Snort Intrusion Detection 2.0


  • Syngress

The incredibly low maintenance costs of Snort, combined with its powerful security features, make it one of the fastest growing IDSs within corporate IT departments. Snort 2.0 Intrusion Detection is the first book dealing with the Snort IDS and is written by a member of Readers will receive valuable insight into the code base of Snort and in-depth tutorials on complex installation, configuration, and troubleshooting scenarios. The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.


Security conscious or security curious professionals and power users interested in developing a comprehensive intrusion detection system.


Book information

  • Published: March 2003
  • Imprint: SYNGRESS
  • ISBN: 978-1-931836-74-6


"I have been a diehard Snort user and member of the community since day one. Snort is awesome and there are so many incredibly talented people involved with it. I always wished that there was a book that documented everything, and gave lots of very cool information on all of the inner workings. I was psyched when I heard this book was being written, and I ordered it before it came out. I got mine on Friday and spent the weekend reading it. Considering the guys (and gal!) who wrote it, I shouldn't be surprised that the book rocks. Everything you ever wanted to know about Snort is in there. And, you know you are getting it from the Pig's mouth--er, or Snout ;)" - reviewer on

Table of Contents

Chapter 1 Intrusion Detection Systems
  • What Is Intrusion Detection
  • Network IDS
  • Host-Based IDS
  • Distributed IDS
  • A Trilogy of Vulnerabilities
  • Directory Traversal Vulnerability
  • CodeRed Worm
  • Nimda Worm
  • What Is an Intrusion
  • Using Snort to Catch Intrusions
  • Why Are Intrusion Detection Systems Important
  • Why Are Attackers Interested in Me
  • Where Does an IDS Fit with the Rest of My Security Plan
  • Doesn’t My Firewall Serve as an IDS
  • Where Else Should I Be Looking for Intrusions
  • What Else Can Be Done with Intrusion Detection
  • Monitoring Database Access
  • Monitoring DNS Functions
  • E-Mail Server Protection
  • Using an IDS to Monitor My Company Policy
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 2 Introducing Snort 2.0
  • What Is Snort
  • Snort System Requirements
  • Exploring Snort’s Features
  • Packet Sniffer
  • Detection Engine
  • Alerting/Logging Component
  • Using Snort on Your Network
  • Snort’s Uses
  • Snort and Your Network Architecture
  • Pitfalls When Running Snort
  • Security Considerations with Snort
  • Snort Is Susceptible to Attacks
  • Securing Your Snort System
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 3 Installing Snort
  • A Brief Word about Linux Distributions
  • Installing PCAP
  • Installing libpcap from Source
  • Installing libpcap from RPM
  • Installing Snort
  • Installing Snort from Source
  • Customizing Your Installation: Editing the snort.conf File
  • Installing Snort from RPM
  • Installation on the Microsoft Windows Platform
  • Installing Bleeding-Edge Versions of Snort
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 4 Snort: The Inner Workings
  • Snort Components
  • Capturing Network Traffic
  • Packet Sniffing
  • Decoding Packets
  • Storage of Packets
  • Processing Packets 101
  • Understanding Rule Parsing and Detection Engines
  • Rules Builder
  • Detection Plug-Ins
  • Output and Logs
  • Snort as a Quick Sniffer
  • Intrusion Detection Mode
  • Snort for Honeypot Capture and Analysis
  • Logging to Databases
  • Alerting Using SNMP
  • Barnyard and Unified Output
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 5 Playing by the Rules
  • Understanding Configuration Files
  • Defining and Using Variables
  • Including Rule Files
  • The Rule Header
  • Rule Action Options
  • Supported Protocols
  • Assigning Source and Destination IP Addresses to Rules
