What this book covers
Chapter 1, Introduction to Intrusion Detection and Prevention, discusses a defense-in-depth strategy and the role of various security tools, including IDS/IPS.
Chapter 2, The History and Evolution of Snort, explores the evolution of Snort from its original version to its current state. We will look at the key features of Snort and when they were incorporated into the system.
Chapter 3, Snort 3 – System Architecture and Functionality, explores the design goals, the main components, and the system architecture of Snort 3. The chapter provides you with a high-level idea of how network traffic gets analyzed by the Snort system.
Chapter 4, Installing Snort 3, shows you how to install the Snort 3 system. The chapter describes the step-by-step installation process of Snort 3 on two different operating systems.
Chapter 5, Configuring Snort 3, explains how to configure the Snort 3 system. It discusses how a user can configure the Snort 3 system and the various modules, using command-line arguments as well as configuration files.
Chapter 6, Data Acquisition, delves into the data acquisition layer and its role in the delivery and transmission of network packets to and from Snort.
Chapter 7, Packet Decoding, reinforces the idea that an analysis of network traffic begins with packet decoding. This chapter explains the process of packet decoding and discusses how the packet decoding module is structured, what the important data structures are, and how the module ties to the rest of the Snort system.
Chapter 8, Inspectors, discusses inspectors, which are considered the backbone of Snort 3 from a functionality perspective. From an evolution standpoint, the inspectors replaced the preprocessor module in Snort 2. This chapter discusses the role and functionality of the inspector modules.
Chapter 9, Stream Inspectors, discusses the stateful analysis capability of Snort 3. The chapter also explains important terms such as flows, sessions, and streams, which are relevant to how Snort performs stateful analysis.
Chapter 10, HTTP Inspector, explores HTTP, which is one of the most prevalent protocols used over the internet. This chapter discusses the HTTP inspector and how it enables the detection of malicious attacks carried over HTTP.
Chapter 11, DCE/RPC Inspectors, gives an overview of the DCE/RPC inspectors and discusses their dependencies, relevant rule options, and configuration.
Chapter 12, IP Reputation, shows you how the IP reputation inspector module works, its configuration, and its importance.
Chapter 13, Rules, discusses how Snort rules work, their structure, and some important points to keep in mind while developing Snort rules. Snort rules allow a Snort user to specify what constitutes malicious traffic.
Chapter 14, Alert Subsystem, delves into the alert subsystem of Snort. We will discuss the various alert modules and how they are configured.
Chapter 15, OpenAppID, discusses the OpenAppID feature, the relevant inspector modules, and their configuration.
Chapter 16, Miscellaneous Topics on Snort 3, discusses a handful of miscellaneous topics related to Snort 3. We will explore how to go about troubleshooting and/or debugging Snort, Snort 2 to Snort 3 migration challenges, and so on.