Document: Managing Security with Snort and IDS Tools

Discussion in 'Accounting - Auditing' started by Thúy Viết Bài, 5/12/13.

  1. Thúy Viết Bài

    Copyright
    Preface
    Audience
    About This Book
    Assumptions This Book Makes
    Chapter Synopsis
    Conventions Used in This Book
    Comments and Questions
    Acknowledgments
    Chapter 1. Introduction

    Section 1.1. Disappearing Perimeters
    Section 1.2. Defense-in-Depth
    Section 1.3. Detecting Intrusions (a Hierarchy of Approaches)
    Section 1.4. What Is NIDS (and What Is an Intrusion)?
    Section 1.5. The Challenges of Network Intrusion Detection
    Section 1.6. Why Snort as an NIDS?
    Section 1.7. Sites of Interest
    Chapter 2. Network Traffic Analysis
    Section 2.1. The TCP/IP Suite of Protocols
    Section 2.2. Dissecting a Network Packet
    Section 2.3. Packet Sniffing
    Section 2.4. Installing tcpdump
    Section 2.5. tcpdump Basics
    Section 2.6. Examining tcpdump Output
    Section 2.7. Running tcpdump
    Section 2.8. ethereal
    Section 2.9. Sites of Interest
    Chapter 3. Installing Snort
    Section 3.1. About Snort
    Section 3.2. Installing Snort
    Section 3.3. Command-Line Options
    Section 3.4. Modes of Operation
    Chapter 4. Know Your Enemy
    Section 4.1. The Bad Guys
    Section 4.2. Anatomy of an Attack: The Five Ps
    Section 4.3. Denial-of-Service
    Section 4.4. IDS Evasion
    Section 4.5. Sites of Interest
    Chapter 5. The snort.conf File
    Section 5.1. Network and Configuration Variables
    Section 5.2. Snort Decoder and Detection Engine Configuration
    Section 5.3. Preprocessor Configurations
    Section 5.4. Output Configurations
    Section 5.5. File Inclusions
    Chapter 6. Deploying Snort
    Section 6.1. Deploy NIDS with Your Eyes Open
    Section 6.2. Initial Configuration
    Section 6.3. Sensor Placement
    Section 6.4. Securing the Sensor Itself
    Section 6.5. Using Snort More Effectively
    Section 6.6. Sites of Interest
    Chapter 7. Creating and Managing Snort Rules
    Section 7.1. Downloading the Rules
    Section 7.2. The Rule Sets
    Section 7.3. Creating Your Own Rules
    Section 7.4. Rule Execution
    Section 7.5. Keeping Things Up-to-Date
    Section 7.6. Sites of Interest
    Chapter 8. Intrusion Prevention
    Section 8.1. Intrusion Prevention Strategies
    Section 8.2. IPS Deployment Risks
    Section 8.3. Flexible Response with Snort
    Section 8.4. The Snort Inline Patch
    Section 8.5. Controlling Your Border
    Section 8.6. Sites of Interest
    Chapter 9. Tuning and Thresholding
    Section 9.1. False Positives (False Alarms)
    Section 9.2. False Negatives (Missed Alerts)
    Section 9.3. Initial Configuration and Tuning
    Section 9.4. Pass Rules
    Section 9.5. Thresholding and Suppression
    Chapter 10. Using ACID as a Snort IDS Management Console
    Section 10.1. Software Installation and Configuration
    Section 10.2. ACID Console Installation
    Section 10.3. Accessing the ACID Console
    Section 10.4. Analyzing the Captured Data
    Section 10.5. Sites of Interest
    Chapter 11. Using SnortCenter as a Snort IDS Management Console
    Section 11.1. SnortCenter Console Installation
    Section 11.2. SnortCenter Agent Installation
    Section 11.3. SnortCenter Management Console
    Section 11.4. Logging In and Surveying the Layout
    Section 11.5. Adding Sensors to the Console
    Section 11.6. Managing Tasks
    Chapter 12. Additional Tools for Snort IDS Management
    Section 12.1. Open Source Solutions
    Section 12.2. Commercial Solutions
    Chapter 13. Strategies for High-Bandwidth Implementations of Snort
    Section 13.1. Barnyard (and Sguil)
    Section 13.2. Commercial IDS Load Balancers
    Section 13.3. The IDS Distribution System (I(DS)2)
    Appendix A. Snort and ACID Database Schema
    Section A.1. acid_ag
    Appendix B. The Default snort.conf File
    Appendix C. Resources

    Section C.1. From Chapter 1: Introduction
    Section C.2. From Chapter 2: Network Traffic Analysis
    Section C.3. From Chapter 4: Know Your Enemy
    Section C.4. From Chapter 6: Deploying Snort
    Section C.5. From Chapter 7: Creating and Managing Snort Rules
    Section C.6. From Chapter 8: Intrusion Prevention
    Section C.7. From Chapter 10: Using ACID as a Snort IDS Management Console
    Section C.8. From Chapter 12: Additional Tools for Snort IDS Management
    Section C.9. From Chapter 13: Strategies for High-Bandwidth Implementations of Snort
    Colophon
    Index
     
