Preface

Installation and Optimization
    Installing Snort from Source on Unix
    Installing Snort Binaries on Linux
    Installing Snort on Solaris
    Installing Snort on Windows
    Uninstalling Snort from Windows
    Installing Snort on Mac OS X
    Uninstalling Snort from Linux
    Upgrading Snort on Linux
    Monitoring Multiple Network Interfaces
    Invisibly Tapping a Hub
    Invisibly Sniffing Between Two Network Points
    Invisibly Sniffing 100 MB Ethernet
    Sniffing Gigabit Ethernet
    Tapping a Wireless Network
    Positioning Your IDS Sensors
    Capturing and Viewing Packets
    Logging Packets That Snort Captures
    Running Snort to Detect Intrusions
    Reading a Saved Capture File
    Running Snort as a Linux Daemon
    Running Snort as a Windows Service
    Capturing Without Putting the Interface into Promiscuous Mode
    Reloading Snort Settings
    Debugging Snort Rules
    Building a Distributed IDS (Plain Text)
    Building a Distributed IDS (Encrypted)

Logging, Alerts, and Output Plug-ins
    Logging to a File Quickly
    Logging Only Alerts
    Logging to a CSV File
    Logging to a Specific File
    Logging to Multiple Locations
    Logging in Binary
    Viewing Traffic While Logging
    Logging Application Data
    Logging to the Windows Event Viewer
    Logging Alerts to a Database
    Installing and Configuring MySQL
    Configuring MySQL for Snort
    Using PostgreSQL with Snort and ACID
    Logging in PCAP Format (TCPDump)
    Logging to Email
    Logging to a Pager or Cell Phone
    Optimizing Logging
    Reading Unified Logged Data
    Generating Real-Time Alerts
    Ignoring Some Alerts
    Logging to System Logfiles
    Fast Logging
    Logging to a Unix Socket
    Not Logging
    Prioritizing Alerts
    Capturing Traffic from a Specific TCP Session
    Killing a Specific Session

Rules and Signatures
    How to Build Rules
    Keeping the Rules Up to Date
    Basic Rules You Shouldn't Leave Home Without
    Dynamic Rules
    Detecting Binary Content
    Detecting Malware
    Detecting Viruses
    Detecting IM
    Detecting P2P
    Detecting IDS Evasion
    Countermeasures from Rules
    Testing Rules
    Optimizing Rules
    Blocking Attacks in Real Time
    Suppressing Rules
    Thresholding Alerts
    Excluding from Logging
    Carrying Out Statistical Analysis

Preprocessing: An Introduction
    Detecting Stateless Attacks and Stream Reassembly
    Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
    Detecting and Normalizing HTTP Traffic
    Decoding Application Traffic
    Detecting Port Scans and Talkative Hosts
    Getting Performance Metrics
    Experimental Preprocessors
    Writing Your Own Preprocessor

Administrative Tools
    Managing Snort Sensors
    Installing and Configuring IDScenter
    Installing and Configuring SnortCenter
    Installing and Configuring Snortsnarf
    Running Snortsnarf Automatically
    Installing and Configuring ACID
    Securing ACID
    Installing and Configuring Swatch
    Installing and Configuring Barnyard
    Administering Snort with IDS Policy Manager
    Integrating Snort with Webmin
    Administering Snort with HenWen
    Newbies Playing with Snort Using EagleX

Log Analysis
    Generating Statistical Output from Snort Logs
    Generating Statistical Output from Snort Databases
    Performing Real-Time Data Analysis
    Generating Text-Based Log Analysis
    Creating HTML Log Analysis Output
    Tools for Testing Signatures
    Analyzing and Graphing Logs
    Analyzing Sniffed (Pcap) Traffic
    Writing Output Plug-ins

Miscellaneous Other Uses
    Monitoring Network Performance
    Logging Application Traffic
    Recognizing HTTP Traffic on Unusual Ports
    Creating a Reactive IDS
    Monitoring a Network Using Policy-Based IDS
    Port Knocking
    Obfuscating IP Addresses
    Passive OS Fingerprinting
    Working with Honeypots and Honeynets
    Performing Forensics Using Snort
    Snort and Investigations
    Snort as Legal Evidence in the U.S.
    Snort as Evidence in the U.K.
    Snort as a Virus Detection Tool
    Staying Legal

Index