Snort Cookbook

Book Description

If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort.

Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will use every day, such as:

  • installation
  • optimization
  • logging
  • alerting
  • rules and signatures
  • detecting viruses
  • countermeasures
  • detecting common attacks
  • administration
  • honeypots
  • log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus--and still have a life.

Table of Contents

  1. Preface
    1. Audience
    2. Contents of This Book
    3. Conventions Used in This Book
    4. Using Code Examples
    5. Safari Enabled
    6. How to Contact Us
    7. Acknowledgments
  2. 1. Installation and Optimization
    1. Introduction
    2. 1.1. Installing Snort from Source on Unix
    3. 1.2. Installing Snort Binaries on Linux
    4. 1.3. Installing Snort on Solaris
    5. 1.4. Installing Snort on Windows
    6. 1.5. Uninstalling Snort from Windows
    7. 1.6. Installing Snort on Mac OS X
    8. 1.7. Uninstalling Snort from Linux
    9. 1.8. Upgrading Snort on Linux
    10. 1.9. Monitoring Multiple Network Interfaces
    11. 1.10. Invisibly Tapping a Hub
    12. 1.11. Invisibly Sniffing Between Two Network Points
    13. 1.12. Invisibly Sniffing 100 MB Ethernet
    14. 1.13. Sniffing Gigabit Ethernet
    15. 1.14. Tapping a Wireless Network
    16. 1.15. Positioning Your IDS Sensors
    17. 1.16. Capturing and Viewing Packets
    18. 1.17. Logging Packets That Snort Captures
    19. 1.18. Running Snort to Detect Intrusions
    20. 1.19. Reading a Saved Capture File
    21. 1.20. Running Snort as a Linux Daemon
    22. 1.21. Running Snort as a Windows Service
    23. 1.22. Capturing Without Putting the Interface into Promiscuous Mode
    24. 1.23. Reloading Snort Settings
    25. 1.24. Debugging Snort Rules
    26. 1.25. Building a Distributed IDS (Plain Text)
    27. 1.26. Building a Distributed IDS (Encrypted)
  3. 2. Logging, Alerts, and Output Plug-ins
    1. Introduction
    2. 2.1. Logging to a File Quickly
    3. 2.2. Logging Only Alerts
    4. 2.3. Logging to a CSV File
    5. 2.4. Logging to a Specific File
    6. 2.5. Logging to Multiple Locations
    7. 2.6. Logging in Binary
    8. 2.7. Viewing Traffic While Logging
    9. 2.8. Logging Application Data
    10. 2.9. Logging to the Windows Event Viewer
    11. 2.10. Logging Alerts to a Database
    12. 2.11. Installing and Configuring MySQL
    13. 2.12. Configuring MySQL for Snort
    14. 2.13. Using PostgreSQL with Snort and ACID
    15. 2.14. Logging in PCAP Format (TCPDump)
    16. 2.15. Logging to Email
    17. 2.16. Logging to a Pager or Cell Phone
    18. 2.17. Optimizing Logging
    19. 2.18. Reading Unified Logged Data
    20. 2.19. Generating Real-Time Alerts
    21. 2.20. Ignoring Some Alerts
    22. 2.21. Logging to System Logfiles
    23. 2.22. Fast Logging
    24. 2.23. Logging to a Unix Socket
    25. 2.24. Not Logging
    26. 2.25. Prioritizing Alerts
    27. 2.26. Capturing Traffic from a Specific TCP Session
    28. 2.27. Killing a Specific Session
  4. 3. Rules and Signatures
    1. Introduction
    2. 3.1. How to Build Rules
    3. 3.2. Keeping the Rules Up to Date
    4. 3.3. Basic Rules You Shouldn’t Leave Home Without
    5. 3.4. Dynamic Rules
    6. 3.5. Detecting Binary Content
    7. 3.6. Detecting Malware
    8. 3.7. Detecting Viruses
    9. 3.8. Detecting IM
    10. 3.9. Detecting P2P
    11. 3.10. Detecting IDS Evasion
    12. 3.11. Countermeasures from Rules
    13. 3.12. Testing Rules
    14. 3.13. Optimizing Rules
    15. 3.14. Blocking Attacks in Real Time
    16. 3.15. Suppressing Rules
    17. 3.16. Thresholding Alerts
    18. 3.17. Excluding from Logging
    19. 3.18. Carrying Out Statistical Analysis
  5. 4. Preprocessing: An Introduction
    1. Introduction
    2. 4.1. Detecting Stateless Attacks and Stream Reassembly
    3. 4.2. Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
    4. 4.3. Detecting and Normalizing HTTP Traffic
    5. 4.4. Decoding Application Traffic
    6. 4.5. Detecting Port Scans and Talkative Hosts
    7. 4.6. Getting Performance Metrics
    8. 4.7. Experimental Preprocessors
    9. 4.8. Writing Your Own Preprocessor
  6. 5. Administrative Tools
    1. Introduction
    2. 5.1. Managing Snort Sensors
    3. 5.2. Installing and Configuring IDScenter
    4. 5.3. Installing and Configuring SnortCenter
    5. 5.4. Installing and Configuring Snortsnarf
    6. 5.5. Running Snortsnarf Automatically
    7. 5.6. Installing and Configuring ACID
    8. 5.7. Securing ACID
    9. 5.8. Installing and Configuring Swatch
    10. 5.9. Installing and Configuring Barnyard
    11. 5.10. Administering Snort with IDS Policy Manager
    12. 5.11. Integrating Snort with Webmin
    13. 5.12. Administering Snort with HenWen
    14. 5.13. Newbies Playing with Snort Using EagleX
  7. 6. Log Analysis
    1. Introduction
    2. 6.1. Generating Statistical Output from Snort Logs
    3. 6.2. Generating Statistical Output from Snort Databases
    4. 6.3. Performing Real-Time Data Analysis
    5. 6.4. Generating Text-Based Log Analysis
    6. 6.5. Creating HTML Log Analysis Output
    7. 6.6. Tools for Testing Signatures
    8. 6.7. Analyzing and Graphing Logs
    9. 6.8. Analyzing Sniffed (Pcap) Traffic
    10. 6.9. Writing Output Plug-ins
  8. 7. Miscellaneous Other Uses
    1. Introduction
    2. 7.1. Monitoring Network Performance
    3. 7.2. Logging Application Traffic
    4. 7.3. Recognizing HTTP Traffic on Unusual Ports
    5. 7.4. Creating a Reactive IDS
    6. 7.5. Monitoring a Network Using Policy-Based IDS
    7. 7.6. Port Knocking
    8. 7.7. Obfuscating IP Addresses
    9. 7.8. Passive OS Fingerprinting
    10. 7.9. Working with Honeypots and Honeynets
    11. 7.10. Performing Forensics Using Snort
    12. 7.11. Snort and Investigations
    13. 7.12. Snort as Legal Evidence in the U.S.
    14. 7.13. Snort as Evidence in the U.K.
    15. 7.14. Snort as a Virus Detection Tool
    16. 7.15. Staying Legal
  9. Index
  10. About the Authors
  11. Colophon
  12. Copyright