Snort Intrusion Detection 2.0 / Edition 2


The incredible low maintenance costs of Snort combined with its powerful security features make it one of the fastest growing IDSs within corporate IT departments.

Snort 2.0 Intrusion Detection is the first book dealing with the Snort IDS and is written by a member of
Readers will receive valuable insight into the code base of Snort and in-depth tutorials on complex installation, configuration, and troubleshooting scenarios.

The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.

  • The most up-to-date and comprehensive coverage for Snort 2.0!
  • Expert Advice from the Development Team and Step-by-Step Instructions for Installing, Configuring, and Troubleshooting the Snort 2.0 Intrusion Detection System
  • Free CD Contains the Latest Version of Snort and Popular Plug-Ins Including ACID, Barnyard, and Swatch


Editorial Reviews

From the Publisher
"I have been a diehard Snort user and member of the community since day one. Snort is awesome and there are so many incredibly talented people involved with it. I always wished that there was a book that documented everything, and gave lots of very cool information on all of the inner workings. I was psyched when I heard this book was being written, and I ordered it before it came out. I got mine on Friday and spent the weekend reading it. Considering the guys (and gal!) who wrote it, I shouldn't be surprised that the book rocks. Everything you ever wanted to know about Snort is in there. And, you know you are getting it from the Pig's mouth—er, or Snout ;)" - reviewer on

Product Details

  • ISBN-13: 9781931836746
  • Publisher: Elsevier Science
  • Publication date: 4/13/2003
  • Edition description: Book & CD-ROM
  • Edition number: 2
  • Pages: 550
  • Product dimensions: 7.45 (w) x 9.23 (h) x 1.28 (d)

Read an Excerpt

Snort System Requirements

Before getting a system together, you need to know a few things. One, Snort data can take up a lot of disk space, and two, you'll need to be able to monitor the system remotely. The Snort system we maintain is in our machine room (which is cold, and a hike downstairs).

Because we're lazy and don't want to hike downstairs, we would like to be able to maintain it remotely and securely. For Linux and UNIX, this means including Secure Shell (SSH) and Apache with Secure Sockets Layer (SSL). For Windows, this would mean Terminal Services (restricted to specific users and machines that are allowed to connect) and Internet Information Services (IIS).

One of the most important things you'll need, especially if you're running Snort in Network-based Intrusion Detection System (NIDS) mode, is a really big hard drive. If you're storing your data as either syslog files or in a database, you'll need a lot of space to hold all the data that Snort's detection engine checks for rule violations.

Another highly recommended hardware component for Snort is a second Ethernet interface. One of the interfaces is necessary for typical network connectivity (SSH, Web services, and so forth), and the other interface is for Snorting. This sensing interface that does the "snorting" is your "Snort sensor."

Snort has no particular hardware requirements beyond what your OS already needs to run. Running any application on a faster processor usually makes the application work faster. However, the amount of data you can collect will be limited by your network connection and by your hard drive.

However, you will need a reasonably sized network interface card (NIC) to collect the correct amount of network packets. For example, if you are on a 100MB network, you will need a 100MB NIC to collect the correct amount of packets. Otherwise, you will miss packets and be unable to accurately collect alerts.

In addition, you will need a good-sized hard drive to store your data. If your hard drive is too small, there is a good chance that you will be unable to write alerts to either your database or log files. For example, our current setup for a single Snort sensor is a 9GB partition for /var.

Operating System

Snort was designed to be a lightweight network intrusion detection system. Currently, Snort can run on x86 systems running Linux, FreeBSD, NetBSD, OpenBSD, and Windows. Other systems supported include Sparc Solaris, PowerPC MacOS X and MkLinux, and PA-RISC HP-UX. Snort will run on just about any modern OS today.

People can get into religious wars as to which OS is best, but you have to be the one to administer the system, so you pick the OS.

There is an ongoing argument regarding the best OS on which to run Snort. A while back, the *BSDs had the better IP stack, but since Linux has gone to the 2.4 kernel, the IP stacks are comparable. Our favorite is NetBSD, but your mileage might vary.


