Snort Cookbook

Angela Orebaugh, Simon Biles, Jacob Babbin

  • Publisher: O'Reilly
  • Publication date: 2005-05-03
  • List price: $1,510
  • VIP price: $1,435 (9.5 折, i.e. 95% of the list price)
  • Language: English
  • Pages: 400
  • Binding: Paperback
  • ISBN: 0596007914
  • ISBN-13: 9780596007911
  • Overseas order (must be checked out separately)
    No stock available

If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard of intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching, and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort.

Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sys admins and security pros will use every day, such as:

  • installation
  • optimization
  • logging
  • alerting
  • rules and signatures
  • detecting viruses
  • countermeasures
  • detecting common attacks
  • administration
  • honeypots
  • log analysis

But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to master to be security gurus--and still have a life.


Table of Contents:

1. Installation and Optimization

      1.1 Installing Snort from Source on Unix
      1.2 Installing Snort Binaries on Linux
      1.3 Installing Snort on Solaris
      1.4 Installing Snort on Windows
      1.5 Uninstalling Snort from Windows
      1.6 Installing Snort on Mac OS X
      1.7 Uninstalling Snort from Linux
      1.8 Upgrading Snort on Linux
      1.9 Monitoring Multiple Network Interfaces
      1.10 Invisibly Tapping a Hub
      1.11 Invisibly Sniffing Between Two Network Points
      1.12 Invisibly Sniffing 100 MB Ethernet
      1.13 Sniffing Gigabit Ethernet
      1.14 Tapping a Wireless Network
      1.15 Positioning Your IDS Sensors
      1.16 Capturing and Viewing Packets
      1.17 Logging Packets That Snort Captures
      1.18 Running Snort to Detect Intrusions
      1.19 Reading a Saved Capture File
      1.20 Running Snort as a Linux Daemon
      1.21 Running Snort as a Windows Service
      1.22 Capturing Without Putting the Interface into Promiscuous Mode
      1.23 Reloading Snort Settings
      1.24 Debugging Snort Rules
      1.25 Building a Distributed IDS (Plain Text)
      1.26 Building a Distributed IDS (Encrypted)

2. Logging, Alerts, and Output Plug-ins

      2.1 Logging to a File Quickly
      2.2 Logging Only Alerts
      2.3 Logging to a CSV File
      2.4 Logging to a Specific File
      2.5 Logging to Multiple Locations
      2.6 Logging in Binary
      2.7 Viewing Traffic While Logging
      2.8 Logging Application Data
      2.9 Logging to the Windows Event Viewer
      2.10 Logging Alerts to a Database
      2.11 Installing and Configuring MySQL
      2.12 Configuring MySQL for Snort
      2.13 Using PostgreSQL with Snort and ACID
      2.14 Logging in PCAP Format (TCPDump)
      2.15 Logging to Email
      2.16 Logging to a Pager or Cell Phone
      2.17 Optimizing Logging
      2.18 Reading Unified Logged Data
      2.19 Generating Real-Time Alerts
      2.20 Ignoring Some Alerts
      2.21 Logging to System Logfiles
      2.22 Fast Logging
      2.23 Logging to a Unix Socket
      2.24 Not Logging
      2.25 Prioritizing Alerts
      2.26 Capturing Traffic from a Specific TCP Session
      2.27 Killing a Specific Session

3. Rules and Signatures

      3.1 How to Build Rules
      3.2 Keeping the Rules Up to Date
      3.3 Basic Rules You Shouldn't Leave Home Without
      3.4 Dynamic Rules
      3.5 Detecting Binary Content
      3.6 Detecting Malware
      3.7 Detecting Viruses
      3.8 Detecting IM
      3.9 Detecting P2P
      3.10 Detecting IDS Evasion
      3.11 Countermeasures from Rules
      3.12 Testing Rules
      3.13 Optimizing Rules
      3.14 Blocking Attacks in Real Time
      3.15 Suppressing Rules
      3.16 Thresholding Alerts
      3.17 Excluding from Logging
      3.18 Carrying Out Statistical Analysis

4. Preprocessing: An Introduction

      4.1 Detecting Stateless Attacks and Stream Reassembly
      4.2 Detecting Fragmentation Attacks and Fragment Reassembly with Frag2
      4.3 Detecting and Normalizing HTTP Traffic
      4.4 Decoding Application Traffic
      4.5 Detecting Port Scans and Talkative Hosts
      4.6 Getting Performance Metrics
      4.7 Experimental Preprocessors
      4.8 Writing Your Own Preprocessor

5. Administrative Tools

      5.1 Managing Snort Sensors
      5.2 Installing and Configuring IDScenter
      5.3 Installing and Configuring SnortCenter
      5.4 Installing and Configuring Snortsnarf
      5.5 Running Snortsnarf Automatically
      5.6 Installing and Configuring ACID
      5.7 Securing ACID
      5.8 Installing and Configuring Swatch
      5.9 Installing and Configuring Barnyard
      5.10 Administering Snort with IDS Policy Manager
      5.11 Integrating Snort with Webmin
      5.12 Administering Snort with HenWen
      5.13 Newbies Playing with Snort Using EagleX

6. Log Analysis

      6.1 Generating Statistical Output from Snort Logs
      6.2 Generating Statistical Output from Snort Databases
      6.3 Performing Real-Time Data Analysis
      6.4 Generating Text-Based Log Analysis
      6.5 Creating HTML Log Analysis Output
      6.6 Tools for Testing Signatures
      6.7 Analyzing and Graphing Logs
      6.8 Analyzing Sniffed (Pcap) Traffic
      6.9 Writing Output Plug-ins

7. Miscellaneous Other Uses

      7.1 Monitoring Network Performance
      7.2 Logging Application Traffic
      7.3 Recognizing HTTP Traffic on Unusual Ports
      7.4 Creating a Reactive IDS
      7.5 Monitoring a Network Using Policy-Based IDS
      7.6 Port Knocking
      7.7 Obfuscating IP Addresses
      7.8 Passive OS Fingerprinting
      7.9 Working with Honeypots and Honeynets
      7.10 Performing Forensics Using Snort
      7.11 Snort and Investigations
      7.12 Snort as Legal Evidence in the U.S.
      7.13 Snort as Evidence in the U.K.
      7.14 Snort as a Virus Detection Tool
      7.15 Staying Legal
