IDS and IPS with Snort 3: Get Up and Running with Snort 3 and Discover Effective Solutions to Your Security Issues

Learn the essentials of Snort 3.0, including installation, configuration, system architecture, and tuning, to develop effective intrusion detection and prevention solutions with this easy-to-follow guide. Key Features: Get to grips with the fundamentals of IDS/IPS and its role in network defense; Explor...


Bibliographic Details
Other Authors: Thomas, Ashley, author (author)
Format: Electronic book
Language: English
Published: Birmingham, England : Packt Publishing Ltd [2024]
Edition: First edition
Subjects:
View at Universitat Ramon Llull Library: https://discovery.url.edu/permalink/34CSUC_URL/1im36ta/alma991009853381106719
Table of Contents:
  • Cover
  • Title Page
  • Copyright and Credits
  • Contributors
  • Table of Contents
  • Preface
  • Part 1: The Background
  • Chapter 1: Introduction to Intrusion Detection and Prevention
  • The need for information security
  • Defense-in-depth strategy
  • Firewalls (network and host layers)
  • Intrusion detection and prevention systems (network and host layers)
  • Endpoint detection and response (host layer)
  • Web application firewalls (network and host layers)
  • Mail security gateway (network)
  • Log management and monitoring (network and host)
  • The role of network IDS and IPS
  • Types of intrusion detection
  • Signature-based intrusion detection
  • Anomaly-based intrusion detection
  • Hybrid intrusion detection
  • The state of the art in IDS/IPS
  • Stateful analysis
  • Fast packet acquisition
  • Parallel processing
  • Pattern matching
  • Extending rule language
  • App and protocol identification
  • File analysis
  • IDS/IPS metrics
  • Detection accuracy
  • Performance-related IDS/IPS metrics
  • IDS/IPS evaluation and comparison
  • Evasions and attacks
  • IDS/IPS evasions
  • Attacks against the IDS/IPS
  • Summary
  • Chapter 2: The History and Evolution of Snort
  • The beginning of Snort
  • Snort 1 - key features and limitations
  • Snort 2 - key features, improvements, and limitations
  • Snort 2.9
  • The need for Snort 3
  • Summary
  • Part 2: Snort 3 - The New Horizon
  • Chapter 3: Snort 3 - System Architecture and Functionality
  • Design goals
  • High performance
  • Pluggable modular architecture
  • Configurability and customizability
  • Efficiency
  • Key components
  • DAQ module
  • Codecs
  • Inspectors
  • Detection or rule engine
  • Configuration module
  • Alerting and logging module
  • Snort 3 system architecture
  • Multithreading
  • Packet analysis flow within each Snort thread
  • Summary
  • Chapter 4: Installing Snort 3
  • Choosing an OS for installing Snort 3
  • Snort 3 installation process
  • Preparing the system
  • Installing dependencies
  • Installing Snort 3
  • Installing Snort 3 on CentOS
  • Preparing the system
  • Installing build tools
  • Installing dependencies
  • Installing Snort 3
  • Installing Snort 3 on Kali (Debian)
  • Preparing the system
  • Installing dependencies
  • Installing Snort 3
  • Summary
  • Chapter 5: Configuring Snort 3
  • Configuring Snort 3 - how?
  • Command-line arguments
  • Configuration files
  • Configuring Snort 3 - what?
  • Configuring defaults
  • Configuring inspection
  • Configuring bindings
  • Configuring performance
  • Configuring detection
  • Configuring filters
  • Configuring output
  • Configuring your environment
  • HOME_NET
  • EXTERNAL_NET
  • HTTP_PORTS
  • The stream_tcp inspector
  • Optimal configuration and tuning
  • Managing multiple policies and configurations
  • Summary
  • Part 3: Snort 3 Packet Analysis
  • Chapter 6: Data Acquisition
  • The functionality of the DAQ layer
  • The performance of the DAQ Layer
  • Factors affecting packet capture performance
  • The consequence of packet capture performance degradation
  • Packet capture in Snort
  • Before DAQ
  • The DAQ module - introduced in Snort 2.9
  • The Snort 3 implementation of the DAQ layer
  • The DAQ library API
  • DAQ modules
  • Configuring DAQ
  • Summary
  • Chapter 7: Packet Decoding
  • OSI layering and packet structure
  • Data encapsulation and decapsulation
  • The role of packet decoding (Codecs)
  • Packet decoding in Snort 3
  • EthCodec - a layer 2 codec
  • IPv4Codec - a layer 3 codec
  • TcpCodec - a layer 4 codec
  • Code structure and other codecs
  • Summary
  • Chapter 8: Inspectors
  • The role of inspectors
  • Types of inspectors
  • Network inspectors
  • Service inspectors
  • Stream inspectors
  • Snort 3 inspectors
  • Network inspectors
  • Service inspectors
  • Stream inspectors
  • Wizard and binder inspectors
  • Summary
  • Chapter 9: Stream Inspectors
  • Relevant protocols for the stream inspector
  • IP
  • ICMP
  • TCP
  • UDP
  • Flow
  • The stream inspectors
  • stream_ip
  • stream_udp
  • stream_icmp
  • stream_tcp
  • stream_base
  • Summary
  • Chapter 10: HTTP Inspector
  • Basics of HTTP
  • HTTP request
  • HTTP response
  • HTTP/2
  • HTTP inspector
  • HTTP buffers
  • HTTP/2 inspector
  • HTTP inspector configuration
  • Summary
  • Chapter 11: DCE/RPC Inspectors
  • A DCE/RPC overview
  • Connectionless versus connection-oriented DCE/RPC
  • DCE/RPC inspectors
  • DCE/RPC rule options
  • Exercise
  • Summary
  • Chapter 12: IP Reputation
  • Background
  • IP address as an entity - use of blocklists
  • Challenges
  • History of IP blocking in Snort
  • Configuration of the IP reputation inspector module
  • Functionality of the IP reputation inspector
  • Data structure for storing IP reputation scores
  • IP reputation inspector - alerts and pegs
  • Summary
  • Part 4: Rules and Alerting
  • Chapter 13: Rules
  • Snort rule - the structure
  • Service rule
  • File rule
  • File identification rule
  • Rule header
  • Traditional rule header
  • Rule options
  • General rule options
  • Payload options
  • Non-payload options
  • Recommendations for writing good rules
  • Using fast_pattern wisely
  • Using the inspection buffers for rule matching
  • Defining the right service or protocol
  • Summary
  • Chapter 14: Alert Subsystem
  • Post-inspection processing
  • Event generation
  • Event thresholding
  • Applying a rule action to a packet
  • Logging the alert
  • Alert formats
  • CSV format
  • Unified2 format
  • Alert Fast format
  • Alert Full format
  • JSON format
  • Summary
  • Chapter 15: OpenAppID
  • The OpenAppID feature
  • Design and architecture
  • Detectors
  • The inspector
  • The rules
  • Exercise
  • Summary
  • Chapter 16: Miscellaneous Topics on Snort 3
  • Snort 2 to Snort 3 migration
  • Migrating the rules
  • Migrating configurations
  • Troubleshooting Snort 3
  • Why is the Snort rule for XYZ not alerting?
  • Snort is crashing!
  • Help! Got support?
  • Summary
  • Index
  • Other Books You May Enjoy