Managing Security with Snort and IDS Tools
Table of Contents
Copyright
Preface
Audience
About This Book
Assumptions This Book Makes
Chapter Synopsis
Conventions Used in This Book
Comments and Questions
Acknowledgments
Chapter 1. Introduction
1.1 Disappearing Perimeters
1.2 Defense-in-Depth
1.3 Detecting Intrusions (a Hierarchy of Approaches)
1.4 What Is NIDS (and What Is an Intrusion)?
1.5 The Challenges of Network Intrusion Detection
1.6 Why Snort as an NIDS?
1.7 Sites of Interest
Chapter 2. Network Traffic Analysis
2.1 The TCP/IP Suite of Protocols
2.2 Dissecting a Network Packet
2.3 Packet Sniffing

6.3 Sensor Placement
6.4 Securing the Sensor Itself
6.5 Using Snort More Effectively
6.6 Sites of Interest
Chapter 7. Creating and Managing Snort Rules
7.1 Downloading the Rules
7.2 The Rule Sets
7.3 Creating Your Own Rules
7.4 Rule Execution
7.5 Keeping Things Up-to-Date
7.6 Sites of Interest
Chapter 8. Intrusion Prevention
8.1 Intrusion Prevention Strategies
8.2 IPS Deployment Risks
8.3 Flexible Response with Snort
8.4 The Snort Inline Patch
8.5 Controlling Your Border
8.6 Sites of Interest
Chapter 9. Tuning and Thresholding
9.1 False Positives (False Alarms)
9.2 False Negatives (Missed Alerts)
9.3 Initial Configuration and Tuning

12.1 Open Source Solutions
12.2 Commercial Solutions
Chapter 13. Strategies for High-Bandwidth Implementations of Snort
13.1 Barnyard (and Sguil)
13.2 Commercial IDS Load Balancers
13.3 The IDS Distribution System (I(DS)2)
Appendix A. Snort and ACID Database Schema
A.1 acid_ag
Appendix B. The Default snort.conf File
Appendix C. Resources
C.1 From Chapter 1: Introduction
C.2 From Chapter 2: Network Traffic Analysis
C.3 From Chapter 4: Know Your Enemy
C.4 From Chapter 6: Deploying Snort
C.5 From Chapter 7: Creating and Managing Snort Rules
C.6 From Chapter 8: Intrusion Prevention
C.7 From Chapter 10: Using ACID as a Snort IDS


Managing Security with Snort and IDS Tools
By Kerry J. Cox, Christopher Gerg

Publisher: O'Reilly
Pub Date: August 2004
ISBN: 0-596-00661-6
Pages: 288
This practical guide to managing network security covers reliable methods for detecting network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion Detection Systems) applications and the GUI interfaces for managing them. A comprehensive

Conventions Used in This Book
Comments and Questions
Acknowledgments
Chapter 1. Introduction
Section 1.1. Disappearing Perimeters
Section 1.2. Defense-in-Depth

Section 1.3. Detecting Intrusions (a Hierarchy of Approaches)
Section 1.4. What Is NIDS (and What Is an Intrusion)?
Section 1.5. The Challenges of Network Intrusion Detection
Section 1.6. Why Snort as an NIDS?
Section 1.7. Sites of Interest
Chapter 2. Network Traffic Analysis
Section 2.1. The TCP/IP Suite of Protocols
Section 2.2. Dissecting a Network Packet
Section 2.3. Packet Sniffing
Section 2.4. Installing tcpdump
Section 2.5. tcpdump Basics
Section 2.6. Examining tcpdump Output
Section 2.7. Running tcpdump
Section 2.8. ethereal
Section 2.9. Sites of Interest
Chapter 3. Installing Snort
Section 3.1. About Snort
Section 3.2. Installing Snort
Section 3.3. Command-Line Options

Section 7.2. The Rule Sets
Section 7.3. Creating Your Own Rules
Section 7.4. Rule Execution
Section 7.5. Keeping Things Up-to-Date
Section 7.6. Sites of Interest
Chapter 8. Intrusion Prevention
Section 8.1. Intrusion Prevention Strategies
Section 8.2. IPS Deployment Risks
Section 8.3. Flexible Response with Snort
Section 8.4. The Snort Inline Patch
Section 8.5. Controlling Your Border
Section 8.6. Sites of Interest
Chapter 9. Tuning and Thresholding
Section 9.1. False Positives (False Alarms)

Section 9.2. False Negatives (Missed Alerts)
Section 9.3. Initial Configuration and Tuning
Section 9.4. Pass Rules
Section 9.5. Thresholding and Suppression

Chapter 10. Using ACID as a Snort IDS Management Console
Section 10.1. Software Installation and Configuration
Section 10.2. ACID Console Installation
Section 10.3. Accessing the ACID Console
Section 10.4. Analyzing the Captured Data
Section 10.5. Sites of Interest


Appendix A. Snort and ACID Database Schema
Section A.1. acid_ag
Appendix B. The Default snort.conf File
Appendix C. Resources
Section C.1. From Chapter 1: Introduction

Section C.2. From Chapter 2: Network Traffic Analysis
Section C.3. From Chapter 4: Know Your Enemy

