Snort Intrusion Detection and Prevention Toolkit
  1. 768 pages
  2. English
About This Book

This all-new book covers the brand-new Snort version 2.6 and is written by members of the Snort developers team. This fully integrated book and Web toolkit covers everything from packet inspection to optimizing Snort for speed to using the most advanced features of Snort to defend even the largest and most congested enterprise networks. Leading Snort experts Brian Caswell, Andrew Baker, and Jay Beale analyze traffic from real attacks to demonstrate the best practices for implementing the most powerful Snort features. The book begins with a discussion of packet inspection and the progression from intrusion detection to intrusion prevention. The authors provide examples of packet inspection methods including protocol standards compliance, protocol anomaly detection, application control, and signature matching. In addition, application-level vulnerabilities including binary code in HTTP headers, HTTP/HTTPS tunneling, URL directory traversal, cross-site scripting, and SQL injection are also analyzed. Next, a brief chapter on installing and configuring Snort highlights various methods for fine-tuning your installation to optimize Snort performance, including hardware/OS selection, finding and eliminating bottlenecks, and benchmarking and testing your deployment. A special chapter also details how to use Barnyard to improve the overall performance of Snort. Next, best practices are presented that allow readers to enhance the performance of Snort for even the largest and most complex networks. The next chapter reveals the inner workings of Snort by analyzing the source code. The next several chapters detail how to write, modify, and fine-tune basic to advanced rules and preprocessors. Detailed analysis of real packet captures is provided both in the book and in the companion material. Several examples for optimizing output plugins are then discussed, including a comparison of MySQL and PostgreSQL.
Best practices for monitoring Snort sensors and analyzing intrusion data follow, with examples of real-world attacks using ACID, BASE, SGUIL, SnortSnarf, Snort_stat.pl, Swatch, and more. The last part of the book contains several chapters on active response, intrusion prevention, and using Snort's most advanced capabilities for everything from forensics and incident handling to building and analyzing honeypots.

  • This fully integrated book and Web toolkit covers everything all in one convenient package
  • It is authored by members of the Snort team and it is packed full of their experience and expertise
  • Includes full coverage of the brand new Snort version 2.6, packed full of all the latest information


Information

Publisher: Syngress
Year: 2007
ISBN: 9780080549279
Chapter 1 Intrusion Detection Systems

Solutions in this chapter:

  • What Is Intrusion Detection?
  • How an IDS Works
  • Why Are Intrusion Detection Systems Important?
  • What Else Can You Do with Intrusion Detection Systems?
  • What About Intrusion Protection?
  • Summary
  • Solutions Fast Track
  • Frequently Asked Questions

Introduction

The principle of intrusion detection isn’t new. Whether it’s car alarms or closed-circuit televisions, motion detectors or log analyzers, many folks with assets to protect have a vested interest in knowing when unauthorized persons are probing their defenses, sizing up their assets, or running off with crucial data. In this book, we’ll discuss how the principles of intrusion detection are implemented with respect to computer networks, and how using Snort can help overworked security administrators know when someone is running off with their digital assets.
All right, this might be a bit dramatic for a prelude to a discussion of intrusion detection, but most security administrators experience a moment of anxiety when a beeper goes off. Is this the big one? Did they get in? How many systems could have been compromised? What data was stored on or accessible by those systems? What sort of liability does this open us up to? Are more systems similarly vulnerable? Is the press going to have a field day with a data leak?
These and many other questions flood the mind of the well-prepared security administrator. On the other hand, the ill-prepared security administrator, being totally unaware of the intrusion, experiences little anxiety. For him, the anxiety comes later.
Okay, so how can a security-minded administrator protect his network from intrusions? The answer to that question is quite simple. An intrusion detection system (IDS) can help to detect intrusions and intrusion attempts within your network, allowing a savvy admin to take appropriate mitigation and remediation steps. A pure IDS will not prevent these attacks, but it will let you know when they occur.

What Is Intrusion Detection?

Webster’s defines an intrusion as “the act of thrusting in, or of entering into a place or state without invitation, right, or welcome.” When we speak of intrusion detection, we are referring to the act of detecting an unauthorized intrusion by a computer on a network. This unauthorized access, or intrusion, is an attempt to compromise, or otherwise do harm, to other network devices.
A body of American legislation surrounds what counts as a computer intrusion, but although the term computer intrusion is used to label the relevant laws, there is no single clear and useful definition of a computer intrusion. Title 18, Part I, Chapter 47, § 1030 of the United States Criminal Code for fraud and related activities in connection with computers contains several definitions of what constitutes a fraudulent criminal computer intrusion. “Knowingly accessed a computer without authorization or exceeding authorized access” is a common thread in several definitions. However, all the definitions go on to further require theft of government secrets, financial records, government data, or other such things. “Knowingly accessed without authorization or exceeding authorized access” doesn’t appear to be enough in and of itself. There is also a lack of legislative clarity regarding what “access” is. For example, a portscan gathers data about which ports on the target computer are listening, but does not attempt to use any services. Nevertheless, some people argue that this constitutes accessing those services. A security scanner such as Nessus or Retina may check the versions of listening services and compare them against a database of known security vulnerabilities. This is more intrusive than a simple portscan, but merely reports the presence of vulnerabilities rather than actually exploiting them. Is this accessing the service? Should it count as an intrusion? Finally, there are the blatant cases where the system is actually compromised. Most people would agree that this counts as an intrusion. For our purposes, we can define an intrusion as an unwanted and unauthorized intentional access of computerized network resources.
An IDS is the high-tech equivalent of a burglar alarm, one that is configured to monitor information gateways, hostile activities, and known intruders. An IDS is a specialized tool that knows how to parse and interpret network traffic and/or host activities. This data can range from network packet analysis to the contents of log files from routers, firewalls, and servers, local system logs and access calls, network flow data, and more. Furthermore, an IDS often stores a database of known attack signatures and can compare patterns of activity, traffic, or behavior it sees in the data it’s monitoring against those signatures to recognize when a close match between a signature and current or recent behavior occurs. At that point, the IDS can issue alarms or alerts, take various kinds of automated actions ranging from shutting down Internet links or specific servers to launching back-traces, and make other active attempts to identify attackers and collect evidence of their nefarious activities.
By analogy, an IDS does for a network what an antivirus software package does for files that enter a system: it inspects the contents of network traffic to look for and deflect possible attacks, just as an antivirus software package inspects the contents of incoming files, e-mail attachments, active Web content, and so forth to look for virus signatures (patterns that match known malware) or for possible malicious actions (patterns of behavior that are at least suspicious, if not downright unacceptable).
To be more specific, intrusion detection means detecting unauthorized use of or attacks upon a system or network. An IDS is designed and used to detect such attacks or unauthorized use of systems, networks, and related resources, and then in many cases to deflect or deter them if possible. Like firewalls, IDSes can be software-based or can combine hardware and software in the form of preinstalled and preconfigured stand-alone IDS devices. IDS software may run on the same devices or servers where firewalls, proxies, or other boundary services operate, though separate IDS sensors and managers are more popular. Nevertheless, an IDS not running on the same device or server where the firewall or other services are installed will monitor those devices with particular closeness and care. Although such devices tend to be deployed at network peripheries, IDSes can detect and deal with insider attacks as well as external attacks, and are often very useful in detecting violations of corporate security policy and other internal threats.
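As an added illustration that is not part of the book preview, the following Python sketch shows the signature-matching loop the preceding paragraphs describe: a small set of signatures, each bound to a protocol, a destination port and a byte pattern, is applied to a handful of constructed packet records and produces alerts for the matches. The signature fields, rule names, SIDs, addresses and packets are all made up for this example and are not Snort's own rule format.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed packet record; a real sensor would decode these from captured frames.
@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes

# Toy signature (field names are assumptions for this example, not Snort's):
# protocol, optional destination port, and a byte pattern that must appear in
# the payload; nocase makes the pattern comparison case-insensitive.
@dataclass
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]      # None matches any destination port
    content: bytes
    nocase: bool = False

# Constructed signature set for the example.
SIGNATURES = [
    Signature(1000001, "HTTP directory traversal attempt", "tcp", 80, b"../.."),
    Signature(1000002, "SQL injection tautology in request", "tcp", 80, b"' OR 1=1", nocase=True),
    Signature(1000003, "Telnet login prompt", "tcp", 23, b"login:"),
]

def matches(sig: Signature, pkt: Packet) -> bool:
    """True when the packet satisfies every constraint of the signature."""
    if sig.proto != pkt.proto:
        return False
    if sig.dport is not None and sig.dport != pkt.dport:
        return False
    haystack = pkt.payload.lower() if sig.nocase else pkt.payload
    needle = sig.content.lower() if sig.nocase else sig.content
    return needle in haystack

def inspect(packets: List[Packet], signatures=SIGNATURES) -> List[str]:
    """Run every signature over every packet; return one alert line per match."""
    alerts = []
    for pkt in packets:
        for sig in signatures:
            if matches(sig, pkt):
                alerts.append(f"[{sig.sid}] {sig.msg} {pkt.src} -> {pkt.dst}:{pkt.dport}")
    return alerts

# Constructed sample traffic (RFC 5737 documentation addresses, made-up payloads).
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", "192.0.2.10", 80, b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"),
    Packet("tcp", "10.0.0.7", "192.0.2.10", 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n\r\n"),
    # Same traversal pattern on port 8080: the port-bound signature does not fire.
    Packet("tcp", "10.0.0.9", "192.0.2.10", 8080, b"GET /../../x HTTP/1.1\r\n\r\n"),
    Packet("udp", "10.0.0.9", "192.0.2.53", 53, b"\x12\x34\x01\x00"),
    # Lower-case tautology: only matched because the signature is marked nocase.
    Packet("tcp", "10.0.0.11", "192.0.2.10", 80, b"GET /item?id=1' or 1=1-- HTTP/1.1\r\n\r\n"),
]

if __name__ == "__main__":
    for line in inspect(SAMPLE_PACKETS):
        print(line)
```

Two of the five constructed packets produce alerts. The third packet carries the same traversal string as the second but on port 8080, so a signature bound to port 80 is silent; this is the kind of detection gap that makes port and protocol configuration on the sensor as important as the signature content itself. The last packet shows why case handling is part of a signature's definition rather than an afterthought.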
You are likely to encounter several kinds of IDSes in the field. First, it is possible to distinguish IDSes by the kinds of activities, traffic, transactions, or systems the...

Table of contents

  1. Cover image
  2. Title page
  3. Table of Contents
  4. VISIT US AT
  5. Copyright
  6. Acknowledgments
  7. Technical Editor
  8. Contributing Authors
  9. Foreword
  10. Series Editor
  11. Foreword
  12. Chapter 1: Intrusion Detection Systems
  13. Chapter 2: Introducing Snort 2.6
  14. Chapter 3: Installing Snort 2.6
  15. Chapter 4: Configuring Snort and Add-Ons
  16. Chapter 5: Inner Workings
  17. Chapter 6: Preprocessors
  18. Chapter 7: Playing by the Rules
  19. Chapter 8: Snort Output Plug-Ins
  20. Chapter 9: Exploring IDS Event Analysis, Snort Style
  21. Chapter 10: Optimizing Snort
  22. Chapter 11: Active Response
  23. Chapter 12: Advanced Snort
  24. Chapter 13: Mucking Around with Barnyard
  25. Index
  26. GNU GENERAL PUBLIC LICENSE