VSkills

Certified Snort Professional 

  • Offered by VSkills

Certified Snort Professional at VSkills
Overview

Various public and private companies also need Snort Professionals for their networking, security or IT departments

Duration

13 hours

Total fee

3,499

Mode of learning

Online

Credential

Certificate

Highlights

  • Earn a certificate of completion from Vskills
  • Get lifelong e-learning access
Course details

Who should do this course?
  • For professionals and graduates wanting to excel in their chosen areas
  • For those who are already working and would like to take certification for further career progression
More about this course
  • Vskills certification for Snort Professional assesses the candidate as per the company’s need for network security and assessment
  • The certification tests candidates on areas such as installing and running Snort, building an IDS, plug-ins, logging, alerts, log analysis, rules, signatures, preprocessing, Snortsnarf and other uses of Snort

Curriculum

Installation and Optimization

Introduction

Installing Snort from Source

Installing Snort

Upgrading Snort

Monitoring Multiple Network Interfaces

Invisibly Tapping a Hub

Invisibly Sniffing Between Two Network Points

Invisibly Sniffing MB Ethernet

Sniffing Gigabit Ethernet

Tapping a Wireless Network

Positioning Your IDS Sensors

Capturing and Viewing Packets

Logging Packets That Snort Captures

Running Snort to Detect Intrusions

Reading a Saved Capture File

Running Snort as a Linux Daemon

Running Snort as a Windows Service

Capturing Without Putting the Interface into Promiscuous Mode

Reloading Snort Settings

Debugging Snort Rules

Building a Distributed IDS

Logging, Alerts, and Output Plug-ins

Introduction

Logging to a File Quickly

Logging Only Alerts

Logging to a CSV File

Logging to a Specific File

Logging to Multiple Locations

Logging in Binary

Viewing Traffic While Logging

Logging Application Data

Logging to the Windows Event Viewer

Logging Alerts to a Database

Installing and Configuring MySQL

Configuring MySQL for Snort

Using PostgreSQL with Snort and ACID

Logging in PCAP Format (TCPDump)

Logging to Email

Logging to a Pager or Cell Phone

Optimizing Logging

Reading Unified Logged Data

Generating Real-Time Alerts

Ignoring Some Alerts

Logging to System Logfiles

Fast Logging

Logging to a Unix Socket

Not Logging

Prioritizing Alerts

Capturing Traffic from a Specific TCP Session

Killing a Specific Session

Rules and Signatures

Introduction

How to Build Rules

Keeping the Rules Up to Date

Basic Rules You Shouldn't Leave Home Without

Dynamic Rules

Detecting Binary Content

Detecting Malware

Detecting Viruses

Detecting IM

Detecting PP

Detecting IDS Evasion

Countermeasures from Rules

Testing Rules

Optimizing Rules

Blocking Attacks in Real Time

Suppressing Rules

Thresholding Alerts

Excluding from Logging

Carrying Out Statistical Analysis

Preprocessing

Introduction

Detecting Stateless Attacks and Stream Reassembly

Detecting Fragmentation Attacks and Fragment Reassembly with Frag

Detecting and Normalizing HTTP Traffic

Decoding Application Traffic

Detecting Port Scans and Talkative Hosts

Getting Performance Metrics

Experimental Preprocessors

Writing Your Own Preprocessor

Administrative Tools

Introduction

Managing Snort Sensors

Installing and Configuring IDScenter

Installing and Configuring SnortCenter

Installing and Configuring Snortsnarf

Running Snortsnarf Automatically

Installing and Configuring ACID

Securing ACID

Installing and Configuring Swatch

Installing and Configuring Barnyard

Administering Snort with IDS Policy Manager

Integrating Snort with Webmin

Administering Snort with HenWen

Newbies Playing with Snort Using EagleX

Log Analysis

Introduction

Generating Statistical Output from Snort Logs

Generating Statistical Output from Snort Databases

Performing Real-Time Data Analysis

Generating Text-Based Log Analysis

Creating HTML Log Analysis Output

Tools for Testing Signatures

Analyzing and Graphing Logs

Analyzing Sniffed (Pcap) Traffic

Writing Output Plug-ins

Other Uses

Introduction

Monitoring Network Performance

Logging Application Traffic

Recognizing HTTP Traffic on Unusual Ports

Creating a Reactive IDS

Monitoring a Network Using Policy-Based IDS

Port Knocking

Obfuscating IP Addresses

Passive OS Fingerprinting

Working with Honeypots and Honeynets

Performing Forensics Using Snort

Snort and Investigations

Snort as Legal Evidence in the US

Snort as Evidence in the UK

Snort as a Virus Detection Tool

Staying Legal
