Snort Cookbook
Solutions and Examples for Snort Administrators
1st Edition
Published on 29. March 2005
288 pages
978-0-596-55270-1 (ISBN)
Description
If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the defacto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP network. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of SNORT.Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will us everyday, such as:installationoptimizationloggingalertingrules and signaturesdetecting virusescountermeasuresdetecting common attacksadministrationhoneypotslog analysisBut the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master be security gurus--and still have a life.
More details
Other editions
Additional editions
Angela Orebaugh, Simon Biles & Jacob Babbin
Snort Cookbook.
Book
05/2005
1st Edition
O'Reilly
€37.50
Shipment within 10-20 days
Content
- Intro
- Table of Contents
- Preface
- Audience
- Contents of This Book
- Conventions Used in This Book
- Using Code Examples
- Safari Books Online
- How to Contact Us
- Acknowledgments
- Angela Orebaugh
- Simon Biles
- Jake Babbin
- Installation and Optimization
- 1.0 Introduction
- 1.1 Installing Snort from Source on Unix
- Problem
- Solution
- Discussion
- See Also
- 1.2 Installing Snort Binaries on Linux
- Problem
- Solution
- Discussion
- See Also
- 1.3 Installing Snort on Solaris
- Problem
- Solution
- Discussion
- See Also
- 1.4 Installing Snort on Windows
- Problem
- Solution
- Discussion
- See Also
- 1.5 Uninstalling Snort from Windows
- Problem
- Solution
- Discussion
- See Also
- 1.6 Installing Snort on Mac OS X
- Problem
- Solution
- Discussion
- See Also
- 1.7 Uninstalling Snort from Linux
- Problem
- Solution
- Discussion
- See Also
- 1.8 Upgrading Snort on Linux
- Problem
- Solution
- Discussion
- See Also
- 1.9 Monitoring Multiple Network Interfaces
- Problem
- Solution
- Discussion
- See Also
- 1.10 Invisibly Tapping a Hub
- Problem
- Solution
- Discussion
- See Also
- 1.11 Invisibly Sniffing Between Two Network Points
- Problem
- Solution
- Discussion
- See Also
- 1.12 Invisibly Sniffing 100 MB Ethernet
- Problem
- Solution
- Discussion
- See Also
- 1.13 Sniffing Gigabit Ethernet
- Problem
- Solution
- Discussion
- See Also
- 1.14 Tapping a Wireless Network
- Problem
- Solution
- Discussion
- See Also
- 1.15 Positioning Your IDS Sensors
- Problem
- Solution
- Discussion
- Small business (or geek at home)
- Medium-sized business
- Larger organizations
- See Also
- 1.16 Capturing and Viewing Packets
- Problem
- Solution
- Discussion
- See Also
- 1.17 Logging Packets That Snort Captures
- Problem
- Solution
- Discussion
- See Also
- 1.18 Running Snort to Detect Intrusions
- Problem
- Solution
- Discussion
- See Also
- 1.19 Reading a Saved Capture File
- Problem
- Solution
- Discussion
- See Also
- 1.20 Running Snort as a Linux Daemon
- Problem
- Solution
- See Also
- 1.21 Running Snort as a Windows Service
- Problem
- Solution
- Discussion
- See Also
- 1.22 Capturing Without Putting the Interface into Promiscuous Mode
- Problem
- Solution
- Discussion
- See Also
- 1.23 Reloading Snort Settings
- Problem
- Solution
- Discussion
- See Also
- 1.24 Debugging Snort Rules
- Problem
- Solution
- Discussion
- See Also
- 1.25 Building a Distributed IDS (Plain Text)
- Problem
- Solution
- Discussion
- Client side
- Server side
- See Also
- 1.26 Building a Distributed IDS (Encrypted)
- Problem
- Solution
- Client side
- Encryption only
- Server side
- Discussion
- See Also
- Logging, Alerts, and Output Plug-ins
- 2.0 Introduction
- 2.1 Logging to a File Quickly
- Problem
- Solution
- Discussion
- See Also
- 2.2 Logging Only Alerts
- Problem
- Solution
- Discussion
- See Also
- 2.3 Logging to a CSV File
- Problem
- Solution
- Discussion
- See Also
- 2.4 Logging to a Specific File
