Caswell / Beale / Baker | Snort Intrusion Detection and Prevention Toolkit | E-Book | sack.de

E-book, English, 768 pages



1st edition, 2007
ISBN: 978-0-08-054927-9
Publisher: Elsevier Science & Techn.
Format: EPUB
Copy protection: 6 - ePub Watermark




This all-new book covers the brand-new Snort version 2.6 and is written by members of the Snort development team.
This fully integrated book and Web toolkit covers everything from packet inspection to optimizing Snort for speed to using the most advanced features of Snort to defend even the largest and most congested enterprise networks. Leading Snort experts Brian Caswell, Andrew Baker, and Jay Beale analyze traffic from real attacks to demonstrate the best practices for implementing the most powerful Snort features.
The companion material contains examples from real attacks, allowing readers to test their new skills. The book begins with a discussion of packet inspection and the progression from intrusion detection to intrusion prevention. The authors provide examples of packet inspection methods, including protocol standards compliance, protocol anomaly detection, application control, and signature matching. In addition, application-level vulnerabilities, including binary code in HTTP headers, HTTP/HTTPS tunneling, URL directory traversal, cross-site scripting, and SQL injection, are also analyzed. Next, a brief chapter on installing and configuring Snort highlights various methods for fine-tuning your installation to optimize Snort performance, including hardware/OS selection, finding and eliminating bottlenecks, and benchmarking and testing your deployment. A special chapter also details how to use Barnyard to improve the overall performance of Snort. Next, best practices are presented that allow readers to enhance the performance of Snort for even the largest and most complex networks. The following chapter reveals the inner workings of Snort by analyzing the source code. The next several chapters detail how to write, modify, and fine-tune basic to advanced rules and preprocessors. Detailed analysis of real packet captures is provided both in the book and in the companion material. Several examples of optimizing output plug-ins are then discussed, including a comparison of MySQL and PostgreSQL. Best practices for monitoring Snort sensors and analyzing intrusion data follow, with examples of real-world attacks using ACID, BASE, SGUIL, SnortSnarf, Snort_stat.pl, Swatch, and more.
The last part of the book contains several chapters on active response, intrusion prevention, and using Snort's most advanced capabilities for everything from forensics and incident handling to building and analyzing honeypots. Data from real-world attacks is presented throughout this part as well as on the companion website, http://booksite.elsevier.com/9781597490993/

This fully integrated book and Web toolkit covers everything in one convenient package.
It is authored by members of the Snort team and is packed full of their experience and expertise.
It includes full coverage of the brand-new Snort version 2.6, with all the latest information.
The companion website at http://booksite.elsevier.com/9781597490993/ contains all companion material.


Further information & material


Table of contents (with page numbers):

