Snort Intrusion Detection 2.0 book cover

Snort Intrusion Detection 2.0

The incredible low maintenance costs of Snort combined with its powerful security features make it one of the fastest growing IDSs within corporate IT departments. Snort 2.0 Intrusion Detection is the first book dealing with the Snort IDS and is written by a member of Readers will receive valuable insight to the code base of Snort and in-depth tutorials of complex installation, configuration, and troubleshooting scenarios. The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.

Security conscious or security curious professionals and power users interested in developing a comprehensive intrusion detection system.


Published: March 2003

Imprint: Syngress

ISBN: 978-1-931836-74-6


  • "I have been a diehard Snort user and member of the community since day one. Snort is awesome and there are so many incredibly talented people involved with it. I always wished that there was a book that documented everything, and gave lots of very cool information on all of the inner workings. I was psyched when I heard this book was being written, and I orderd it before it came out. I got mine on Friday and spent the weekend reading it. Considering the guys (and gal!) who wrote it, I shouldn't be surprised that the book rocks. Everything you ever wanted to know about Snort is in there. And, you know you are getting it from the Pig's mouth--er, or Snout ;)" - reviewer on


  • Foreword

    Chapter 1 Intrusion Detection Systems


    What Is Intrusion Detection

    Network IDS

    Host-Based IDS

    Distributed IDS

    A Trilogy of Vulnerabilities

    Directory Traversal Vulnerability

    CodeRed Worm

    Nimda Worm

    What Is an Intrusion

    Using Snort to Catch Intrusions

    Why Are Intrusion Detection Systems Important

    Why Are Attackers Interested in Me

    Where Does an IDS Fit with the Rest of My Security Plan

    Doesn’t My Firewall Serve as an IDS

    Where Else Should I Be Looking for Intrusions

    What Else Can Be Done with Intrusion Detection

    Monitoring Database Access

    Monitoring DNS Functions

    E-Mail Server Protection

    Using an IDS to Monitor My Company Policy


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 2 Introducing Snort 2.0


    What Is Snort

    Snort System Requirements


    Exploring Snort’s Features

    Packet Sniffer


    Detection Engine

    Alerting/Logging Component

    Using Snort on Your Network

    Snort’s Uses

    Snort and Your Network Architecture

    Pitfalls When Running Snort

    Security Considerations with Snort

    Snort Is Susceptible to Attacks

    Securing Your Snort System


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 3 Installing Snort


    A Brief Word about Linux Distributions




    Installing PCAP

    Installing libpcap from Source

    Installing libpcap from RPM

    Installing Snort

    Installing Snort from Source

    Customizing Your Installation: Editing the snort.conf File

    Installing Snort from RPM

    Installation on the Microsoft Windows Platform

    Installing Bleeding-Edge Versions of Snort


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 4 Snort: The Inner Workings


    Snort Components

    Capturing Network Traffic

    Packet Sniffing

    Decoding Packets

    Storage of Packets

    Processing Packets 101


    Understanding Rule Parsing and Detection Engines

    Rules Builder

    Detection Plug-Ins

    Output and Logs

    Snort as a Quick Sniffer

    Intrusion Detection Mode

    Snort for Honeypot Capture and Analysis

    Logging to Databases

    Alerting Using SNMP

    Barnyard and Unified Output


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 5 Playing by the Rules


    Understanding Configuration Files

    Defining and Using Variables

    Including Rule Files

    The Rule Header

    Rule Action Options

    Supported Protocols

    Assigning Source and Destination IP Addresses to Rules

    Assigning Source and Destination Ports

    Understanding Direction Operators

    Activate and Dynamic Rule Characteristics

    The Rule Body

    Rule Content

    Components of a Good Rule

    Action Events

    Ensuring Proper Content

    Merging Subnet Masks

    Testing Your Rules

    Stress Tests

    Individual Snort Rule Tests

    Berkeley Packet Filter Tests

    Tuning Your Rules

    Configuring Rule Variables

    Disabling Rules

    Berkeley Packet Filters


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 6 Preprocessors


    What Is a Preprocessor

    Preprocessor Options for Reassembling Packets

    The stream4 Preprocessor

    frag2-Fragment Reassembly and Attack Detection

    Preprocessor Options for Decoding and Normalizing Protocols

    Telnet Negotiation

    HTTP Normalization


    Preprocessor Options for Nonrule or Anomaly-Based Detection


    Back Orifice

    General Nonrule-Based Detection

    Experimental Preprocessors




    portscan2 and conversation


    Writing Your Own Preprocessor

    Reassembling Packets

    Decoding Protocols

    Nonrule or Anomaly-Based Detection

    Setting Up My Preprocessor

    What Am I Given by Snort

    Adding the Preprocessor into Snort


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 7 Implementing Snort Output Plug-Ins


    What Is an Output Plug-In

    Key Components of an Output Plug-In

    Exploring Output Plug-In Options

    Default Logging


    PCAP Logging


    Unified Logs

    Writing Your Own Output Plug-In

    Why Should I Write an Output Plug-In

    Setting Up My Output Plug-In

    Dealing with Snort Output


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 8 Exploring the Data Analysis Tools


    Using Swatch

    Performing a Swatch Installation

    Configuring Swatch

    Using Swatch

    Using ACID

    Installing ACID

    Configuring ACID

    Using ACID

    Using SnortSnarf

    Installing SnortSnarf

    Configuring Snort to Work with SnortSnarf

    Basic Usage of SnortSnarf

    Using IDScenter

    Installing IDScenter

    Configuring IDScenter

    Basic Usage of IDScenter


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 9 Keeping Everything Up to Date


    Applying Patches

    Updating Rules

    How Are the Rules Maintained

    How Do I Get Updates to the Rules

    How Do I Merge These Changes

    Testing Rule Updates

    Testing the New Rules

    Watching for Updates

    Mailing Lists and News Services to Watch


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 10 Optimizing Snort


    How Do I Choose What Hardware to Use

    What Constitutes “Good” Hardware

    How Do I Test My Hardware

    How Do I Choose What

    Operating System to Use

    What Makes a “Good” OS for a NIDS

    What OS Should I Use

    How Do I Test My OS Choice

    Speeding Up Your Snort Installation

    Deciding Which Rules to Enable

    Configuring Preprocessors for Speed

    Using Generic Variables

    Choosing an Output Plug-In

    Benchmarking Your Deployment

    Benchmark Characteristics

    What Options Are Available for Benchmarking


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 11 Mucking Around with Barnyard

    Introduction 2

    What Is Barnyard

    Preparation and Installation of Barnyard

    How Does Barnyard Work

    Using the Barnyard Configuration File

    Barnyard Innards

    Create and Display a Binary Log Output File

    What Are the Output Options for Barnyard

    But I Want My Output Like “This”

    An Example Output Plug-In


    Solutions Fast Track

    Frequently Asked Questions

    Chapter 12 Advanced Snort


    Policy-Based IDS

    Defining a Network Policy for the IDS

    An Example of Policy-Based IDS

    Policy-Based IDS in Production

    Inline IDS

    Where Did the Inline IDS for Snort Come From

    Installation of Snort in Inline Mode

    Using Inline IDS to Protect Your Network


    Solutions Fast Track

    Frequently Asked Questions



advert image