book

Snort Cookbook

by Angela Orebaugh, Simon Biles, Jacob Babbin

March 2005

Intermediate to advanced

288 pages

7h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

AudienceContents of This BookConventions Used in This BookUsing Code ExamplesSafari EnabledHow to Contact UsAcknowledgments
Introduction1.1. Installing Snort from Source on Unix1.2. Installing Snort Binaries on Linux1.3. Installing Snort on Solaris1.4. Installing Snort on Windows1.5. Uninstalling Snort from Windows1.6. Installing Snort on Mac OS X1.7. Uninstalling Snort from Linux1.8. Upgrading Snort on Linux1.9. Monitoring Multiple Network Interfaces1.10. Invisibly Tapping a Hub1.11. Invisibly Sniffing Between Two Network Points1.12. Invisibly Sniffing 100 MB Ethernet1.13. Sniffing Gigabit Ethernet1.14. Tapping a Wireless Network1.15. Positioning Your IDS Sensors1.16. Capturing and Viewing Packets1.17. Logging Packets That Snort Captures1.18. Running Snort to Detect Intrusions1.19. Reading a Saved Capture File1.20. Running Snort as a Linux Daemon1.21. Running Snort as a Windows Service1.22. Capturing Without Putting the Interface into Promiscuous Mode1.23. Reloading Snort Settings1.24. Debugging Snort Rules1.25. Building a Distributed IDS (Plain Text)1.26. Building a Distributed IDS (Encrypted)
Introduction2.1. Logging to a File Quickly2.2. Logging Only Alerts2.3. Logging to a CSV File2.4. Logging to a Specific File2.5. Logging to Multiple Locations2.6. Logging in Binary2.7. Viewing Traffic While Logging2.8. Logging Application Data2.9. Logging to the Windows Event Viewer2.10. Logging Alerts to a Database2.11. Installing and Configuring MySQL2.12. Configuring MySQL for Snort2.13. Using PostgreSQL with Snort and ACID2.14. Logging in PCAP Format (TCPDump)2.15. Logging to Email2.16. Logging to a Pager or Cell Phone2.17. Optimizing Logging2.18. Reading Unified Logged Data2.19. Generating Real-Time Alerts2.20. Ignoring Some Alerts2.21. Logging to System Logfiles2.22. Fast Logging2.23. Logging to a Unix Socket2.24. Not Logging2.25. Prioritizing Alerts2.26. Capturing Traffic from a Specific TCP Session2.27. Killing a Specific Session
Introduction3.1. How to Build Rules3.2. Keeping the Rules Up to Date3.3. Basic Rules You Shouldn’t Leave Home Without3.4. Dynamic Rules3.5. Detecting Binary Content3.6. Detecting Malware3.7. Detecting Viruses3.8. Detecting IM3.9. Detecting P2P3.10. Detecting IDS Evasion3.11. Countermeasures from Rules3.12. Testing Rules3.13. Optimizing Rules3.14. Blocking Attacks in Real Time3.15. Suppressing Rules3.16. Thresholding Alerts3.17. Excluding from Logging3.18. Carrying Out Statistical Analysis
Introduction4.1. Detecting Stateless Attacks and Stream Reassembly4.2. Detecting Fragmentation Attacks and Fragment Reassembly with Frag24.3. Detecting and Normalizing HTTP Traffic4.4. Decoding Application Traffic4.5. Detecting Port Scans and Talkative Hosts4.6. Getting Performance Metrics4.7. Experimental Preprocessors4.8. Writing Your Own Preprocessor
Introduction5.1. Managing Snort Sensors5.2. Installing and Configuring IDScenter5.3. Installing and Configuring SnortCenter5.4. Installing and Configuring Snortsnarf5.5. Running Snortsnarf Automatically5.6. Installing and Configuring ACID5.7. Securing ACID5.8. Installing and Configuring Swatch5.9. Installing and Configuring Barnyard5.10. Administering Snort with IDS Policy Manager5.11. Integrating Snort with Webmin5.12. Administering Snort with HenWen5.13. Newbies Playing with Snort Using EagleX
Introduction6.1. Generating Statistical Output from Snort Logs6.2. Generating Statistical Output from Snort Databases6.3. Performing Real-Time Data Analysis6.4. Generating Text-Based Log Analysis6.5. Creating HTML Log Analysis Output6.6. Tools for Testing Signatures6.7. Analyzing and Graphing Logs6.8. Analyzing Sniffed (Pcap) Traffic6.9. Writing Output Plug-ins
Introduction7.1. Monitoring Network Performance7.2. Logging Application Traffic7.3. Recognizing HTTP Traffic on Unusual Ports7.4. Creating a Reactive IDS7.5. Monitoring a Network Using Policy-Based IDS7.6. Port Knocking7.7. Obfuscating IP Addresses7.8. Passive OS Fingerprinting7.9. Working with Honeypots and Honeynets7.10. Performing Forensics Using Snort7.11. Snort and Investigations7.12. Snort as Legal Evidence in the U.S.7.13. Snort as Evidence in the U.K.7.14. Snort as a Virus Detection Tool7.15. Staying Legal

Content preview from Snort Cookbook

Chapter 5. Administrative Tools

Introduction

Your IDS is installed and configured, and it is happily generating logs and alerts, so now what do you do? One of the biggest issues with managing an IDS implementation is handling the potentially large numbers of alerts and logs. If your IDS is configured on a public network that receives a lot of traffic, you could potentially see thousands of alerts a day, from script kiddy scans to worms and other exploits. There are several Snort add-on tools that help you correlate and analyze Snort output data. You can find anything from full-fledged alert-management systems with web frontends to simple purpose-built scripts. This chapter explores some of the most popular tools for administering your Snort implementation: IDScenter, SnortCenter, ACID, SWATCH, Snortsnarf, Barnyard, IDS Policy Manager, HenWen, and Webmin. Some of the functionality for these tools overlaps. However, each has its own benefits and function. The good thing is that you can experiment with all of them to see which ones best suit your needs, because they are all free!

5.1. Managing Snort Sensors

Problem

You need an easy-to-use GUI management console to manage your Snort sensors.

Solution

Use SnortCenter or IDS Policy Manager to manage your distributed Snort sensors remotely.

Use IDScenter to manage a Windows Snort sensor locally.

Discussion

Managing numerous Snort sensors in a distributed environment via the command line and editing configuration files can sometimes be a tedious ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Start your free trial

Publisher Resources

ISBN: 0596007914Errata Page

Snort Cookbook

by Angela Orebaugh, Simon Biles, Jacob Babbin

Chapter 5. Administrative Tools

Introduction

5.1. Managing Snort Sensors

Problem

Solution

Discussion

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

You might also like

Snort Intrusion Detection 2.0

Learning CoreOS

NGINX Cookbook

DevSecOps in Kubernetes

Publisher Resources

Chapter 5. Administrative Tools

Introduction

5.1. Managing Snort Sensors

Problem

Solution

Discussion

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,and much more.

You might also like

Snort Intrusion Detection 2.0

Learning CoreOS

NGINX Cookbook

DevSecOps in Kubernetes

Publisher Resources

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.