Snort Intrusion Detection 2.0 / Edition 2

by Syngress, James C. Foster, Ryan Russell, Jay Beale

ISBN-10: 1931836744

ISBN-13: 9781931836746

Pub. Date: 04/13/2003

Publisher: Elsevier Science

The incredibly low maintenance cost of Snort, combined with its powerful security features, makes it one of the fastest growing IDSs within corporate IT departments.

Snort 2.0 Intrusion Detection is written by a member of the Snort development team. The book provides valuable insight into the code base of Snort and in-depth tutorials of complex installation, configuration, and troubleshooting scenarios.

The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.

  • The most up-to-date and comprehensive coverage for Snort 2.0!
  • Expert Advice from the Development Team and Step-by-Step Instructions for Installing, Configuring, and Troubleshooting the Snort 2.0 Intrusion Detection System.

Product Details

Publisher: Elsevier Science
Publication date: 04/13/2003
Edition description: Book & CD-ROM
Product dimensions: 7.45(w) x 9.23(h) x 1.28(d)

Table of Contents

Chapter 1 Intrusion Detection Systems

What Is Intrusion Detection?

Network IDS

Host-Based IDS

Distributed IDS

A Trilogy of Vulnerabilities

Directory Traversal Vulnerability

CodeRed Worm

Nimda Worm

What Is an Intrusion?

Using Snort to Catch Intrusions

Why Are Intrusion Detection Systems Important?

Why Are Attackers Interested in Me?

Where Does an IDS Fit with the Rest of My Security Plan?

Doesn’t My Firewall Serve as an IDS?

Where Else Should I Be Looking for Intrusions?

What Else Can Be Done with Intrusion Detection?

Monitoring Database Access

Monitoring DNS Functions

E-Mail Server Protection

Using an IDS to Monitor My Company Policy

Chapter 2 Introducing Snort 2.0

What Is Snort?

Snort System Requirements


Exploring Snort’s Features

Packet Sniffer


Detection Engine

Alerting/Logging Component

Using Snort on Your Network

Snort’s Uses

Snort and Your Network Architecture

Pitfalls When Running Snort

Security Considerations with Snort

Snort Is Susceptible to Attacks

Securing Your Snort System

Chapter 3 Installing Snort

A Brief Word about Linux Distributions




Installing PCAP

Installing libpcap from Source

Installing libpcap from RPM

Installing Snort

Installing Snort from Source

Customizing Your Installation: Editing the snort.conf File

Installing Snort from RPM

Installation on the Microsoft Windows Platform

Installing Bleeding-Edge Versions of Snort

Chapter 4 Snort: The Inner Workings

Snort Components

Capturing Network Traffic

Packet Sniffing

Decoding Packets

Storage of Packets

Processing Packets 101


Understanding Rule Parsing and Detection Engines

Rules Builder

Detection Plug-Ins

Output and Logs

Snort as a Quick Sniffer

Intrusion Detection Mode

Snort for Honeypot Capture and Analysis

Logging to Databases

Alerting Using SNMP

Barnyard and Unified Output

Chapter 5 Playing by the Rules

Understanding Configuration Files

Defining and Using Variables

Including Rule Files

The Rule Header

Rule Action Options

Supported Protocols

Assigning Source and Destination IP Addresses to Rules

Assigning Source and Destination Ports

Understanding Direction Operators

Activate and Dynamic Rule Characteristics

The Rule Body

Rule Content

ASCII Content

Including Binary Content

The depth Option

The offset Option

The nocase Option

The session Option

Uniform Resource Identifier Content

The stateless Option

Regular Expressions

Flow Control

IP Options

Fragmentation Bits

Equivalent Source and Destination IP Option

IP Protocol Options

ID Option

Type of Service Option

Time-To-Live Option

TCP Options

Sequence Number Options

TCP Flags Option

TCP ACK Option

ICMP Options



The icode Option

The itype Option

Rule Identifier Options

Snort ID Options

Rule Revision Number

Severity Identifier Option

Classification Identifier Option

External References

Miscellaneous Rule Options






Real-Time Countermeasures

Components of a Good Rule

Action Events

Ensuring Proper Content

Merging Subnet Masks

Testing Your Rules

Stress Tests

Individual Snort Rule Tests

Berkeley Packet Filter Tests

Tuning Your Rules

Configuring Rule Variables

Disabling Rules

Berkeley Packet Filters

Chapter 6 Preprocessors

What Is a Preprocessor?

Preprocessor Options for Reassembling Packets

The stream4 Preprocessor

frag2—Fragment Reassembly and Attack Detection

Preprocessor Options for Decoding and Normalizing Protocols

Telnet Negotiation

HTTP Normalization


Preprocessor Options for Nonrule or Anomaly-Based Detection


Back Orifice

Configuring the Back Orifice Preprocessor

General Nonrule-Based Detection

Experimental Preprocessors




portscan2 and conversation


Writing Your Own Preprocessor

Reassembling Packets

Decoding Protocols

Nonrule or Anomaly-Based Detection

Setting Up My Preprocessor

What Am I Given by Snort?

Adding the Preprocessor into Snort

Chapter 7 Implementing Snort Output Plug-Ins

What Is an Output Plug-In?

Key Components of an Output Plug-In

Exploring Output Plug-In Options

Default Logging


PCAP Logging


Unified Logs

Writing Your Own Output Plug-In

Why Should I Write an Output Plug-In?

Setting Up My Output Plug-In

Dealing with Snort Output

Chapter 8 Exploring the Data Analysis Tools

Using Swatch

Performing a Swatch Installation

Configuring Swatch

Using Swatch

Using ACID

Installing ACID

Configuring ACID

Using ACID

Using SnortSnarf

Installing SnortSnarf

Configuring Snort to Work with SnortSnarf

Basic Usage of SnortSnarf

Using IDScenter

Installing IDScenter

Configuring IDScenter

Basic Usage of IDScenter

Chapter 9 Keeping Everything Up to Date

Applying Patches

Updating Rules

How Are the Rules Maintained?

How Do I Get Updates to the Rules?

How Do I Merge These Changes?

Testing Rule Updates

Testing the New Rules

Watching for Updates

Mailing Lists and News Services to Watch

Chapter 10 Optimizing Snort

How Do I Choose What Hardware to Use?

What Constitutes “Good” Hardware?

How Do I Test My Hardware?

How Do I Choose What Operating System to Use?

What Makes a “Good” OS for a NIDS?

What OS Should I Use?

How Do I Test My OS Choice?

Speeding Up Your Snort Installation

Deciding Which Rules to Enable

Configuring Preprocessors for Speed

Using Generic Variables

Choosing an Output Plug-In

Benchmarking Your Deployment

Benchmark Characteristics

Attributes of a Good Benchmark

Attributes of a Poor Benchmark

What Options Are Available for Benchmarking?

IDS Informer

IDS Wakeup


Miscellaneous Options

Chapter 11 Mucking Around with Barnyard

What Is Barnyard?

Preparation and Installation of Barnyard

How Does Barnyard Work?

Using the Barnyard Configuration File

Barnyard Innards

Create and Display a Binary Log Output File

What Are the Output Options for Barnyard?

But I Want My Output Like “This”

An Example Output Plug-In

Using plugbase.h and plugbase.c

Chapter 12 Advanced Snort

Policy-Based IDS

Defining a Network Policy for the IDS

An Example of Policy-Based IDS

Policy-Based IDS in Production

Inline IDS

Where Did the Inline IDS for Snort Come From?

Installation of Snort in Inline Mode

Using Inline IDS to Protect Your Network
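The Chapter 5 headings above (rule header, rule body, content with the offset, depth and nocase modifiers, sid, rev, classtype) name the parts of the Snort 2.0 rule language without showing a rule. What follows is an added example, not code from the book or from the Snort project: one constructed rule in that syntax, and a small Python parser and matcher that applies the content modifiers to constructed HTTP request payloads. It assumes the Snort 2.x interpretation of depth (a window of depth bytes counted from offset), treats `$EXTERNAL_NET`/`$HOME_NET` as opaque header tokens, and does not handle escaped quotes or pipes inside content strings; the sid 1000001, the rule text and the sample payloads are all constructed for the example.

```python
import re

# Constructed Snort 2.0-style rule (example, not from the book). The sid is in the
# local (>= 1000000) range; the $ variables are the usual snort.conf rule variables.
EXAMPLE_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 '
    '(msg:"WEB-IIS cmd.exe access"; flow:to_server,established; '
    'content:"cmd.exe"; nocase; offset:4; depth:60; '
    'classtype:web-application-attack; sid:1000001; rev:1;)'
)

# Rule header: action proto src sport direction dst dport, then the body in parentheses.
HEADER_RE = re.compile(
    r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$', re.S)
# Body option: keyword, optional ':value' (a quoted value may contain ';'), ended by ';'.
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


def parse_rule(text):
    """Split a rule into its header fields and an ordered list of (keyword, value) options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % text)
    action, proto, src, sport, direction, dst, dport, body = m.groups()
    # Order matters: nocase/offset/depth modify the content keyword that precedes them.
    options = [(k, v.strip() or None) for k, v in OPTION_RE.findall(body)]
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dir": direction, "dst": dst, "dport": dport, "options": options}


def decode_content(value):
    """Turn a content string into bytes: text outside |..| as ASCII, hex pairs inside."""
    s = value.strip()
    if s.startswith('"') and s.endswith('"'):
        s = s[1:-1]
    out = bytearray()
    for i, seg in enumerate(s.split('|')):
        out += bytes.fromhex(seg) if i % 2 == 1 else seg.encode('latin-1')
    return bytes(out)


def content_matches(rule, payload):
    """Evaluate every content: option against the payload, applying its modifiers.

    Assumed Snort 2.x semantics: offset is where the search starts, depth is how many
    bytes from that start are searched, nocase compares case-insensitively, and a
    leading '!' negates the match. All content options must hold for the rule to fire.
    """
    opts = rule["options"]
    i = 0
    while i < len(opts):
        key, value = opts[i]
        if key != "content":
            i += 1
            continue
        negate = value.startswith('!')
        pattern = decode_content(value[1:] if negate else value)
        nocase, offset, depth = False, 0, None
        j = i + 1
        while j < len(opts) and opts[j][0] in ("nocase", "offset", "depth"):
            mkey, mval = opts[j]
            if mkey == "nocase":
                nocase = True
            elif mkey == "offset":
                offset = int(mval)
            elif mkey == "depth":
                depth = int(mval)
            j += 1
        window = payload[offset: offset + depth if depth is not None else None]
        hay, needle = (window.lower(), pattern.lower()) if nocase else (window, pattern)
        if (needle in hay) == negate:
            return False
        i = j
    return True


# Constructed sample payloads (not captured traffic).
SAMPLES = {
    # Unicode-style traversal to cmd.exe, upper-cased so only nocase catches it.
    "traversal_to_cmd": b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n",
    "benign": b"GET /index.html HTTP/1.0\r\n",
    # cmd.exe appears, but beyond the offset:4 depth:60 search window.
    "past_depth": b"GET /" + b"A" * 70 + b"/cmd.exe HTTP/1.0\r\n",
}


def evaluate(rule_text=EXAMPLE_RULE):
    """Return {sample name: True if the rule's content checks fire on it}."""
    rule = parse_rule(rule_text)
    return {name: content_matches(rule, payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print("%-17s %s" % (name, "ALERT" if hit else "-"))
```

The third sample is the one worth noticing when tuning: a depth that is too tight silently turns a rule into a miss rather than a false positive, so any depth or offset change belongs in the per-rule tests that Chapter 5 ("Individual Snort Rule Tests") describes.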