Table of Contents

Chapter 1 Intrusion Detection Systems
  • What Is Intrusion Detection?
  • Network IDS
  • Host-Based IDS
  • Distributed IDS
  • A Trilogy of Vulnerabilities
  • Directory Traversal Vulnerability
  • CodeRed Worm
  • Nimda Worm
  • What Is an Intrusion?
  • Using Snort to Catch Intrusions
  • Why Are Intrusion Detection Systems Important?
  • Why Are Attackers Interested in Me?
  • Where Does an IDS Fit with the Rest of My Security Plan?
  • Doesn’t My Firewall Serve as an IDS?
  • Where Else Should I Be Looking for Intrusions?
  • What Else Can Be Done with Intrusion Detection?
  • Monitoring Database Access
  • Monitoring DNS Functions
  • E-Mail Server Protection
  • Using an IDS to Monitor My Company Policy

Chapter 2 Introducing Snort 2.0
  • What Is Snort?
  • Snort System Requirements
  • Exploring Snort’s Features
  • Packet Sniffer
  • Detection Engine
  • Alerting/Logging Component
  • Using Snort on Your Network
  • Snort’s Uses
  • Snort and Your Network Architecture
  • Pitfalls When Running Snort
  • Security Considerations with Snort
  • Snort Is Susceptible to Attacks
  • Securing Your Snort System

Chapter 3 Installing Snort
  • A Brief Word about Linux Distributions
  • Installing PCAP
  • Installing libpcap from Source
  • Installing libpcap from RPM
  • Installing Snort
  • Installing Snort from Source
  • Customizing Your Installation: Editing the snort.conf File
  • Installing Snort from RPM
  • Installation on the Microsoft Windows Platform
  • Installing Bleeding-Edge Versions of Snort

Chapter 4 Snort: The Inner Workings
  • Snort Components
  • Capturing Network Traffic
  • Packet Sniffing
  • Decoding Packets
  • Storage of Packets
  • Processing Packets 101
  • Understanding Rule Parsing and Detection Engines
  • Rules Builder
  • Detection Plug-Ins
  • Output and Logs
  • Snort as a Quick Sniffer
  • Intrusion Detection Mode
  • Snort for Honeypot Capture and Analysis
  • Logging to Databases
  • Alerting Using SNMP
  • Barnyard and Unified Output

Chapter 5 Playing by the Rules
  • Understanding Configuration Files
  • Defining and Using Variables
  • Including Rule Files
  • The Rule Header
  • Rule Action Options
  • Supported Protocols
  • Assigning Source and Destination IP Addresses to Rules
  • Assigning Source and Destination Ports
  • Understanding Direction Operators
  • Activate and Dynamic Rule Characteristics
  • The Rule Body
  • Rule Content
  • ASCII Content
  • Including Binary Content
  • The depth Option
  • The offset Option
  • The nocase Option
  • The session Option
  • Uniform Resource Identifier Content
  • The stateless Option
  • Regular Expressions
  • Flow Control
  • IP Options
  • Fragmentation Bits
  • Equivalent Source and Destination IP Option
  • IP Protocol Options
  • ID Option
  • Type of Service Option
  • Time-To-Live Option
  • TCP Options
  • Sequence Number Options
  • TCP Flags Option
  • TCP ACK Option
  • ICMP Options
  • The icode Option
  • The itype Option
  • Rule Identifier Options
  • Snort ID Options
  • Rule Revision Number
  • Severity Identifier Option
  • Classification Identifier Option
  • External References
  • Miscellaneous Rule Options
  • Real-Time Countermeasures
  • Components of a Good Rule
  • Action Events
  • Ensuring Proper Content
  • Merging Subnet Masks
  • Testing Your Rules
  • Stress Tests
  • Individual Snort Rule Tests
  • Berkeley Packet Filter Tests
  • Tuning Your Rules
  • Configuring Rule Variables
  • Disabling Rules
  • Berkeley Packet Filters

