Library of Congress Control Number: 2004102600
ISBN: 0-7645-6835-3
Manufactured in the United States of America

About the Authors

Charlie Scott is an Information Security Analyst for the City of Austin, where he helps maintain the City's network security infrastructure and helps analyze intrusion detection data. He has nearly ten years of experience in the Internet industry and has been an avid user of open source security software that entire time. Charlie is a Certified Information Systems Security Professional (CISSP) and a Cisco Certified Network Professional (CCNP).

Bert Hayes is a Security Technical Analyst for the State of Texas, where he maintains network security for a medium-sized agency. In Bert's ten years of IT industry experience, he has done everything from managing a corporate IT shop during a successful IPO to performing white hat penetration tests for corporate and government offices. He has long been a proponent of open source solutions, and is a Red Hat Certified Engineer (RHCE).

Paul Wolfe is an independent information security consultant and author, specializing in open source security.

Authors' Acknowledgments

This book benefited greatly from the research and writing contribution of Mike Erwin, an early collaborator on this project. Mike is the president and CEO of Symbiot, Inc., a developer of an intelligent security infrastructure management system designed to interoperate with intrusion detection systems and other pieces of security infrastructure. Mike has fifteen years of experience in network operations and security, has co-authored over a half-dozen books, and is a Certified Information Systems Security Professional (CISSP).

The authors collectively bow to the developers of the myriad of security tools covered in this book, especially Marty Roesch, for answering our questions and creating Snort in the first place!

The authors also thank Melody Layne, Pat O'Brien, and the rest of the Wiley team for their hard work and prodding, and our agent Carole McClendon of Waterside Productions. They also thank Jamie Pugh of Symbiot for his incisive technical review.

Bert dedicates his portion of the book to everyone who would rather build his or her own system than buy one off the shelf. He also acknowledges the unwavering love and support of his wife Kate, the loyalty of his pets, and the wisdom of his parents.

Paul thanks Nikolaus, Lukas, Rayna, Jesse and Brenda, whose support makes his work possible (and necessary . . .). And finally, thanks to Charlie for ruling this project with the iron grip of a dictator. Bastard.

Acquisitions, Editorial, and Media Development
Project Editor: Pat O'Brien
Acquisitions Editor: Melody Layne
Copy Editor: Barry Childs-Helton
Technical Editor: Jamie Pugh
Editorial Manager: Kevin Kirschner
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant (www.the5thwave.com)

Composition
Project Coordinator: Courtney MacIntyre
Layout and Graphics: Andrea Dahl, Stephanie D. Jumper, Lynsey Osborn, Heather Ryan
Proofreaders: Laura Albert, David Faust, Andy Hollandbeck, Brian H. Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services

Publishing and Editorial for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director
Corder, Editorial Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction ... 1

Part I: Getting to Know Snort and Intrusion Detection ... 5
Chapter 1: Looking Up Snort's Nose ... 7
Chapter 2: Fitting In Snort ... 19
Chapter 3: Readying Your Preflight Checklist ... 29
Chapter 4: Makin' Bacon: Installing Snort for Linux ... 41
Chapter 5: Installing Snort and MySQL for Windows ... 77

Part II: Administering Your Snort Box ... 105
Chapter 6: Snorting Through Logs and Alerts ... 107
Chapter 7: Adding Visuals and Getting Reports ... 133
Chapter 8: Making Your Own Rules ... 175
Chapter 9: What, Me Worry? ... 199
Chapter 10: Dealing with the Real Thing ... 217

Part III: Moving Beyond the Basics ... 241
Chapter 11: Reacting in Real Time ... 243
Chapter 12: Keeping Snort Up to Date ... 263
Chapter 13: Filling Your Farm with Pigs ... 275
Chapter 14: Using the Barnyard Output Tool ... 295