- Problem
- Solution
- Discussion
- See Also
- 2.5 Logging to Multiple Locations
- Problem
- Solution
- Discussion
- See Also
- 2.6 Logging in Binary
- Problem
- Solution
- Discussion
- See Also
- 2.7 Viewing Traffic While Logging
- Problem
- Solution
- Discussion
- See Also
- 2.8 Logging Application Data
- Problem
- Solution
- Discussion
- See Also
- 2.9 Logging to the Windows Event Viewer
- Problem
- Solution
- Discussion
- See Also
- 2.10 Logging Alerts to a Database
- Problem
- Solution
- Discussion
- See Also
- 2.11 Installing and Configuring MySQL
- Problem
- Solution
- Discussion
- See Also
- 2.12 Configuring MySQL for Snort
- Problem
- Solution
- Discussion
- See Also
- 2.13 Using PostgreSQL with Snort and ACID
- Problem
- Solution
- Discussion
- See Also
- 2.14 Logging in PCAP Format (TCPDump)
- Problem
- Solution
- Discussion
- See Also
- 2.15 Logging to Email
- Problem
- Solution
- Discussion
- See Also
- 2.16 Logging to a Pager or Cell Phone
- Problem
- Solution
- Discussion
- See Also
- 2.17 Optimizing Logging
- Problem
- Solution
- Discussion
- See Also
- 2.18 Reading Unified Logged Data
- Problem
- Solution
- Discussion
- See Also
- 2.19 Generating Real-Time Alerts
- Problem
- Solution
- Discussion
- See Also
- 2.20 Ignoring Some Alerts
- Problem
- Solution
- Discussion
- See Also
- 2.21 Logging to System Logfiles
- Problem
- Solution
- Discussion
- See Also
- 2.22 Fast Logging
- Problem
- Solution
- Discussion
- See Also
- 2.23 Logging to a Unix Socket
- Problem
- Solution
- Discussion
- See Also
- 2.24 Not Logging
- Problem
- Solution
- Discussion
- See Also
- 2.25 Prioritizing Alerts
- Problem
- Solution
- Discussion
- See Also
- 2.26 Capturing Traffic from a Specific TCP Session
- Problem
- Solution
- Discussion
- See Also
- 2.27 Killing a Specific Session
- Problem
- Solution
- Discussion
- See Also
- Rules and Signatures
- 3.0 Introduction
- 3.1 How to Build Rules
- Problem
- Solution
- Protocol rules
- Port rules
- Application rules
- Discussion
- See Also
- 3.2 Keeping the Rules Up to Date
- Problem
- Solution
- Discussion
- See Also
- 3.3 Basic Rules You Shouldn't Leave Home Without
- Problem
- Solution
- Discussion
- See also
- 3.4 Dynamic Rules
- Problem
- Solution
- Discussion
- See Also
- 3.5 Detecting Binary Content
- Problem
- Solution
- Discussion
- See Also
- 3.6 Detecting Malware
- Problem
- Solution
- Discussion
- See Also
- 3.7 Detecting Viruses
- Problem
- Solution
- Discussion
- See Also
- 3.8 Detecting IM
- Problem
- Solution
- AOL IM
- Yahoo! IM (YIM)
- MSN IM
- Discussion
- See Also
- 3.9 Detecting P2P
- Problem
- Solution
- Kazaa
- BitTorrent
- Gnutella
- Discussion
- See Also
- 3.10 Detecting IDS Evasion
- Problem
- Solution
- Discussion
- Stream4
- Frag2
- Arpspoof
- Http_inspect
- See Also
- 3.11 Countermeasures from Rules
- Problem
- Solution
- Discussion
- See Also
- 3.12 Testing Rules
- Problem
- Solution
- Discussion
- See Also
- 3.13 Optimizing Rules
- Problem
- Solution
- Discussion
- See Also
- 3.14 Blocking Attacks in Real Time
- Problem
- Solution
- Discussion
- See Also
- 3.15 Suppressing Rules
- Problem
- Solution
- Discussion
- See Also
- 3.16 Thresholding Alerts
- Problem
- Solution
- Discussion
- See Also
- 3.17 Excluding from Logging
- Problem
- Solution
- Discussion
- See Also
- 3.18 Carrying Out Statistical Analysis
- Problem
- Solution
- Discussion
- closed-dport
- dead-dest
- odd-dport
- odd-port-dest
- odd-typecode
- See Also
- Preprocessing: An Introduction
- 4.0 Introduction
- 4.1 Detecting Stateless Attacks and Stream Reassembly
- Problem
- Solution
- Stream4
- Stream4_reassemble
- Discussion
- stream4_reassemble
- See Also
- 4.2 Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
- Problem
- Solution
- Discussion
- See Also
- 4.3 Detecting and Normalizing HTTP Traffic
