To paraphrase Bruce Schneier, banks do not depend solely on vaults to keep
their assets safe; they also employ detection and response mechanisms in
the form of alarms and guards. Your network, or more properly the data on
it, is one of the most important assets your company has. You already
protect it with a vault -- your firewall, and logical and physical perimeter
security. But if you don't have alarms (intrusion-detection systems) and guards (incident response), you are not as secure as you could
be.
Arguably one of the best network intrusion-detection systems (NIDS) is the free and open source Snort package. It has a large and
active community, and is backed by the commercial company SourceFire, making Snort a
strong contender in the NIDS market. The package itself is free. All
that's required is some hardware to run it on and the time to install,
configure and maintain it. Snort runs on any modern operating system
(including Windows and Linux), but some consider it to be complicated to
operate. The goal of this guide is to take some of the mystery out of
Snort.
SNORT TECHNICAL GUIDE
Why Snort makes IDS worth the time and effort
How to identify ports
How to deal with switches and segments
Where to place IDS sensors
What OS to use for Snort sensors
How to determine how many interfaces a sensor needs
How to modify and write custom Snort rules
How to define Snort's configuration variables
Where to find Snort rules
How to automatically update Snort rules
How to decipher the Oinkcode
How to verify that Snort is operating
ABOUT THE AUTHOR:
|
JP Vossen, CISSP, is a Senior Security Engineer for Counterpane Internet Security. He is involved with various open source
projects including Snort, and has previously worked as an information security consultant and systems engineer.
|
|
