Preface

Introduction
    Disappearing Perimeters
    Defense-in-Depth
    Detecting Intrusions (a Hierarchy of Approaches)
    What Is NIDS (and What Is an Intrusion)?
    The Challenges of Network Intrusion Detection
    Why Snort as an NIDS?
    Sites of Interest

Network Traffic Analysis
    The TCP/IP Suite of Protocols
    Dissecting a Network Packet
    Packet Sniffing
    Installing tcpdump
    tcpdump Basics
    Examining tcpdump Output
    Running tcpdump
    ethereal
    Sites of Interest

Installing Snort
    About Snort
    Installing Snort
    Command-Line Options
    Modes of Operation

Know Your Enemy
    The Bad Guys
    Anatomy of an Attack: The Five Ps
    Denial-of-Service
    IDS Evasion
    Sites of Interest

The snort.conf File
    Network and Configuration Variables
    Snort Decoder and Detection Engine Configuration
    Preprocessor Configurations
    Output Configurations
    File Inclusions

Deploying Snort
    Deploy NIDS with Your Eyes Open
    Initial Configuration
    Sensor Placement
    Securing the Sensor Itself
    Using Snort More Effectively
    Sites of Interest

Creating and Managing Snort Rules
    Downloading the Rules
    The Rule Sets
    Creating Your Own Rules
    Rule Execution
    Keeping Things Up-to-Date
    Sites of Interest

Intrusion Prevention
    Intrusion Prevention Strategies
    IPS Deployment Risks
    Flexible Response with Snort
    The Snort Inline Patch
    Controlling Your Border
    Sites of Interest

Tuning and Thresholding
    False Positives (False Alarms)
    False Negatives (Missed Alerts)
    Initial Configuration and Tuning
    Pass Rules
    Thresholding and Suppression

Using ACID as a Snort IDS Management Console
    Software Installation and Configuration
    ACID Console Installation
    Accessing the ACID Console
    Analyzing the Captured Data
    Sites of Interest

Using SnortCenter as a Snort IDS Management Console
    SnortCenter Console Installation
    SnortCenter Agent Installation
    SnortCenter Management Console
    Logging In and Surveying the Layout
    Adding Sensors to the Console
    Managing Tasks

Additional Tools for Snort IDS Management
    Open Source Solutions
    Commercial Solutions

Strategies for High-Bandwidth Implementations of Snort
    Barnyard (and Sguil)
    Commercial IDS Load Balancers
    The IDS Distribution System (I(DS)²)

Snort and ACID Database Schema

The Default snort.conf File

Resources

Index