Chapter 6 Preprocessors
  • What Is a Preprocessor?
  • Preprocessor Options for Reassembling Packets
  • The stream4 Preprocessor
  • frag2—Fragment Reassembly and Attack Detection
  • Preprocessor Options for Decoding and Normalizing Protocols
  • Telnet Negotiation
  • HTTP Normalization
  • Preprocessor Options for Nonrule or Anomaly-Based Detection
  • Back Orifice
  • Configuring the Back Orifice Preprocessor
  • General Nonrule-Based Detection
  • Experimental Preprocessors
  • portscan2 and conversation
  • Writing Your Own Preprocessor
  • Reassembling Packets
  • Decoding Protocols
  • Nonrule or Anomaly-Based Detection
  • Setting Up My Preprocessor
  • What Am I Given by Snort?
  • Adding the Preprocessor into Snort

Chapter 7 Implementing Snort Output Plug-Ins
  • What Is an Output Plug-In?
  • Key Components of an Output Plug-In
  • Exploring Output Plug-In Options
  • Default Logging
  • PCAP Logging
  • Unified Logs
  • Writing Your Own Output Plug-In
  • Why Should I Write an Output Plug-In?
  • Setting Up My Output Plug-In
  • Dealing with Snort Output

Chapter 8 Exploring the Data Analysis Tools
  • Using Swatch
  • Performing a Swatch Installation
  • Configuring Swatch
  • Using Swatch
  • Using ACID
  • Installing ACID
  • Configuring ACID
  • Using ACID
  • Using SnortSnarf
  • Installing SnortSnarf
  • Configuring Snort to Work with SnortSnarf
  • Basic Usage of SnortSnarf
  • Using IDScenter
  • Installing IDScenter
  • Configuring IDScenter
  • Basic Usage of IDScenter

Chapter 9 Keeping Everything Up to Date
  • Applying Patches
  • Updating Rules
  • How Are the Rules Maintained?
  • How Do I Get Updates to the Rules?
  • How Do I Merge These Changes?
  • Testing Rule Updates
  • Testing the New Rules
  • Watching for Updates
  • Mailing Lists and News Services to Watch

Chapter 10 Optimizing Snort
  • How Do I Choose What Hardware to Use?
  • What Constitutes “Good” Hardware?
  • How Do I Test My Hardware?
  • How Do I Choose What Operating System to Use?
  • What Makes a “Good” OS for a NIDS?
  • What OS Should I Use?
  • How Do I Test My OS Choice?
  • Speeding Up Your Snort Installation
  • Deciding Which Rules to Enable
  • Configuring Preprocessors for Speed
  • Using Generic Variables
  • Choosing an Output Plug-In
  • Benchmarking Your Deployment
  • Benchmark Characteristics
  • Attributes of a Good Benchmark
  • Attributes of a Poor Benchmark
  • What Options Are Available for Benchmarking?
  • IDS Informer
  • IDS Wakeup
  • Miscellaneous Options

Chapter 11 Mucking Around with Barnyard
  • What Is Barnyard?
  • Preparation and Installation of Barnyard
  • How Does Barnyard Work?
  • Using the Barnyard Configuration File
  • Barnyard Innards
  • Create and Display a Binary Log Output File
  • What Are the Output Options for Barnyard?
  • But I Want My Output Like “This”
  • An Example Output Plug-In
  • Using plugbase.h and plugbase.c

Chapter 12 Advanced Snort
  • Policy-Based IDS
  • Defining a Network Policy for the IDS
  • An Example of Policy-Based IDS
  • Policy-Based IDS in Production
  • Inline IDS
  • Where Did the Inline IDS for Snort Come From?
  • Installation of Snort in Inline Mode
  • Using Inline IDS to Protect Your Network


Customer Reviews

  • Anonymous

    Posted May 29, 2003

    Awesome book by Snort gurus!

    An incredible book by the guys from and Sourcefire--this book is just great and covers everything I could ever have thought to ask about Snort 2.0. It comes with Snort on CD, which is just handy.
