Copyright
Preface
    Audience
    About This Book
    Assumptions This Book Makes
    Chapter Synopsis
    Conventions Used in This Book
    Comments and Questions
    Acknowledgments
Chapter 1. Introduction
    Section 1.1. Disappearing Perimeters
    Section 1.2. Defense-in-Depth
    Section 1.3. Detecting Intrusions (a Hierarchy of Approaches)
    Section 1.4. What Is NIDS (and What Is an Intrusion)?
    Section 1.5. The Challenges of Network Intrusion Detection
    Section 1.6. Why Snort as an NIDS?
    Section 1.7. Sites of Interest
Chapter 2. Network Traffic Analysis
    Section 2.1. The TCP/IP Suite of Protocols
    Section 2.2. Dissecting a Network Packet
    Section 2.3. Packet Sniffing
    Section 2.4. Installing tcpdump
    Section 2.5. tcpdump Basics
    Section 2.6. Examining tcpdump Output
    Section 2.7. Running tcpdump
    Section 2.8. ethereal
    Section 2.9. Sites of Interest
Chapter 3. Installing Snort
    Section 3.1. About Snort
    Section 3.2. Installing Snort
    Section 3.3. Command-Line Options
    Section 3.4. Modes of Operation
Chapter 4. Know Your Enemy
    Section 4.1. The Bad Guys
    Section 4.2. Anatomy of an Attack: The Five Ps
    Section 4.3. Denial-of-Service
    Section 4.4. IDS Evasion
    Section 4.5. Sites of Interest
Chapter 5. The snort.conf File
    Section 5.1. Network and Configuration Variables
    Section 5.2. Snort Decoder and Detection Engine Configuration
    Section 5.3. Preprocessor Configurations
    Section 5.4. Output Configurations
    Section 5.5. File Inclusions
Chapter 6. Deploying Snort
    Section 6.1. Deploy NIDS with Your Eyes Open
    Section 6.2. Initial Configuration
    Section 6.3. Sensor Placement
    Section 6.4. Securing the Sensor Itself
    Section 6.5. Using Snort More Effectively
    Section 6.6. Sites of Interest
Chapter 7. Creating and Managing Snort Rules
    Section 7.1. Downloading the Rules
    Section 7.2. The Rule Sets
    Section 7.3. Creating Your Own Rules
    Section 7.4. Rule Execution
    Section 7.5. Keeping Things Up-to-Date
    Section 7.6. Sites of Interest
Chapter 8. Intrusion Prevention
    Section 8.1. Intrusion Prevention Strategies
    Section 8.2. IPS Deployment Risks
    Section 8.3. Flexible Response with Snort
    Section 8.4. The Snort Inline Patch
    Section 8.5. Controlling Your Border
    Section 8.6. Sites of Interest
Chapter 9. Tuning and Thresholding
    Section 9.1. False Positives (False Alarms)
    Section 9.2. False Negatives (Missed Alerts)
    Section 9.3. Initial Configuration and Tuning
    Section 9.4. Pass Rules
    Section 9.5. Thresholding and Suppression
Chapter 10. Using ACID as a Snort IDS Management Console
    Section 10.1. Software Installation and Configuration
    Section 10.2. ACID Console Installation
    Section 10.3. Accessing the ACID Console
    Section 10.4. Analyzing the Captured Data
    Section 10.5. Sites of Interest
Chapter 11. Using SnortCenter as a Snort IDS Management Console
    Section 11.1. SnortCenter Console Installation
    Section 11.2. SnortCenter Agent Installation
    Section 11.3. SnortCenter Management Console
    Section 11.4. Logging In and Surveying the Layout
    Section 11.5. Adding Sensors to the Console
    Section 11.6. Managing Tasks
Chapter 12. Additional Tools for Snort IDS Management
    Section 12.1. Open Source Solutions
    Section 12.2. Commercial Solutions
Chapter 13. Strategies for High-Bandwidth Implementations of Snort
    Section 13.1. Barnyard (and Sguil)
    Section 13.2. Commercial IDS Load Balancers
    Section 13.3. The IDS Distribution System (I(DS)2)
Appendix A. Snort and ACID Database Schema
    Section A.1. acid_ag
Appendix B. The Default snort.conf File
Appendix C. Resources
    Section C.1. From Chapter 1: Introduction
    Section C.2. From Chapter 2: Network Traffic Analysis
    Section C.3. From Chapter 4: Know Your Enemy
    Section C.4. From Chapter 6: Deploying Snort
    Section C.5. From Chapter 7: Creating and Managing Snort Rules
    Section C.6. From Chapter 8: Intrusion Prevention
    Section C.7. From Chapter 10: Using ACID as a Snort IDS Management Console
    Section C.8. From Chapter 12: Additional Tools for Snort IDS Management
    Section C.9. From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
Colophon
Index