Snort Cookbook

ISBN: 0596007914
EAN: 2147483647

Year: 2006
Pages: 167

Authors: Angela Orebaugh, Simon Biles, Jacob Babbin

BUY ON AMAZON

Installing Snort from Source on Unix

• Installing Snort from Source on Unix
• Installing Snort Binaries on Linux
• Installing Snort on Solaris
• Installing Snort on Windows
• Uninstalling Snort from Windows
• Installing Snort on Mac OS X
• Uninstalling Snort from Linux
• Upgrading Snort on Linux
• Monitoring Multiple Network Interfaces
• Invisibly Tapping a Hub
• Invisibly Sniffing Between Two Network Points
• Invisibly Sniffing 100 MB Ethernet
• Sniffing Gigabit Ethernet
• Tapping a Wireless Network
• Positioning Your IDS Sensors
• Capturing and Viewing Packets
• Logging Packets That Snort Captures
• Running Snort to Detect Intrusions
• Reading a Saved Capture File
• Running Snort as a Linux Daemon
• Running Snort as a Windows Service
• Capturing Without Putting the Interface into Promiscuous Mode
• Reloading Snort Settings
• Debugging Snort Rules
• Building a Distributed IDS (Plain Text)
• Building a Distributed IDS (Encrypted)

Logging to a File Quickly

• Logging to a File Quickly
• Logging Only Alerts
• Logging to a CSV File
• Logging to a Specific File
• Logging to Multiple Locations
• Logging in Binary
• Viewing Traffic While Logging
• Logging Application Data
• Logging to the Windows Event Viewer
• Logging Alerts to a Database
• Installing and Configuring MySQL
• Configuring MySQL for Snort
• Using PostgreSQL with Snort and ACID
• Logging in PCAP Format (TCPDump)
• Logging to Email
• Logging to a Pager or Cell Phone
• Optimizing Logging
• Reading Unified Logged Data
• Generating Real-Time Alerts
• Ignoring Some Alerts
• Logging to System Logfiles
• Fast Logging
• Logging to a Unix Socket
• Not Logging
• Prioritizing Alerts
• Capturing Traffic from a Specific TCP Session
• Killing a Specific Session

How to Build Rules

• How to Build Rules
• Keeping the Rules Up to Date
• Basic Rules You Shouldnt Leave Home Without
• Dynamic Rules
• Detecting Binary Content
• Detecting Malware
• Detecting Viruses
• Detecting IM
• Detecting P2P
• Detecting IDS Evasion
• Countermeasures from Rules
• Testing Rules
• Optimizing Rules
• Blocking Attacks in Real Time
• Suppressing Rules
• Thresholding Alerts
• Excluding from Logging
• Carrying Out Statistical Analysis

Detecting Stateless Attacks and Stream Reassembly

• Detecting Stateless Attacks and Stream Reassembly
• Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
• Detecting and Normalizing HTTP Traffic
• Decoding Application Traffic
• Detecting Port Scans and Talkative Hosts
• Getting Performance Metrics
• Experimental Preprocessors
• Writing Your Own Preprocessor

Managing Snort Sensors

• Managing Snort Sensors
• Installing and Configuring IDScenter
• Installing and Configuring SnortCenter
• Installing and Configuring Snortsnarf
• Running Snortsnarf Automatically
• Installing and Configuring ACID
• Securing ACID
• Installing and Configuring Swatch
• Installing and Configuring Barnyard
• Administering Snort with IDS Policy Manager
• Integrating Snort with Webmin
• Administering Snort with HenWen
• Newbies Playing with Snort Using EagleX

Generating Statistical Output from Snort Logs

• Generating Statistical Output from Snort Logs
• Generating Statistical Output from Snort Databases
• Performing Real-Time Data Analysis
• Generating Text-Based Log Analysis
• Creating HTML Log Analysis Output
• Tools for Testing Signatures
• Analyzing and Graphing Logs
• Analyzing Sniffed (Pcap) Traffic
• Writing Output Plug-ins

Monitoring Network Performance

• Monitoring Network Performance
• Logging Application Traffic
• Recognizing HTTP Traffic on Unusual Ports
• Creating a Reactive IDS
• Monitoring a Network Using Policy-Based IDS
• Port Knocking
• Obfuscating IP Addresses
• Passive OS Fingerprinting
• Working with Honeypots and Honeynets
• Performing Forensics Using Snort
• Snort and Investigations
• Snort as Legal Evidence in the U.S.
• Snort as Evidence in the U.K.
• Snort as a Virus Detection Tool
• Staying Legal

Index