Managing Security with Snort and IDS Tools
Table of Contents
Copyright
Preface
Audience
About This Book
Assumptions This Book Makes
Chapter Synopsis
Conventions Used in This Book
Comments and Questions
Acknowledgments
Chapter 1. Introduction
1.1 Disappearing Perimeters
1.2 Defense-in-Depth
1.3 Detecting Intrusions (a Hierarchy of Approaches)
1.4 What Is NIDS (and What Is an Intrusion)?
1.5 The Challenges of Network Intrusion Detection
1.6 Why Snort as an NIDS?
1.7 Sites of Interest
Chapter 2. Network Traffic Analysis
2.1 The TCP/IP Suite of Protocols
2.2 Dissecting a Network Packet
2.3 Packet Sniffing
2.4 Installing tcpdump
2.5 tcpdump Basics
2.6 Examining tcpdump Output
2.7 Running tcpdump
2.8 ethereal
2.9 Sites of Interest
Chapter 3. Installing Snort
3.1 About Snort
3.2 Installing Snort
3.3 Command-Line Options
3.4 Modes of Operation
Chapter 4. Know Your Enemy
4.1 The Bad Guys
4.2 Anatomy of an Attack: The Five Ps
4.3 Denial-of-Service
4.4 IDS Evasion
4.5 Sites of Interest
Chapter 5. The snort.conf File
5.1 Network and Configuration Variables
5.2 Snort Decoder and Detection Engine Configuration
5.3 Preprocessor Configurations
5.4 Output Configurations
5.5 File Inclusions
Chapter 6. Deploying Snort
6.1 Deploy NIDS with Your Eyes Open
6.2 Initial Configuration
6.3 Sensor Placement
6.4 Securing the Sensor Itself
6.5 Using Snort More Effectively
6.6 Sites of Interest
Chapter 7. Creating and Managing Snort Rules
7.1 Downloading the Rules
7.2 The Rule Sets
7.3 Creating Your Own Rules
7.4 Rule Execution
7.5 Keeping Things Up-to-Date
7.6 Sites of Interest
Chapter 8. Intrusion Prevention
8.1 Intrusion Prevention Strategies
8.2 IPS Deployment Risks
8.3 Flexible Response with Snort
8.4 The Snort Inline Patch
8.5 Controlling Your Border
8.6 Sites of Interest
Chapter 9. Tuning and Thresholding
9.1 False Positives (False Alarms)
9.2 False Negatives (Missed Alerts)
9.3 Initial Configuration and Tuning
9.4 Pass Rules
9.5 Thresholding and Suppression
Chapter 10. Using ACID as a Snort IDS Management Console
10.1 Software Installation and Configuration
10.2 ACID Console Installation
10.3 Accessing the ACID Console
10.4 Analyzing the Captured Data
10.5 Sites of Interest
Chapter 11. Using SnortCenter as a Snort IDS Management Console
11.1 SnortCenter Console Installation
11.2 SnortCenter Agent Installation
11.3 SnortCenter Management Console
11.4 Logging In and Surveying the Layout
11.5 Adding Sensors to the Console
11.6 Managing Tasks
Chapter 12. Additional Tools for Snort IDS Management
12.1 Open Source Solutions
12.2 Commercial Solutions
Chapter 13. Strategies for High-Bandwidth Implementations of Snort
13.1 Barnyard (and Sguil)
13.2 Commercial IDS Load Balancers
13.3 The IDS Distribution System (I(DS)2)
Appendix A. Snort and ACID Database Schema
A.1 acid_ag
Appendix B. The Default snort.conf File
Appendix C. Resources
C.1 From Chapter 1: Introduction
C.2 From Chapter 2: Network Traffic Analysis
C.3 From Chapter 4: Know Your Enemy
C.4 From Chapter 6: Deploying Snort
C.5 From Chapter 7: Creating and Managing Snort Rules
C.6 From Chapter 8: Intrusion Prevention
C.7 From Chapter 10: Using ACID as a Snort IDS Management Console
C.8 From Chapter 12: Additional Tools for Snort IDS Management
C.9 From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
Colophon
Index
index_SYMBOL
index_A
index_B
index_C
index_D
index_E
index_F
index_G
index_H
index_I
index_J
index_K
index_L
index_M
index_N
index_O
index_P
index_Q
index_R
index_S
index_T
index_U
index_V
index_W
index_X
index_Y
index_Z

Managing Security with Snort and IDS Tools
By Kerry J. Cox, Christopher Gerg

Publisher : O'Reilly
Pub Date : August 2004
ISBN : 0-596-00661-6
Pages : 288
This practical guide to managing network security covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive resource for monitoring illegal entry attempts, Managing Security with Snort and IDS Tools provides step-by-step instructions on getting up and running with Snort 2.1, and how to shut down and secure workstations, servers, firewalls, routers, sensors and other network devices.
