Snort Cookbook

By Jacob Babbin, Simon Biles, Angela D. Orebaugh
Publisher: O'Reilly
Pub Date: March 2005
ISBN: 0-596-00791-4
Pages: 288

Overview
If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort. Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sysadmins and security pros will use every day, such as:

   installation
   optimization
   logging
   alerting
   rules and signatures
   detecting viruses
   countermeasures
   detecting common attacks
   administration
   honeypots
   log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus--and still have a life.


   Copyright
   Preface
      Audience
      Contents of This Book
      Conventions Used in This Book
      Using Code Examples
      Safari Enabled
      How to Contact Us
      Acknowledgments
    Chapter 1.  Installation and Optimization
      Introduction
      Recipe 1.1.  Installing Snort from Source on Unix
      Recipe 1.2.  Installing Snort Binaries on Linux
      Recipe 1.3.  Installing Snort on Solaris
      Recipe 1.4.  Installing Snort on Windows
      Recipe 1.5.  Uninstalling Snort from Windows
      Recipe 1.6.  Installing Snort on Mac OS X
      Recipe 1.7.  Uninstalling Snort from Linux
      Recipe 1.8.  Upgrading Snort on Linux
      Recipe 1.9.  Monitoring Multiple Network Interfaces
      Recipe 1.10.  Invisibly Tapping a Hub
      Recipe 1.11.  Invisibly Sniffing Between Two Network Points
      Recipe 1.12.  Invisibly Sniffing 100 MB Ethernet
      Recipe 1.13.  Sniffing Gigabit Ethernet
      Recipe 1.14.  Tapping a Wireless Network
      Recipe 1.15.  Positioning Your IDS Sensors
      Recipe 1.16.  Capturing and Viewing Packets
      Recipe 1.17.  Logging Packets That Snort Captures
      Recipe 1.18.  Running Snort to Detect Intrusions
      Recipe 1.19.  Reading a Saved Capture File
      Recipe 1.20.  Running Snort as a Linux Daemon
      Recipe 1.21.  Running Snort as a Windows Service
      Recipe 1.22.  Capturing Without Putting the Interface into Promiscuous Mode
      Recipe 1.23.  Reloading Snort Settings
      Recipe 1.24.  Debugging Snort Rules
      Recipe 1.25.  Building a Distributed IDS (Plain Text)
      Recipe 1.26.  Building a Distributed IDS (Encrypted)
    Chapter 2.  Logging, Alerts, and Output Plug-ins
      Introduction
      Recipe 2.1.  Logging to a File Quickly
      Recipe 2.2.  Logging Only Alerts
      Recipe 2.3.  Logging to a CSV File
      Recipe 2.4.  Logging to a Specific File
      Recipe 2.5.  Logging to Multiple Locations
      Recipe 2.6.  Logging in Binary
      Recipe 2.7.  Viewing Traffic While Logging
      Recipe 2.8.  Logging Application Data
      Recipe 2.9.  Logging to the Windows Event Viewer
      Recipe 2.10.  Logging Alerts to a Database
      Recipe 2.11.  Installing and Configuring MySQL
      Recipe 2.12.  Configuring MySQL for Snort
      Recipe 2.13.  Using PostgreSQL with Snort and ACID
      Recipe 2.14.  Logging in PCAP Format (TCPDump)
      Recipe 2.15.  Logging to Email
      Recipe 2.16.  Logging to a Pager or Cell Phone
      Recipe 2.17.  Optimizing Logging
      Recipe 2.18.  Reading Unified Logged Data
      Recipe 2.19.  Generating Real-Time Alerts
      Recipe 2.20.  Ignoring Some Alerts
      Recipe 2.21.  Logging to System Logfiles
      Recipe 2.22.  Fast Logging
      Recipe 2.23.  Logging to a Unix Socket
      Recipe 2.24.  Not Logging
      Recipe 2.25.  Prioritizing Alerts
      Recipe 2.26.  Capturing Traffic from a Specific TCP Session
