Snort Intrusion Detection 2.0


1st Edition - March 30, 2003


  • Author: Syngress
  • eBook ISBN: 9780080481005



The incredibly low maintenance cost of Snort, combined with its powerful security features, makes it one of the fastest-growing IDSs within corporate IT departments. Snort 2.0 Intrusion Detection is written by a member of The book provides valuable insight into the Snort code base and in-depth tutorials on complex installation, configuration, and troubleshooting scenarios. The primary reader will be an individual who has a working knowledge of the TCP/IP protocol, expertise in some arena of IT infrastructure, and is inquisitive about what has been attacking their IT network perimeter every 15 seconds.

Key Features

  • The most up-to-date and comprehensive coverage for Snort 2.0!
  • Expert Advice from the Development Team and Step-by-Step Instructions for Installing, Configuring, and Troubleshooting the Snort 2.0 Intrusion Detection System.


Security conscious or security curious professionals and power users interested in developing a comprehensive intrusion detection system.

Table of Contents

  • Foreword
  • Chapter 1 Intrusion Detection Systems
      • What Is Intrusion Detection
      • Network IDS
      • Host-Based IDS
      • Distributed IDS
      • A Trilogy of Vulnerabilities
      • Directory Traversal Vulnerability
      • CodeRed Worm
      • Nimda Worm
      • What Is an Intrusion
      • Using Snort to Catch Intrusions
      • Why Are Intrusion Detection Systems Important
      • Why Are Attackers Interested in Me
      • Where Does an IDS Fit with the Rest of My Security Plan
      • Doesn’t My Firewall Serve as an IDS
      • Where Else Should I Be Looking for Intrusions
      • What Else Can Be Done with Intrusion Detection
      • Monitoring Database Access
      • Monitoring DNS Functions
      • E-Mail Server Protection
      • Using an IDS to Monitor My Company Policy
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 2 Introducing Snort 2.0
      • What Is Snort
      • Snort System Requirements
      • Exploring Snort’s Features
      • Packet Sniffer
      • Detection Engine
      • Alerting/Logging Component
      • Using Snort on Your Network
      • Snort’s Uses
      • Snort and Your Network Architecture
      • Pitfalls When Running Snort
      • Security Considerations with Snort
      • Snort Is Susceptible to Attacks
      • Securing Your Snort System
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 3 Installing Snort
      • A Brief Word about Linux Distributions
      • Installing PCAP
      • Installing libpcap from Source
      • Installing libpcap from RPM
      • Installing Snort
      • Installing Snort from Source
      • Customizing Your Installation: Editing the snort.conf File
      • Installing Snort from RPM
      • Installation on the Microsoft Windows Platform
      • Installing Bleeding-Edge Versions of Snort
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 4 Snort: The Inner Workings
      • Snort Components
      • Capturing Network Traffic
      • Packet Sniffing
      • Decoding Packets
      • Storage of Packets
      • Processing Packets 101
      • Understanding Rule Parsing and Detection Engines
      • Rules Builder
      • Detection Plug-Ins
      • Output and Logs
      • Snort as a Quick Sniffer
      • Intrusion Detection Mode
      • Snort for Honeypot Capture and Analysis
      • Logging to Databases
      • Alerting Using SNMP
      • Barnyard and Unified Output
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 5 Playing by the Rules
      • Understanding Configuration Files
      • Defining and Using Variables
      • Including Rule Files
      • The Rule Header
      • Rule Action Options
      • Supported Protocols
      • Assigning Source and Destination IP Addresses to Rules
      • Assigning Source and Destination Ports
      • Understanding Direction Operators
      • Activate and Dynamic Rule Characteristics
      • The Rule Body
      • Rule Content
      • Components of a Good Rule
      • Action Events
      • Ensuring Proper Content
      • Merging Subnet Masks
      • Testing Your Rules