  • Assigning Source and Destination Ports
  • Understanding Direction Operators
  • Activate and Dynamic Rule Characteristics
  • The Rule Body
  • Rule Content
  • Components of a Good Rule
  • Action Events
  • Ensuring Proper Content
  • Merging Subnet Masks
  • Testing Your Rules
  • Stress Tests
  • Individual Snort Rule Tests
  • Berkeley Packet Filter Tests
  • Tuning Your Rules
  • Configuring Rule Variables
  • Disabling Rules
  • Berkeley Packet Filters
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 6 Preprocessors
  • What Is a Preprocessor
  • Preprocessor Options for Reassembling Packets
  • The stream4 Preprocessor
  • frag2: Fragment Reassembly and Attack Detection
  • Preprocessor Options for Decoding and Normalizing Protocols
  • Telnet Negotiation
  • HTTP Normalization
  • Preprocessor Options for Nonrule or Anomaly-Based Detection
  • Back Orifice
  • General Nonrule-Based Detection
  • Experimental Preprocessors
  • portscan2 and conversation
  • Writing Your Own Preprocessor
  • Reassembling Packets
  • Decoding Protocols
  • Nonrule or Anomaly-Based Detection
  • Setting Up My Preprocessor
  • What Am I Given by Snort
  • Adding the Preprocessor into Snort
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 7 Implementing Snort Output Plug-Ins
  • What Is an Output Plug-In
  • Key Components of an Output Plug-In
  • Exploring Output Plug-In Options
  • Default Logging
  • PCAP Logging
  • Unified Logs
  • Writing Your Own Output Plug-In
  • Why Should I Write an Output Plug-In
  • Setting Up My Output Plug-In
  • Dealing with Snort Output
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 8 Exploring the Data Analysis Tools
  • Using Swatch
  • Performing a Swatch Installation
  • Configuring Swatch
  • Using Swatch
  • Using ACID
  • Installing ACID
  • Configuring ACID
  • Using ACID
  • Using SnortSnarf
  • Installing SnortSnarf
  • Configuring Snort to Work with SnortSnarf
  • Basic Usage of SnortSnarf
  • Using IDScenter
  • Installing IDScenter
  • Configuring IDScenter
  • Basic Usage of IDScenter
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 9 Keeping Everything Up to Date
  • Applying Patches
  • Updating Rules
  • How Are the Rules Maintained
  • How Do I Get Updates to the Rules
  • How Do I Merge These Changes
  • Testing Rule Updates
  • Testing the New Rules
  • Watching for Updates
  • Mailing Lists and News Services to Watch
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 10 Optimizing Snort
  • How Do I Choose What Hardware to Use
  • What Constitutes “Good” Hardware
  • How Do I Test My Hardware
  • How Do I Choose What Operating System to Use
  • What Makes a “Good” OS for a NIDS
  • What OS Should I Use
  • How Do I Test My OS Choice
  • Speeding Up Your Snort Installation
  • Deciding Which Rules to Enable
  • Configuring Preprocessors for Speed
  • Using Generic Variables
  • Choosing an Output Plug-In
  • Benchmarking Your Deployment
  • Benchmark Characteristics
  • What Options Are Available for Benchmarking
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 11 Mucking Around with Barnyard
  • Introduction
  • What Is Barnyard
  • Preparation and Installation of Barnyard
  • How Does Barnyard Work
  • Using the Barnyard Configuration File
  • Barnyard Innards
  • Create and Display a Binary Log Output File
  • What Are the Output Options for Barnyard
  • But I Want My Output Like “This”
  • An Example Output Plug-In
  • Solutions Fast Track
  • Frequently Asked Questions

Chapter 12 Advanced Snort
  • Policy-Based IDS
  • Defining a Network Policy for the IDS
  • An Example of Policy-Based IDS
  • Policy-Based IDS in Production
  • Inline IDS
  • Where Did the Inline IDS for Snort Come From
  • Installation of Snort in Inline Mode
  • Using Inline IDS to Protect Your Network
  • Solutions Fast Track
  • Frequently Asked Questions