      Recipe 2.27.  Killing a Specific Session
    Chapter 3.  Rules and Signatures
      Introduction
      Recipe 3.1.  How to Build Rules
      Recipe 3.2.  Keeping the Rules Up to Date
      Recipe 3.3.  Basic Rules You Shouldn't Leave Home Without
      Recipe 3.4.  Dynamic Rules
      Recipe 3.5.  Detecting Binary Content
      Recipe 3.6.  Detecting Malware
      Recipe 3.7.  Detecting Viruses
      Recipe 3.8.  Detecting IM
      Recipe 3.9.  Detecting P2P
      Recipe 3.10.  Detecting IDS Evasion
      Recipe 3.11.  Countermeasures from Rules
      Recipe 3.12.  Testing Rules
      Recipe 3.13.  Optimizing Rules
      Recipe 3.14.  Blocking Attacks in Real Time
      Recipe 3.15.  Suppressing Rules
      Recipe 3.16.  Thresholding Alerts
      Recipe 3.17.  Excluding from Logging
      Recipe 3.18.  Carrying Out Statistical Analysis
    Chapter 4.  Preprocessing: An Introduction
      Introduction
      Recipe 4.1.  Detecting Stateless Attacks and Stream Reassembly
      Recipe 4.2.  Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
      Recipe 4.3.  Detecting and Normalizing HTTP Traffic
      Recipe 4.4.  Decoding Application Traffic
      Recipe 4.5.  Detecting Port Scans and Talkative Hosts
      Recipe 4.6.  Getting Performance Metrics
      Recipe 4.7.  Experimental Preprocessors
      Recipe 4.8.  Writing Your Own Preprocessor
    Chapter 5.  Administrative Tools
      Introduction
      Recipe 5.1.  Managing Snort Sensors
      Recipe 5.2.  Installing and Configuring IDScenter
      Recipe 5.3.  Installing and Configuring SnortCenter
      Recipe 5.4.  Installing and Configuring Snortsnarf
      Recipe 5.5.  Running Snortsnarf Automatically
      Recipe 5.6.  Installing and Configuring ACID
      Recipe 5.7.  Securing ACID
      Recipe 5.8.  Installing and Configuring Swatch
      Recipe 5.9.  Installing and Configuring Barnyard
      Recipe 5.10.  Administering Snort with IDS Policy Manager
      Recipe 5.11.  Integrating Snort with Webmin
      Recipe 5.12.  Administering Snort with HenWen
      Recipe 5.13.  Newbies Playing with Snort Using EagleX
    Chapter 6.  Log Analysis
      Introduction
      Recipe 6.1.  Generating Statistical Output from Snort Logs
      Recipe 6.2.  Generating Statistical Output from Snort Databases
      Recipe 6.3.  Performing Real-Time Data Analysis
      Recipe 6.4.  Generating Text-Based Log Analysis
      Recipe 6.5.  Creating HTML Log Analysis Output
      Recipe 6.6.  Tools for Testing Signatures
      Recipe 6.7.  Analyzing and Graphing Logs
      Recipe 6.8.  Analyzing Sniffed (Pcap) Traffic
      Recipe 6.9.  Writing Output Plug-ins
    Chapter 7.  Miscellaneous Other Uses
      Introduction
      Recipe 7.1.  Monitoring Network Performance
      Recipe 7.2.  Logging Application Traffic
      Recipe 7.3.  Recognizing HTTP Traffic on Unusual Ports
      Recipe 7.4.  Creating a Reactive IDS
      Recipe 7.5.  Monitoring a Network Using Policy-Based IDS
      Recipe 7.6.  Port Knocking
      Recipe 7.7.  Obfuscating IP Addresses
      Recipe 7.8.  Passive OS Fingerprinting
      Recipe 7.9.  Working with Honeypots and Honeynets
      Recipe 7.10.  Performing Forensics Using Snort
      Recipe 7.11.  Snort and Investigations
      Recipe 7.12.  Snort as Legal Evidence in the U.S.
      Recipe 7.13.  Snort as Evidence in the U.K.
      Recipe 7.14.  Snort as a Virus Detection Tool
      Recipe 7.15.  Staying Legal
   Colophon
   Index