1   Front Cover (p. 1)
2   Snort® IDS and IPS Toolkit (p. 4)
3   Copyright Page (p. 5)
4   Contents (p. 18)
5   Foreword (p. 34)
6   Chapter 1. Intrusion Detection Systems (p. 36)
    6.1   Introduction (p. 37)
    6.2   What Is Intrusion Detection? (p. 37)
    6.3   How an IDS Works (p. 43)
    6.4   Why Are Intrusion Detection Systems Important? (p. 50)
    6.5   What Else Can You Do with Intrusion Detection Systems? (p. 58)
    6.6   What About Intrusion Prevention? (p. 60)
    6.7   Summary (p. 62)
    6.8   Solutions Fast Track (p. 62)
    6.9   Frequently Asked Questions (p. 65)
7   Chapter 2. Introducing Snort 2.6 (p. 66)
    7.1   Introduction (p. 67)
    7.2   What Is Snort? (p. 68)
    7.3   What's New in Snort 2.6 (p. 70)
    7.4   Snort System Requirements (p. 72)
    7.5   Exploring Snort's Features (p. 74)
    7.6   Using Snort on Your Network (p. 82)
    7.7   Security Considerations with Snort (p. 97)
    7.8   Summary (p. 100)
    7.9   Solutions Fast Track (p. 100)
    7.10  Frequently Asked Questions (p. 102)
8   Chapter 3. Installing Snort 2.6 (p. 104)
    8.1   Introduction (p. 105)
    8.2   Choosing the Right OS (p. 105)
    8.3   Hardware Platform Considerations (p. 125)
    8.4   Installing Snort (p. 133)
    8.5   Configuring Snort (p. 143)
    8.6   Testing Snort (p. 156)
    8.7   Maintaining Snort (p. 161)
    8.8   Updating Snort (p. 162)
    8.9   Summary (p. 164)
    8.10  Solutions Fast Track (p. 164)
    8.11  Frequently Asked Questions (p. 166)
9   Chapter 4. Configuring Snort and Add-Ons (p. 168)
    9.1   Placing Your NIDS (p. 169)
    9.2   Configuring Snort on a Windows System (p. 171)
    9.3   Configuring Snort on a Linux System (p. 188)
    9.4   Other Snort Add-Ons (p. 201)
    9.5   Demonstrating Effectiveness (p. 204)
    9.6   Summary (p. 206)
    9.7   Solutions Fast Track (p. 206)
    9.8   Frequently Asked Questions (p. 208)
10  Chapter 5. Inner Workings (p. 210)
    10.1  Introduction (p. 211)
    10.2  Snort Initialization (p. 211)
    10.3  Snort Packet Processing (p. 214)
    10.4  Inside the Detection Engine (p. 224)
    10.5  The Dynamic Detection Engine (p. 231)
    10.6  Summary (p. 256)
    10.7  Solutions Fast Track (p. 256)
    10.8  Frequently Asked Questions (p. 258)
11  Chapter 6. Preprocessors (p. 260)
    11.1  Introduction (p. 261)
    11.2  What Is a Preprocessor? (p. 261)
    11.3  Preprocessor Options for Reassembling Packets (p. 262)
    11.4  Preprocessor Options for Decoding and Normalizing Protocols (p. 286)
    11.5  Preprocessor Options for Nonrule or Anomaly-Based Detection (p. 302)
    11.6  Dynamic Preprocessors (p. 312)
    11.7  Experimental Preprocessors (p. 323)
    11.8  Summary (p. 325)
    11.9  Solutions Fast Track (p. 326)
    11.10 Frequently Asked Questions (p. 327)
12  Chapter 7. Playing by the Rules (p. 330)
    12.1  Introduction (p. 331)
    12.2  What Is a Rule? (p. 331)
    12.3  Understanding Rules (p. 337)
    12.4  Other Advanced Options (p. 349)
    12.5  Ordering for Performance (p. 352)
    12.6  Thresholding (p. 353)
    12.7  Suppression (p. 355)
    12.8  Packet Analysis (p. 356)
    12.9  Rules for Vulnerabilities, Not Exploits (p. 356)
    12.10 A Rule: Start to Finish (p. 357)
    12.11 Rules of Note (p. 361)
    12.12 Stupid Rule Tricks (p. 364)
    12.13 Keeping Rules Up to Date (p. 367)
    12.14 Summary (p. 375)
    12.15 Solutions Fast Track (p. 375)
    12.16 Frequently Asked Questions (p. 376)
13  Chapter 8. Snort Output Plug-Ins (p. 378)
    13.1  Introduction (p. 379)
    13.2  What Is an Output Plug-In? (p. 380)
    13.3  Exploring Snort's Output Plug-In Options (p. 382)
    13.4  Writing Your Own Output Plug-In (p. 405)
    13.5  Troubleshooting Output Plug-In Problems (p. 431)
    13.6  Add-On Tools (p. 433)
    13.7  Summary (p. 441)
    13.8  Solutions Fast Track (p. 442)
    13.9  Frequently Asked Questions (p. 443)
14  Chapter 9. Exploring IDS Event Analysis, Snort Style (p. 446)
    14.1  Introduction (p. 447)
    14.2  What Is Data Analysis? (p. 447)
    14.3  Data Analysis Tools (p. 458)
    14.4  Analyzing Snort Events (p. 511)
    14.5  Reporting Snort Events (p. 525)
    14.6  Summary (p. 528)
    14.7  Solutions Fast Track (p. 529)
    14.8  Frequently Asked Questions (p. 531)
15  Chapter 10. Optimizing Snort (p. 534)
    15.1  Introduction (p. 535)
    15.2  How Do I Choose the Hardware to Use? (p. 535)
    15.3  How Do I Choose the Operating System to Use? (p. 544)
    15.4  Speeding Up Snort (p. 551)
    15.5  Cranking Up the Database (p. 558)
    15.6  Benchmarking and Testing the Deployment (p. 561)
    15.7  Summary (p. 586)
    15.8  Solutions Fast Track (p. 587)
    15.9  Frequently Asked Questions (p. 589)
16  Chapter 11. Active Response (p. 592)
    16.1  Introduction (p. 593)
    16.2  Active Response versus Intrusion Prevention (p. 593)
    16.3  SnortSam (p. 605)
    16.4  Fwsnort (p. 621)
    16.5  snort_Inline (p. 639)
    16.6  Summary (p. 652)
    16.7  Solutions Fast Track (p. 652)
    16.8  Frequently Asked Questions (p. 654)
17  Chapter 12. Advanced Snort (p. 656)
    17.1  Introduction (p. 657)
    17.2  Monitoring the Network (p. 657)
    17.3  Configuring Channel Bonding for Linux (p. 658)
    17.4  Snort Rulesets (p. 659)
    17.5  Plug-Ins (p. 663)
    17.6  Preprocessor Plug-Ins (p. 664)
    17.7  Detection Plug-Ins (p. 671)
    17.8  Output Plug-Ins (p. 672)
    17.9  Snort Inline (p. 673)
    17.10 Solving Specific Security Requirements (p. 673)
    17.11 Summary (p. 677)
    17.12 Solutions Fast Track (p. 677)
    17.13 Frequently Asked Questions (p. 679)
18  Chapter 13. Mucking Around with Barnyard (p. 680)
    18.1  Introduction (p. 681)
    18.2  What Is Barnyard? (p. 682)
    18.3  Understanding the Snort Unified Files (p. 682)
    18.4  Installing Barnyard (p. 688)
    18.5  Configuring Barnyard (p. 691)
    18.6  Understanding the Output Plug-Ins (p. 699)
    18.7  Running Barnyard in Batch-Processing Mode (p. 716)
    18.8  Using the Continual-Processing Mode (p. 721)
    18.9  Deploying Barnyard (p. 726)
    18.10 Writing a New Output Plug-In (p. 732)
    18.11 Secret Capabilities of Barnyard (p. 744)
    18.12 Summary (p. 745)
    18.13 Solutions Fast Track (p. 745)
    18.14 Frequently Asked Questions (p. 749)
19  Index (p. 752)
20  GNU General Public License (p. 766)


