Intrusion Detection with Snort

Book Description

With over 100,000 installations, the Snort open-source network intrusion detection system is combined with other free tools to deliver IDS defense to medium- to small-sized companies, changing the tradition of intrusion detection being affordable only for large companies with large budgets.

Until now, Snort users had to rely on the official guide. That guide is aimed at relatively experienced Snort administrators and covers thousands of rules and known exploits.

The lack of usable information made using Snort a frustrating experience. The average Snort user needs to learn how to actually get their systems up and running.

Snort Intrusion Detection provides readers with practical guidance on how to put Snort to work. Opening with a primer to intrusion detection and Snort, the book takes the reader through planning an installation to building the server and sensor, tuning the system, implementing the system and analyzing traffic, writing rules, upgrading the system, and extending Snort.

Table of Contents

  1. Copyright
  2. About the Author
  3. Acknowledgments
  4. We Want to Hear from You!
  5. Reader Services
  6. Introduction
  7. Intrusion Detection Primer
    1. IDSs Come in Different Flavors
    2. Methods of Detecting Intrusions
    3. Origin of Attacks
    4. Orchestrating an Attack
    5. The IDS Reality
    6. Summary
  8. Network Intrusion Detection with Snort
    1. Snort's Specifications
    2. Detecting Suspicious Traffic via Signatures
    3. Detecting Suspicious Traffic via Heuristics
    4. Gathering Intrusion Data
    5. Alerting via Output Plug-ins
    6. Prioritizing Alerts
    7. Distributed Snort Architecture
    8. Securing Snort
    9. Shortcomings
    10. Summary
  9. Dissecting Snort
    1. Feeding Snort Packets with Libpcap
    2. Preprocessors
    3. The Detection Engine
    4. Output Plugins
    5. Summary
  10. Planning for the Snort Installation
    1. Defining an IDS Policy
    2. Deciding What to Monitor
    3. Designing Your Snort Architecture
    4. Planning for Maintenance
    5. Incident Response Plan
    6. Responding to an Incident
    7. Restoring to a Normal State
    8. Summary
  11. The Foundation—Hardware and Operating Systems
    1. Hardware Performance Metrics
    2. Picking a Platform
    3. The Monitoring Segment
    4. Distributing Traffic to Multiple Sensors
    5. Summary
  12. Building the Server
    1. Installation Guide Notes
    2. Red Hat Linux 7.3
    3. Post-Installation Tasks
    4. Installing the Snort Server Components
    5. Summary
  13. Building the Sensor
    1. Installation Guide Notes
    2. Installing the Snort Sensor Components
    3. Installing Snort
    4. Implementing Barnyard
    5. Summary
  14. Building the Analyst's Console
    1. Windows
    2. Linux
    3. Testing the Console
    4. Working with ACID
    5. Summary
  15. Additional Installation Methods
    1. The Hybrid Server/Sensor
    2. Snort on OpenBSD
    3. Snort on Windows
    4. Summary
  16. Tuning and Reducing False Positives
    1. Pre-Tuning Activities
    2. Tuning the Network for Snort
    3. Filtering Traffic with Snort
    4. Tuning the Preprocessors
    5. Refining the Ruleset
    6. Organize Your Rules
    7. Designing a Targeted Ruleset
    8. Tuning MySQL
    9. Tuning ACID
    10. Summary
  17. Real-Time Alerting
    1. An Overview of Real-Time Alerting with Snort
    2. Prioritization of Alerts
    3. Alerting with the Hybrid
    4. Alerting with Distributed Snort
    5. Summary
  18. Basic Rule Writing
    1. Fundamental Rule Writing Concepts
    2. Rule Syntax
    3. Writing Rules
    4. Summary
  19. Upgrading and Maintaining Snort
    1. Choosing a Snort Management Application
    2. IDS Policy Manager
    3. SnortCenter
    4. Upgrading Snort
    5. Summary
  20. Advanced Topics in Intrusion Prevention
    1. A Warning Concerning Intrusion Prevention
    2. Planning an Intrusion Prevention Strategy
    3. Snort Inline Patch
    4. SnortSam
    5. Summary
  21. Troubleshooting
    1. Snort Issues
    2. ACID Issues
    3. IDS Strategy
  22. Rule Documentation
    1. Not Suspicious Traffic
    2. Unknown Traffic
    3. Potentially Bad Traffic
    4. Attempted Information Leak
    5. Attempted Denial of Service
    6. Attempted User Privilege Gain
    7. Unsuccessful User Privilege Gain
    8. Attempted Administrator Privilege Gain
    9. Successful Administrator Privilege Gain
  23. Index