وبلاگ بلیان

Snort For Dummies

Introducing the book «Snort For Dummies» by Charlie Scott, Paul Wolfe, and Bert Hayes, published by Wiley Publishing (Hoboken, NJ) in 2004. The book is provided as a PDF, in English. «Snort For Dummies» is filed under Uncategorized.

Snort For Dummies covers everything the reader needs to:
  • Learn why and how an IDS should be implemented
  • Identify how Snort fits into a security management environment
  • Deploy Snort on Linux and Windows systems
  • Understand and create Snort detection rules
  • Generate reports with ACID and other tools
  • Discover the nature and source of attacks in real time

Table of contents:

Cover
About the Authors
Authors' Acknowledgments
Contents at a Glance
Table of Contents
Introduction
  • Who Should Read This Book?
  • About This Book
  • How to Use This Book
  • What You Don't Need to Read
  • Foolish Assumptions
  • How This Book Is Organized
  • Icons Used in This Book
  • Where to Go from Here
Part I: Getting to Know Snort and Intrusion Detection
Chapter 1: Looking Up Snort's Nose
  • Why All the Hubbub about Security?
  • What Is an IDS, and Why Have One?
  • Why Snort?
  • Snort's Components
  • Glancing at Snort's Output
  • Visualizing with Consoles
  • Getting to Know Snort's Buddies
Chapter 2: Fitting In Snort
  • Network-Based IDS
  • Inviting More Pigs to the Party
Chapter 3: Readying Your Preflight Checklist
  • Choosing Your Operating System
  • Sizing Up Your System
Chapter 4: Makin' Bacon: Installing Snort for Linux
  • Staying Safe
  • Securing the SSH Daemon
  • Installing MySQL for Linux
  • Installing Snort for Linux
Chapter 5: Installing Snort and MySQL for Windows
  • The Windows Snort IDS Box
  • Keeping Your Windows Locked
  • Installing the Base Snort System
  • Bending Snort to Your Will
  • Testing the Installation
  • Setting Up MySQL for Snort
  • Configuring Snort as a Service
Part II: Administering Your Snort Box
Chapter 6: Snorting through Logs and Alerts
  • Snort's Basic Output
  • Snort's Output Modules
Chapter 7: Adding Visuals and Getting Reports
  • The ACID Dependency Soup
  • Preparing ACID and Its Dependencies
  • Installing and Configuring ACID
  • Using ACID to View Snort Alerts
Chapter 8: Making Your Own Rules
  • The Power of the Pig
  • The Center of Snort's Universe
  • Rule Installation
  • Rule Refinements
Chapter 9: What, Me Worry?
  • Preprocessing Punk Packets
  • Fine Tuning: Reducing False Positives
Chapter 10: Dealing with the Real Thing
  • Developing an Incident Response Plan
  • Houston, We Have an Incident
  • Using Snort to Track an Attack
  • Halting the Attack
  • Looking through Logs
  • Looking for Odd Running Processes
  • Looking for Odd Files
  • Looking for Odd Network Services
  • Recovering from the Incident
  • Learning from the Attack
Part III: Moving Beyond the Basics
Chapter 11: Reacting in Real Time
  • Integrating Snort into Your Security Strategy
  • Using Swatch to Watch Your Log Files
  • Firewalling Suspicious Traffic in Real Time
Chapter 12: Keeping Snort Up to Date
  • Updating Rules with Oinkmaster
  • Upgrading Snort
Chapter 13: Filling Your Farm with Pigs
  • Pigs on the Perimeter
  • Catching All the Oinks
  • Securing Snort's Output
Chapter 14: Using the Barnyard Output Tool
  • Barnyard for Fast Output
  • Installing and Configuring Barnyard
  • Fitting Barnyard into Your Snort Environment
Part IV: The Part of Tens
Chapter 15: Ten Cool Tools for Snort
  • Alert-Management Tools
  • Alert-Reporting Tools
  • Alert-Response Tools
  • Intrusion-Management Tools
Chapter 16: Ten Snort Information Resources
  • The Snort.org Web Site
  • The Snort Mailing Lists
  • The SANS Institute
  • The Whitehats Security Forums
  • The SecurityFocus IDS Mailing List
  • The WINSNORT.com Web Site
  • The My-snort.org Web Site
  • The LinuxSecurity.com Web Site
  • The Freshmeat.net Web Site
  • Our Web Site
Appendix A: What's on the CD-ROM
  • CD-ROM Contents
  • CD-ROM Considerations
Index

Snort is the world's most widely deployed open source intrusion-detection system, with more than 500,000 downloads: a package that can perform protocol analysis, handle content searching and matching, and detect a variety of attacks and probes. Drawing on years of security experience and multiple Snort implementations, the authors guide readers through installation, configuration, and management of Snort in a busy operations environment. No experience with intrusion detection systems (IDS) is required. The book shows network administrators how to plan an IDS implementation, identify how Snort fits into a security management environment, deploy Snort on Linux and Windows systems, understand and create Snort detection rules, generate reports with ACID and other tools, and discover the nature and source of attacks in real time. The CD-ROM includes Snort, ACID, and a variety of management tools. Note: CD-ROM/DVD and other supplementary materials are not included.
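The "content searching and matching" and "create Snort detection rules" the description refers to come down to a rule header (action, protocol, source/destination addresses and ports) plus a list of options such as content and nocase. The script below is an added example, not code from the book or from the Snort project: it parses a small subset of Snort 2.x rule syntax and evaluates two local rules (sids in the 1,000,000+ range that Snort reserves for local rules) against constructed packets. The $HOME_NET/$EXTERNAL_NET values, the two rules, the addresses and the payloads are all made up for the example; options such as flow and rev are parsed and ignored, a bidirectional <> header is evaluated like ->, and Snort's real engine (stream reassembly, preprocessors, fast-pattern matching, event queue) does far more than this.

```python
"""Minimal Snort-style rule matcher (added example, not Snort's own code): a subset of
Snort 2.x syntax -- header, msg, content (with |hex| sections), nocase, sid; others ignored."""
import ipaddress
import re
from collections import namedtuple

HEADER_RE = re.compile(  # '<>' is accepted but evaluated like '->' in this example
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")
# an option is `key;` or `key:value;`; a value is either quoted or runs up to the ';'
OPT_RE = re.compile(r'\s*(?P<key>[a-z_]+)(?:\s*:\s*(?P<val>"(?:[^"\\]|\\.)*"|[^;]*))?\s*;')

# decoded-packet stand-in for this example; real Snort decodes packets from libpcap
Packet = namedtuple("Packet", "proto src sport dst dport payload")


def decode_content(raw: str) -> bytes:
    """Text outside |..| is literal, text inside |..| is hex, e.g. "GET |00 01|"."""
    out = bytearray()
    for i, part in enumerate(raw.split("|")):
        out += part.encode("latin-1") if i % 2 == 0 else bytes.fromhex(part)
    return bytes(out)


def parse_rule(text: str) -> dict:
    """Return {'header': {...}, 'msg': str, 'sid': int, 'contents': [[bytes, nocase], ...]}."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule header: {text!r}")
    header = m.groupdict()
    rule = {"header": header, "msg": "", "sid": 0, "contents": []}
    for opt in OPT_RE.finditer(header.pop("opts")):
        key, val = opt["key"], (opt["val"] or "").strip()
        if key == "msg":
            rule["msg"] = val.strip('"')
        elif key == "content":
            rule["contents"].append([decode_content(val.strip('"')), False])
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # nocase applies to the preceding content
        elif key == "sid":
            rule["sid"] = int(val)
    return rule


def addr_matches(spec: str, ip: str, variables: dict) -> bool:
    """'any', '$VAR' (looked up in variables), '!spec' negation, or a CIDR/host."""
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not addr_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return addr_matches(variables[spec[1:]], ip, variables)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """'any', a single port, or a Snort-style 'low:high' range (either end optional)."""
    if spec == "any":
        return True
    if ":" in spec:
        low, high = spec.split(":", 1)
        return int(low or 0) <= port <= int(high or 65535)
    return port == int(spec)


def rule_matches(rule: dict, pkt: Packet, variables: dict) -> bool:
    h = rule["header"]
    if h["proto"] not in ("ip", pkt.proto):
        return False
    if not (addr_matches(h["src"], pkt.src, variables) and port_matches(h["sport"], pkt.sport)
            and addr_matches(h["dst"], pkt.dst, variables) and port_matches(h["dport"], pkt.dport)):
        return False
    for pattern, nocase in rule["contents"]:  # every content option must be found
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def alerts_for(rules, pkt: Packet, variables: dict) -> list:
    """Sids of every alert rule that fires on pkt (no event-queue or priority logic)."""
    return [r["sid"] for r in rules if r["header"]["action"] == "alert" and rule_matches(r, pkt, variables)]


# constructed sample variables, rules and packets (assumptions for this example, not from the book)
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!$HOME_NET"}
RULES = [parse_rule(r) for r in (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-ATTACKS /etc/passwd access"; '
    'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> $HOME_NET 80 (msg:"SHELLCODE x86 NOP sled"; '
    'content:"|90 90 90 90|"; sid:1000002; rev:1;)')]
PACKETS = [
    Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 80, b"GET /cgi-bin/view?f=../../ETC/PASSWD HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
    Packet("tcp", "192.168.1.20", 40002, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.0\r\n\r\n"),
    Packet("tcp", "203.0.113.5", 40003, "192.168.1.10", 80, b"\x90\x90\x90\x90\xcc\xcc"),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  sids={alerts_for(RULES, pkt, VARS)}")
```

Two details worth noticing: the third packet carries the same /etc/passwd string as the first but comes from inside $HOME_NET, so the $EXTERNAL_NET header test (the negation of $HOME_NET) stops the rule from firing, which is exactly the kind of scoping that keeps false positives down; and nocase is a modifier of the content option that precedes it, which is why the parser attaches it to the last content seen rather than to the rule as a whole.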
Introduces you to the world of detecting and responding to network and computer attacks using the Snort intrusion detection system (IDS)
Download the book Snort For Dummies