Snort 2.0 Intrusion Detection

Snort 2.0 Intrusion Detection (Paperback, CD-ROM)

Jay Beale, Brian Caswell (authors)
Syngress Media Inc
65,000 won

Book information

· Title: Snort 2.0 Intrusion Detection (Paperback, CD-ROM)
· Category: Foreign books > Computers > Security > General
· ISBN: 9781931836746
· Pages: 550
· Publication date: 2003-03-30

Table of contents

Foreword

Chapter 1 Intrusion Detection Systems

Introduction

What Is Intrusion Detection

Network IDS

Host-Based IDS

Distributed IDS

A Trilogy of Vulnerabilities

Directory Traversal Vulnerability

CodeRed Worm

Nimda Worm

What Is an Intrusion

Using Snort to Catch Intrusions

Why Are Intrusion Detection Systems Important

Why Are Attackers Interested in Me

Where Does an IDS Fit with the Rest of My Security Plan

Doesn’t My Firewall Serve as an IDS

Where Else Should I Be Looking for Intrusions

What Else Can Be Done with Intrusion Detection

Monitoring Database Access

Monitoring DNS Functions

E-Mail Server Protection

Using an IDS to Monitor My Company Policy

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 2 Introducing Snort 2.0

Introduction

What Is Snort

Snort System Requirements

Hardware

Exploring Snort’s Features

Packet Sniffer

Preprocessor

Detection Engine

Alerting/Logging Component

Using Snort on Your Network

Snort’s Uses

Snort and Your Network Architecture

Pitfalls When Running Snort

Security Considerations with Snort

Snort Is Susceptible to Attacks

Securing Your Snort System

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 3 Installing Snort

Introduction

A Brief Word about Linux Distributions

Debian

Slackware

Gentoo

Installing PCAP

Installing libpcap from Source

Installing libpcap from RPM

Installing Snort

Installing Snort from Source

Customizing Your Installation: Editing the snort.conf File

Installing Snort from RPM

Installation on the Microsoft Windows Platform

Installing Bleeding-Edge Versions of Snort

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 4 Snort: The Inner Workings

Introduction

Snort Components

Capturing Network Traffic

Packet Sniffing

Decoding Packets

Storage of Packets

Processing Packets 101

Preprocessors

Understanding Rule Parsing and Detection Engines

Rules Builder

Detection Plug-Ins

Output and Logs

Snort as a Quick Sniffer

Intrusion Detection Mode

Snort for Honeypot Capture and Analysis

Logging to Databases

Alerting Using SNMP

Barnyard and Unified Output

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 5 Playing by the Rules

Introduction

Understanding Configuration Files

Defining and Using Variables

Including Rule Files

The Rule Header

Rule Action Options

Supported Protocols

Assigning Source and Destination IP Addresses to Rules

Assigning Source and Destination Ports

Understanding Direction Operators

Activate and Dynamic Rule Characteristics

The Rule Body

Rule Content

Components of a Good Rule

Action Events

Ensuring Proper Content

Merging Subnet Masks

Testing Your Rules

Stress Tests

Individual Snort Rule Tests

Berkeley Packet Filter Tests

Tuning Your Rules

Configuring Rule Variables

Disabling Rules

Berkeley Packet Filters

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 6 Preprocessors

Introduction

What Is a Preprocessor

Preprocessor Options for Reassembling Packets

The stream4 Preprocessor

frag2: Fragment Reassembly and Attack Detection

Preprocessor Options for Decoding and Normalizing Protocols

Telnet Negotiation

HTTP Normalization

rpc_decode

Preprocessor Options for Nonrule or Anomaly-Based Detection

portscan

Back Orifice

General Nonrule-Based Detection

Experimental Preprocessors

arpspoof

asn1_decode

fnord

portscan2 and conversation

perfmonitor

Writing Your Own Preprocessor

Reassembling Packets

Decoding Protocols

Nonrule or Anomaly-Based Detection

Setting Up My Preprocessor

What Am I Given by Snort

Adding the Preprocessor into Snort

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 7 Implementing Snort Output Plug-Ins

Introduction

What Is an Output Plug-In

Key Components of an Output Plug-In

Exploring Output Plug-In Options

Default Logging

Syslog

PCAP Logging

Snortdb

Unified Logs

Writing Your Own Output Plug-In

Why Should I Write an Output Plug-In

Setting Up My Output Plug-In

Dealing with Snort Output

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 8 Exploring the Data Analysis Tools

Introduction

Using Swatch

Performing a Swatch Installation

Configuring Swatch

Using Swatch

Using ACID

Installing ACID

Configuring ACID

Using ACID

Using SnortSnarf

Installing SnortSnarf

Configuring Snort to Work with SnortSnarf

Basic Usage of SnortSnarf

Using IDScenter

Installing IDScenter

Configuring IDScenter

Basic Usage of IDScenter

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 9 Keeping Everything Up to Date

Introduction

Applying Patches

Updating Rules

How Are the Rules Maintained

How Do I Get Updates to the Rules

How Do I Merge These Changes

Testing Rule Updates

Testing the New Rules

Watching for Updates

Mailing Lists and News Services to Watch

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 10 Optimizing Snort

Introduction

How Do I Choose What Hardware to Use

What Constitutes “Good” Hardware

How Do I Test My Hardware

How Do I Choose What Operating System to Use

What Makes a “Good” OS for a NIDS

What OS Should I Use

How Do I Test My OS Choice

Speeding Up Your Snort Installation

Deciding Which Rules to Enable

Configuring Preprocessors for Speed

Using Generic Variables

Choosing an Output Plug-In

Benchmarking Your Deployment

Benchmark Characteristics

What Options Are Available for Benchmarking

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 11 Mucking Around with Barnyard

Introduction

What Is Barnyard

Preparation and Installation of Barnyard

How Does Barnyard Work

Using the Barnyard Configuration File

Barnyard Innards

Create and Display a Binary Log Output File

What Are the Output Options for Barnyard

But I Want My Output Like “This”

An Example Output Plug-In

Summary

Solutions Fast Track

Frequently Asked Questions

Chapter 12 Advanced Snort

Introduction

Policy-Based IDS

Defining a Network Policy for the IDS

An Example of Policy-Based IDS

Policy-Based IDS in Production

Inline IDS

Where Did the Inline IDS for Snort Come From

Installation of Snort in Inline Mode

Using Inline IDS to Protect Your Network

Summary

Solutions Fast Track

Frequently Asked Questions

Index


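About the authors

Jay Beale (author)
A security specialist who focuses on host lockdown and security audits. He is the lead developer of Bastille, a project that creates system hardening scripts for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and a core participant in the Center for Internet Security. He currently works as a security consultant and trainer at JJBSec, LLC.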
Brian Caswell (author)
Book database provided by: Aladin (www.aladin.co.kr)