How to Use the Open Source Intrusion Detection System SNORT
Intrusion detection is not for the faint at heart. But, if you are a network administrator
chances are you're under increasing pressure to ensure that mission-critical systems
are safe - in fact impenetrable - from malicious code, buffer overflows, stealth port
scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders.
Designing a reliable way to detect intruders before they get in is a vital but daunting challenge.
Because of this, a plethora of complex, sophisticated, and pricy software solutions are
In terms of raw power and features, SNORT, the most commonly used Open Source
Intrusion Detection System, (IDS) has begun to eclipse many expensive proprietary IDSes.
In terms of documentation or ease of use, however, SNORT can seem overwhelming. Which
output plugin to use? How do you to email alerts to yourself? Most importantly, how do
you sort through the immense amount of information Snort makes available to you? Many
intrusion detection books are long on theory but short on specifics and practical examples. Not
Managing Security with Snort and IDS Tools.
This new book is a thorough, exceptionally practical guide to managing network security
using Snort 2.1 (the latest release) and dozens of other high-quality open source other open
source intrusion detection programs.
Managing Security with Snort and IDS Tools covers reliable methods for detecting
network intruders, from using simple packet sniffers to more sophisticated IDS (Intrusion
Detection Systems) applications and the GUI interfaces for managing them. A comprehensive
but concise guide for monitoring illegal entry attempts, this invaluable new book explains
how to shut down and secure workstations, servers, firewalls, routers, sensors and other
In the old days (two years ago or so), a firewall was most of what an administrator
needed to protect a network from attack. It was easy to establish where your
network ended and the Internet began. Technological advances and decreasing costs for
wide area network technologies have eroded this concept of a perimeter. VPNs have
all but replaced conventional dial-up modem pools. Most users have high-speed DSL
or cable modem service, and the VPN makes the user feel like he's sitting at his
desk. Some VPNs use an appliance that sits on the perimeter of the network and has
the capability of controlling how the network is used remotely. While this is a boon
for telecommuters, it is a real risk for most networks. A virus-infected system
on the user's home network suddenly has unfettered access to the inside of your
network. That high-speed highway into your network can allow rapid propagation of
an aggressive worm.
Connections to business partners used to be an expensive proposition and were only
for the most well-to-do organizations. Dedicated T1 links are expensive. With less
expensive network options (not to mention network-to-network VPN connections),
this cost has decreased significantly. This allows many organizations to connect their
network to yours - sometimes directly into the internal network. Without real precautions
in place, security problems on the partner networks quickly become security
problems on your network - very often undetected until much damage is done.
Whether you trust your partner to that extent is another matter.
When deploying troops in a theater of war, a general has to consider all the ways an
enemy might attack: by land (either at the front line, or a commando raid behind the
lines), by sea (surface ships or submarines), or by air (helicopters, fighters, bombers,
missiles, or artillery). The general has to deploy defenses against all potential vectors
of attack. he doesn't just trust the trenches at the front line for all his security. He
will deploy troops to the front line, as well as at high-value assets behind the lines.
He will deploy a variety of ant-submarine and anti-surface ship defenses. he will
deploy a variety of anti-air assets to protect against the various air threats. This concept
of multiple overlapping defensive measures is known as defence-in-depth.