Maintenance......Page 100
Incident Response Plan......Page 101
Responding to an Incident......Page 104
Restoring to a Normal State......Page 107
Summary......Page 108
Hardware Performance Metrics......Page 110
Picking a Platform......Page 113
The Monitoring Segment......Page 115
Distributing Traffic to Multiple Sensors......Page 122
Summary......Page 123
Red Hat Linux 7.3......Page 126
Post-Installation Tasks......Page 129
Installing the Snort Server Components......Page 132
Summary......Page 161
Installation Guide Notes......Page 164
Installing the Snort Sensor Components......Page 168
Installing Snort......Page 174
Implementing Barnyard......Page 187
Summary......Page 192
CHAPTER 8 Building the Analyst's Console......Page 194
Windows......Page 195
Linux......Page 196
Testing the Console......Page 197
Working with ACID......Page 198
Summary......Page 209
The Hybrid Server/Sensor......Page 210
Snort on OpenBSD......Page 212
Snort on Windows......Page 214
Summary......Page 226
CHAPTER 10 Tuning and Reducing False Positives......Page 228
Pre-Tuning Activities......Page 229
Tuning the Network for Snort......Page 231
Filtering Traffic with Snort......Page 232
Tuning the Preprocessors......Page 234
Refining the Ruleset......Page 240
Organize Your Rules......Page 244
Designing a Targeted Ruleset......Page 246
Tuning MySQL......Page 248
Tuning ACID......Page 250
Summary......Page 252
An Overview of Real-Time Alerting with Snort......Page 254
Prioritization of Alerts......Page 255
Alerting with the Hybrid......Page 258
Alerting with Distributed Snort......Page 262
Summary......Page 269
Fundamental Rule Writing Concepts......Page 272
Rule Syntax......Page 274
Writing Rules......Page 294
Summary......Page 298
CHAPTER 13 Upgrading and Maintaining Snort......Page 300
IDS Policy Manager......Page 301
SnortCenter......Page 305
Upgrading Snort......Page 310
Summary......Page 312
CHAPTER 14 Advanced Topics in Intrusion Prevention......Page 314
A Warning Concerning Intrusion Prevention......Page 315
Planning an Intrusion Prevention Strategy......Page 316
Snort Inline Patch......Page 318
SnortSam......Page 324
Summary......Page 333
Snort Issues......Page 334
ACID Issues......Page 337
IDS Strategy......Page 338
Unknown Traffic......Page 340
Attempted Information Leak......Page 341
Attempted Denial of Service......Page 342
Attempted User Privilege Gain......Page 343
Attempted Administrator Privilege Gain......Page 344
Successful Administrator Privilege Gain......Page 345
Index......Page 346
SIMILAR VOLUMES
As many others have said, this book had a lot of errors, mostly in language and whatnot. It's seriously outdated now, and a new edition is needed (and appears to be on its way).
The incredibly low maintenance costs of Snort combined with its powerful security features make it one of the fastest growing IDSs within corporate IT departments. Complete with a free CD containing Snort 2.0 plus popular plug-ins including ACID, Barnyard, and Swatch, Snort 2.0 Intrusion Detection i