- Problem
- Solution
- Global examples
- Server examples
- Discussion
- See Also
- 4.4 Decoding Application Traffic
- Problem
- Solution
- Discussion
- See Also
- 4.5 Detecting Port Scans and Talkative Hosts
- Problem
- Solution
- Portscan
- Portscan2
- Flow-portscan
- Discussion
- See Also
- 4.6 Getting Performance Metrics
- Problem
- Solution
- Discussion
- See Also
- 4.7 Experimental Preprocessors
- Problem
- Solution
- Discussion
- See Also
- 4.8 Writing Your Own Preprocessor
- Problem
- Solution
- Discussion
- See Also
- Administrative Tools
- 5.0 Introduction
- 5.1 Managing Snort Sensors
- Problem
- Solution
- Discussion
- See Also
- 5.2 Installing and Configuring IDScenter
- Problem
- Solution
- Discussion
- See Also
- 5.3 Installing and Configuring SnortCenter
- Problem
- Solution
- Discussion
- See Also
- 5.4 Installing and Configuring Snortsnarf
- Problem
- Solution
- Discussion
- See Also
- 5.5 Running Snortsnarf Automatically
- Problem
- Solution
- Discussion
- See Also
- 5.6 Installing and Configuring ACID
- Problem
- Solution
- Discussion
- See Also
- 5.7 Securing ACID
- Problem
- Solution
- Discussion
- See Also
- 5.8 Installing and Configuring Swatch
- Problem
- Solution
- Discussion
- See Also
- 5.9 Installing and Configuring Barnyard
- Problem
- Solution
- Discussion
- See Also
- 5.10 Administering Snort with IDS Policy Manager
- Problem
- Solution
- Discussion
- See Also
- 5.11 Integrating Snort with Webmin
- Problem
- Solution
- Discussion
- See Also
- 5.12 Administering Snort with HenWen
- Problem
- Solution
- Discussion
- See Also
- 5.13 Newbies Playing with Snort Using EagleX
- Problem
- Solution
- Discussion
- See Also
- Log Analysis
- 6.0 Introduction
- 6.1 Generating Statistical Output from Snort Logs
- Problem
- Solution
- Discussion
- See Also
- 6.2 Generating Statistical Output from Snort Databases
- Problem
- Solution
- Discussion
- See Also
- 6.3 Performing Real-Time Data Analysis
- Problem
- Solution
- Discussion
- See Also
- 6.4 Generating Text-Based Log Analysis
- Problem
- Solution
- Discussion
- See Also
- 6.5 Creating HTML Log Analysis Output
- Problem
- Solution
- Discussion
- See Also
- 6.6 Tools for Testing Signatures
- Problem
- Solution
- Discussion
- See Also
- 6.7 Analyzing and Graphing Logs
- Problem
- Solution
- Discussion
- See Also
- 6.8 Analyzing Sniffed (Pcap) Traffic
- Problem
- Solution
- Discussion
- See Also
- 6.9 Writing Output Plug-ins
- Problem
- Solution
- Discussion
- See Also
- Miscellaneous Other Uses
- 7.0 Introduction
- 7.1 Monitoring Network Performance
- Problem
- Solution
- Discussion
- See Also
- 7.2 Logging Application Traffic
- Problem
- Solution
- Description
- See Also
- 7.3 Recognizing HTTP Traffic on Unusual Ports
- Problem
- Solution
- Description
- See Also
- 7.4 Creating a Reactive IDS
- Problem
- Solution
- Discussion
- See Also
- 7.5 Monitoring a Network Using Policy-Based IDS
- Problem
- Solution
- Discussion
- See Also
- 7.6 Port Knocking
- Problem
- Solution
- Discussion
- See Also
- 7.7 Obfuscating IP Addresses
- Problem
- Solution
- Discussion
- See Also
- 7.8 Passive OS Fingerprinting
- Problem
- Solution
- snortfp
- p0f
- Sourcefire RNA
- Discussion
- snortfp
- p0f
- See Also
- 7.9 Working with Honeypots and Honeynets
- Problem
- Solution
- Discussion
- See Also
- 7.10 Performing Forensics Using Snort
- Problem
- Solution
- Discussion
- See Also
- 7.11 Snort and Investigations
- Problem
- Solution
- Discussion
- See Also
- 7.12 Snort as Legal Evidence in the U.S.
- Problem
- Solution
- Discussion
- See Also
- 7.13 Snort as Evidence in the U.K.
- Problem
- Solution
- Discussion
- See Also
- 7.14 Snort as a Virus Detection Tool
- Problem
- Solution
- Discussion
- See Also
- 7.15 Staying Legal
- Problem
- Solution
- Discussion
- See Also
- Index