      • Stress Tests
      • Individual Snort Rule Tests
      • Berkeley Packet Filter Tests
      • Tuning Your Rules
      • Configuring Rule Variables
      • Disabling Rules
      • Berkeley Packet Filters
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 6 Preprocessors
      • What Is a Preprocessor
      • Preprocessor Options for Reassembling Packets
      • The stream4 Preprocessor
      • frag2—Fragment Reassembly and Attack Detection
      • Preprocessor Options for Decoding and Normalizing Protocols
      • Telnet Negotiation
      • HTTP Normalization
      • Preprocessor Options for Nonrule or Anomaly-Based Detection
      • Back Orifice
      • General Nonrule-Based Detection
      • Experimental Preprocessors
      • portscan2 and conversation
      • Writing Your Own Preprocessor
      • Reassembling Packets
      • Decoding Protocols
      • Nonrule or Anomaly-Based Detection
      • Setting Up My Preprocessor
      • What Am I Given by Snort
      • Adding the Preprocessor into Snort
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 7 Implementing Snort Output Plug-Ins
      • What Is an Output Plug-In
      • Key Components of an Output Plug-In
      • Exploring Output Plug-In Options
      • Default Logging
      • PCAP Logging
      • Unified Logs
      • Writing Your Own Output Plug-In
      • Why Should I Write an Output Plug-In
      • Setting Up My Output Plug-In
      • Dealing with Snort Output
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 8 Exploring the Data Analysis Tools
      • Using Swatch
      • Performing a Swatch Installation
      • Configuring Swatch
      • Using Swatch
      • Using ACID
      • Installing ACID
      • Configuring ACID
      • Using ACID
      • Using SnortSnarf
      • Installing SnortSnarf
      • Configuring Snort to Work with SnortSnarf
      • Basic Usage of SnortSnarf
      • Using IDScenter
      • Installing IDScenter
      • Configuring IDScenter
      • Basic Usage of IDScenter
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 9 Keeping Everything Up to Date
      • Applying Patches
      • Updating Rules
      • How Are the Rules Maintained
      • How Do I Get Updates to the Rules
      • How Do I Merge These Changes
      • Testing Rule Updates
      • Testing the New Rules
      • Watching for Updates
      • Mailing Lists and News Services to Watch
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 10 Optimizing Snort
      • How Do I Choose What Hardware to Use
      • What Constitutes “Good” Hardware
      • How Do I Test My Hardware
      • How Do I Choose What Operating System to Use
      • What Makes a “Good” OS for a NIDS
      • What OS Should I Use
      • How Do I Test My OS Choice
      • Speeding Up Your Snort Installation
      • Deciding Which Rules to Enable
      • Configuring Preprocessors for Speed
      • Using Generic Variables
      • Choosing an Output Plug-In
      • Benchmarking Your Deployment
      • Benchmark Characteristics
      • What Options Are Available for Benchmarking
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 11 Mucking Around with Barnyard
      • Introduction
      • What Is Barnyard
      • Preparation and Installation of Barnyard
      • How Does Barnyard Work
      • Using the Barnyard Configuration File
      • Barnyard Innards
      • Create and Display a Binary Log Output File
      • What Are the Output Options for Barnyard
      • But I Want My Output Like “This”
      • An Example Output Plug-In
      • Solutions Fast Track
      • Frequently Asked Questions
  • Chapter 12 Advanced Snort
      • Policy-Based IDS
      • Defining a Network Policy for the IDS
      • An Example of Policy-Based IDS
      • Policy-Based IDS in Production
      • Inline IDS
      • Where Did the Inline IDS for Snort Come From
      • Installation of Snort in Inline Mode
      • Using Inline IDS to Protect Your Network
      • Solutions Fast Track
      • Frequently Asked Questions


Product details

  • No. of pages: 550
  • Language: English
  • Copyright: © Syngress 2003
  • Published: March 30, 2003
  • Imprint: Syngress
  • eBook ISBN: 9780080481005
