For the record, 'Roesch' is pronounced like 'fresh' without the 'f'. Additionally, 'Ruiu' is pronounced like 'screw you' without the 'sc'. Jed's last name is like 'pick-el', not 'pickle'.
Nope. fyodor@insecure.org is the author of nmap; he uses 'Fyodor' as a pseudonym, and it happens to be the real name of Snort's Fyodor. Yeah, it messes up my mailbox too, but I think it's too late to change either of them.
Check the website, http://www.snort.org/. Other good resources are available in the source distribution, including the Snort Users Manual and the USAGE file. There is also an excellent mailing list, snort-users; you can find out how to sign up at http://www.snort.org/lists.html. You can also join #snort on irc.freenode.net.
All of the following offer courses on Intrusion Detection:
There are many good books on Intrusion Detection. Here are just a few:
Title | Author(s) | Publisher | ISBN
--- | --- | --- | ---
Snort: The Complete Guide to Intrusion Detection | Jeff Nathan, Dragos Ruiu & Jed Haile | Wiley & Sons | 0471455970
Intrusion Detection with Snort: Advanced IDS Techniques | Rafeeq Rehman | Prentice Hall | 0131407333
Snort Intrusion Detection | Ryan Russell | Syngress Media | 1931836744
Snort Intrusion Detection | Jack Koziol | New Riders | 157870281X
Network Intrusion Detection: An Analyst's Handbook | Stephen Northcutt | New Riders | 0735708681
Intrusion Signatures and Analysis | Stephen Northcutt | New Riders | 0735710635
TCP/IP Illustrated, Volume 1: The Protocols | W. Richard Stevens | Addison-Wesley | 0201633469
Intrusion Detection | Rebecca G. Bace | Macmillan Technical Publishing | 1578701856
Yes, use the frag2 preprocessor.
Yes, check out the stream4 preprocessor (see FAQ ), which does stateful analysis, session logging, TCP stream reassembly and much more.
Yes. stream4 does this as well (see FAQ ).
Short version:
Being able to sniff on a switched network depends on what type of switch is being used. If the switch can mirror traffic, then set the switch to mirror all traffic to the Snort machine's port.
Extended version:
There are several ways of deploying NIDS in switched environments which all have their pros and cons. Which method applies to your needs depends on what kind of segments you want to monitor and on your budget. Here are the most common methods:
It is now possible to defeat these kinds of noise generators with the stream4 preprocessor (see FAQ ): in stateful mode, Snort only alerts on TCP traffic that belongs to an established session, and a flood of single spoofed packets never completes a handshake. Even without stream4 enabled, Snort will weather the alert storm without falling over or losing many alerts, because it is highly optimized. Tools that generate huge numbers of alerts also warn a good analyst that someone is trying to sneak past their defenses.
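Here is the stateful-inspection idea from the stream4 answers above and from this one, as an added Python example that is not Snort's or stream4's own code: a toy TCP session tracker that hands payload to the content matcher only once it has seen the three-way handshake, and that reassembles segments in sequence order before matching. The content string `/bin/sh`, the packet tuples, the spoofed-source noise and the split-signature session are all constructed for the example. Run against the same packets, a stateless per-packet matcher fires on every noise packet and misses the signature split across two segments; the stateful tracker does the reverse.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SIGNATURE = b"/bin/sh"   # constructed stand-in for a rule's content match


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""       # any of S, A, P, F, R
    seq: int = 0
    payload: bytes = b""


def stateless_alerts(packets: List[Packet]) -> List[Packet]:
    """Per-packet matching with no session context: every packet is judged alone."""
    return [p for p in packets if SIGNATURE in p.payload]


@dataclass
class Session:
    state: str = "SYN_SEEN"                    # SYN_SEEN -> SYNACK_SEEN -> ESTABLISHED
    isn: Dict[tuple, int] = field(default_factory=dict)              # initial seq per sender
    segments: Dict[tuple, Dict[int, bytes]] = field(default_factory=dict)
    alerted: bool = False


def contiguous(buf: Dict[int, bytes]) -> bytes:
    """Join buffered segments in sequence order, stopping at the first gap."""
    out, off = b"", 0
    while off in buf:
        out += buf[off]
        off += len(buf[off])
    return out


class StatefulTracker:
    """Toy stream4-like inspector: only established, reassembled TCP streams are matched."""

    def __init__(self) -> None:
        self.sessions: Dict[tuple, Session] = {}

    @staticmethod
    def key(p: Packet) -> tuple:
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return a + b if a < b else b + a       # same key for both directions

    def feed(self, p: Packet) -> List[Tuple[Packet, bytes]]:
        k, sender = self.key(p), (p.src, p.sport)
        s = self.sessions.get(k)
        if "S" in p.flags and "A" not in p.flags:         # client SYN opens tracking
            self.sessions[k] = Session(isn={sender: p.seq})
            return []
        if s is None:                                     # no handshake seen: not inspected
            return []
        if "S" in p.flags and s.state == "SYN_SEEN":      # server SYN/ACK
            s.state, s.isn[sender] = "SYNACK_SEEN", p.seq
            return []
        if s.state == "SYNACK_SEEN" and "A" in p.flags:   # client ACK completes the handshake
            s.state = "ESTABLISHED"
        if "R" in p.flags or "F" in p.flags:              # teardown: forget the session
            self.sessions.pop(k)
            return []
        if s.state != "ESTABLISHED" or not p.payload or s.alerted:
            return []
        buf = s.segments.setdefault(sender, {})
        buf[p.seq - s.isn[sender] - 1] = p.payload        # the SYN consumed one sequence number
        stream = contiguous(buf)
        if SIGNATURE in stream:
            s.alerted = True
            return [(p, stream)]
        return []


def stick_noise(count: int = 3) -> List[Packet]:
    """Constructed stick/snot-style noise: lone ACK|PSH packets, no handshake, signature inside."""
    return [Packet(f"10.{i}.{i}.{i}", 40000 + i, "192.168.1.10", 80, "AP", 5000, b"GET /bin/sh")
            for i in range(count)]


def real_session() -> List[Packet]:
    """Constructed handshake, then the signature split across two out-of-order segments."""
    c, s = ("172.16.0.5", 33333), ("192.168.1.10", 80)
    return [
        Packet(*c, *s, "S", 1000),
        Packet(*s, *c, "SA", 7000),
        Packet(*c, *s, "A", 1001),
        Packet(*c, *s, "AP", 1005, b"/sh"),    # second half arrives first
        Packet(*c, *s, "AP", 1001, b"/bin"),   # first half arrives late
    ]


def run_demo() -> Tuple[int, int, bytes]:
    """(stateless alert count, stateful alert count, stream the stateful tracker alerted on)."""
    packets = stick_noise() + real_session()
    tracker = StatefulTracker()
    stateful = [a for p in packets for a in tracker.feed(p)]
    return len(stateless_alerts(packets)), len(stateful), stateful[0][1] if stateful else b""
```

`run_demo()` is the entry point and returns the two alert counts plus the reassembled stream that fired. The state machine is deliberately minimal (no window or ACK-number checks, no timeouts, one alert per session); the point is that noise which never completes a handshake is never inspected, and that matching happens on the reassembled stream rather than on individual segments, which is what catches the split signature the stateless matcher misses.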
Yes, and this could defeat some of the NOP sled detection signatures, but the ordinary exploit rules should not be affected by this kind of obfuscation. The fnord preprocessor attempts to detect polymorphic shellcode by looking for sleds built from NOP-equivalent instructions rather than literal 0x90 bytes.
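As an added Python example (not fnord's code; the opcode table and payloads are constructed here): a literal 0x90-run rule beside a fnord-style check that counts consecutive single-byte NOP-equivalent x86 instructions. The polymorphic sled defeats the first and is caught by the second; the uppercase-ASCII run at the end shows the false positive a practitioner has to expect, since 0x41 through 0x4f are also `inc`/`dec` instructions.

```python
import random

# Single-byte x86 instructions that work as sled filler: nop, inc/dec reg (0x40-0x4f),
# xchg eax,reg (0x91-0x97), cwde, cdq, fwait, sahf, lahf, cmc, clc, stc, cld, std,
# daa, das, aaa, aas. Constructed set for this example, not fnord's own table.
NOP_EQUIVALENTS = frozenset(
    [0x90] + list(range(0x40, 0x50)) + list(range(0x91, 0x98))
    + [0x98, 0x99, 0x9B, 0x9E, 0x9F, 0xF5, 0xF8, 0xF9, 0xFC, 0xFD, 0x27, 0x2F, 0x37, 0x3F]
)


def classic_sled_rule(payload: bytes, depth: int = 14) -> bool:
    """Stand-in for a content rule that looks for a run of literal 0x90 bytes."""
    return b"\x90" * depth in payload


def fnord_style(payload: bytes, threshold: int = 14) -> bool:
    """Alert when `threshold` consecutive bytes are all single-byte NOP equivalents."""
    run = 0
    for b in payload:
        run = run + 1 if b in NOP_EQUIVALENTS else 0
        if run >= threshold:
            return True
    return False


def polymorphic_sled(length: int, seed: int = 1) -> bytes:
    """Constructed sled that never uses 0x90 yet still executes as harmless filler."""
    rng = random.Random(seed)
    filler = sorted(NOP_EQUIVALENTS - {0x90})
    return bytes(rng.choice(filler) for _ in range(length))


def evaluate(payload: bytes) -> dict:
    """Run both detectors over one payload."""
    return {"classic": classic_sled_rule(payload), "fnord_style": fnord_style(payload)}


if __name__ == "__main__":
    tail = b"\xcc" * 4   # constructed stand-in for whatever follows the sled
    samples = [
        ("classic sled", b"\x90" * 32 + tail),
        ("polymorphic sled", polymorphic_sled(32) + tail),
        ("plain text", b"GET /index.html HTTP/1.0\r\n"),
        ("uppercase run", b"A" * 20),   # 0x41 = inc ecx: a false positive
    ]
    for name, sample in samples:
        print(f"{name:17s} {evaluate(sample)}")
```

The threshold is the tuning knob: lower it and ordinary protocol text with long runs of capital letters or digits-adjacent bytes starts to alert, raise it and short sleds slip through.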
Yes. The packets are logged under the directory named after the source IP address of the packet that generated the alert. If you are using binary logging, there is a single packet-capture file (tcpdump/pcap format) in the logging directory instead.
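To locate those directories from an alert file, here is an added Python example (not Snort code) that parses Snort's one-line "fast" alert format and derives the per-source-IP packet directory described above. The sample alert lines are constructed, and `/var/log/snort` is assumed as the log directory.

```python
import os
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Fast alert line: timestamp, [**] [gid:sid:rev] msg [**], optional classification and
# priority, {PROTO}, then src[:port] -> dst[:port]. The [gid:sid:rev] block is optional
# because older Snort versions omit it; ICMP lines carry no ports.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"(?:\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[A-Z]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?\s*$"
)


def parse_fast_alert(line: str) -> Optional[dict]:
    """Return the alert fields as a dict, or None if the line is not a fast-format alert."""
    m = FAST_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k]) if d[k] is not None else None
    return d


def packet_dir(alert: dict, logdir: str = "/var/log/snort") -> str:
    """Directory holding the logged packets for this alert: named after the source IP."""
    return os.path.join(logdir, alert["src"])


def dirs_by_source(lines: List[str], logdir: str = "/var/log/snort") -> Dict[str, List[str]]:
    """Map each expected packet directory to the alert messages whose packets land there."""
    out: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        alert = parse_fast_alert(line)
        if alert:
            out[packet_dir(alert, logdir)].append(alert["msg"])
    return dict(out)


# Constructed sample alerts in fast format (not from a real sensor).
SAMPLE_ALERTS = [
    "01/24-12:34:56.789012  [**] [1:1000001:1] EXAMPLE /bin/sh in request [**] "
    "[Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:4321 -> 192.168.1.10:80",
    "01/24-12:35:01.000001  [**] [1:1000002:1] EXAMPLE ICMP probe [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10",
    "01/24-12:36:00.500000  [**] EXAMPLE legacy-format alert [**] {UDP} 172.16.9.9:5353 -> 192.168.1.10:53",
    "this line is not an alert",
]

if __name__ == "__main__":
    for directory, msgs in sorted(dirs_by_source(SAMPLE_ALERTS).items()):
        print(f"{directory}: {len(msgs)} alert(s): {msgs}")
```

With `-b` binary logging there is no per-IP tree to walk; everything is in one capture file, so the source address from the alert line is then used as a filter expression for tcpdump or a second Snort read-back pass rather than as a path.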