| Section | Page |
| --- | --- |
| Preface | p. vii |
| Installation and Optimization | p. 1 |
| Installing Snort from Source on Unix | p. 1 |
| Installing Snort Binaries on Linux | p. 4 |
| Installing Snort on Solaris | p. 5 |
| Installing Snort on Windows | p. 7 |
| Uninstalling Snort from Windows | p. 12 |
| Installing Snort on Mac OS X | p. 14 |
| Uninstalling Snort from Linux | p. 16 |
| Upgrading Snort on Linux | p. 17 |
| Monitoring Multiple Network Interfaces | p. 17 |
| Invisibly Tapping a Hub | p. 19 |
| Invisibly Sniffing Between Two Network Points | p. 19 |
| Invisibly Sniffing 100 MB Ethernet | p. 21 |
| Sniffing Gigabit Ethernet | p. 22 |
| Tapping a Wireless Network | p. 23 |
| Positioning Your IDS Sensors | p. 24 |
| Capturing and Viewing Packets | p. 27 |
| Logging Packets That Snort Captures | p. 30 |
| Running Snort to Detect Intrusions | p. 33 |
| Reading a Saved Capture File | p. 35 |
| Running Snort as a Linux Daemon | p. 36 |
| Running Snort as a Windows Service | p. 37 |
| Capturing Without Putting the Interface into Promiscuous Mode | p. 39 |
| Reloading Snort Settings | p. 39 |
| Debugging Snort Rules | p. 40 |
| Building a Distributed IDS (Plain Text) | p. 41 |
| Building a Distributed IDS (Encrypted) | p. 44 |
| Logging, Alerts, and Output Plug-ins | p. 51 |
| Logging to a File Quickly | p. 51 |
| Logging Only Alerts | p. 52 |
| Logging to a CSV File | p. 54 |
| Logging to a Specific File | p. 56 |
| Logging to Multiple Locations | p. 56 |
| Logging in Binary | p. 58 |
| Viewing Traffic While Logging | p. 60 |
| Logging Application Data | p. 61 |
| Logging to the Windows Event Viewer | p. 63 |
| Logging Alerts to a Database | p. 64 |
| Installing and Configuring MySQL | p. 65 |
| Configuring MySQL for Snort | p. 67 |
| Using PostgreSQL with Snort and ACID | p. 70 |
| Logging in PCAP Format (TCPDump) | p. 74 |
| Logging to Email | p. 75 |
| Logging to a Pager or Cell Phone | p. 77 |
| Optimizing Logging | p. 78 |
| Reading Unified Logged Data | p. 80 |
| Generating Real-Time Alerts | p. 81 |
| Ignoring Some Alerts | p. 82 |
| Logging to System Logfiles | p. 82 |
| Fast Logging | p. 83 |
| Logging to a Unix Socket | p. 84 |
| Not Logging | p. 86 |
| Prioritizing Alerts | p. 87 |
| Capturing Traffic from a Specific TCP Session | p. 88 |
| Killing a Specific Session | p. 89 |
| Rules and Signatures | p. 90 |
| How to Build Rules | p. 90 |
| Keeping the Rules Up to Date | p. 94 |
| Basic Rules You Shouldn't Leave Home Without | p. 98 |
| Dynamic Rules | p. 100 |
| Detecting Binary Content | p. 102 |
| Detecting Malware | p. 103 |
| Detecting Viruses | p. 104 |
| Detecting IM | p. 105 |
| Detecting P2P | p. 107 |
| Detecting IDS Evasion | p. 110 |
| Countermeasures from Rules | p. 114 |
| Testing Rules | p. 115 |
| Optimizing Rules | p. 116 |
| Blocking Attacks in Real Time | p. 117 |
| Suppressing Rules | p. 118 |
| Thresholding Alerts | p. 118 |
| Excluding from Logging | p. 119 |
| Carrying Out Statistical Analysis | p. 120 |
| Preprocessing: An Introduction | p. 125 |
| Detecting Stateless Attacks and Stream Reassembly | p. 126 |
| Detecting Fragmentation Attacks and Fragment Reassembly with Frag2 | p. 131 |
| Detecting and Normalizing HTTP Traffic | p. 136 |
| Decoding Application Traffic | p. 141 |
| Detecting Port Scans and Talkative Hosts | p. 142 |
| Getting Performance Metrics | p. 149 |
| Experimental Preprocessors | p. 155 |
| Writing Your Own Preprocessor | p. 156 |
| Administrative Tools | p. 157 |
| Managing Snort Sensors | p. 157 |
| Installing and Configuring IDScenter | p. 159 |
| Installing and Configuring SnortCenter | p. 167 |
| Installing and Configuring Snortsnarf | p. 173 |
| Running Snortsnarf Automatically | p. 175 |
| Installing and Configuring ACID | p. 175 |
| Securing ACID | p. 180 |
| Installing and Configuring Swatch | p. 181 |
| Installing and Configuring Barnyard | p. 183 |
| Administering Snort with IDS Policy Manager | p. 184 |
| Integrating Snort with Webmin | p. 190 |
| Administering Snort with HenWen | p. 196 |
| Newbies Playing with Snort Using EagleX | p. 201 |
| Log Analysis | p. 203 |
| Generating Statistical Output from Snort Logs | p. 203 |
| Generating Statistical Output from Snort Databases | p. 207 |
| Performing Real-Time Data Analysis | p. 208 |
| Generating Text-Based Log Analysis | p. 212 |
| Creating HTML Log Analysis Output | p. 214 |
| Tools for Testing Signatures | p. 215 |
| Analyzing and Graphing Logs | p. 220 |
| Analyzing Sniffed (Pcap) Traffic | p. 223 |
| Writing Output Plug-ins | p. 224 |
| Miscellaneous Other Uses | p. 225 |
| Monitoring Network Performance | p. 225 |
| Logging Application Traffic | p. 233 |
| Recognizing HTTP Traffic on Unusual Ports | p. 234 |
| Creating a Reactive IDS | p. 235 |
| Monitoring a Network Using Policy-Based IDS | p. 238 |
| Port Knocking | p. 240 |
| Obfuscating IP Addresses | p. 243 |
| Passive OS Fingerprinting | p. 244 |
| Working with Honeypots and Honeynets | p. 250 |
| Performing Forensics Using Snort | p. 252 |
| Snort and Investigations | p. 253 |
| Snort as Legal Evidence in the U.S. | p. 257 |
| Snort as Evidence in the U.K. | p. 258 |
| Snort as a Virus Detection Tool | p. 260 |
| Staying Legal | p. 263 |
| Index | p. 265 |
| Table of Contents provided by Ingram. All Rights Reserved. |