is very important, as writing good rules is the key to building a detection system. The
chapter also explains the different rules that are part of the Snort distribution.
Chapter 4 is about input and output plug-ins. Plug-ins are parts of the software
that are compiled with Snort and are used to modify the input or output of the Snort detection
engine. Input plug-ins prepare captured data packets before the actual detection
process is applied to these packets. Output plug-ins format output to be used for a particular
purpose. For example, an output plug-in can convert the detection data to a Simple
Network Management Protocol (SNMP) trap. Another output plug-in is used to log
Snort output data into databases. This chapter provides a comprehensive overview of
how these plug-ins are configured and used.
Chapter 5 provides information about using the MySQL database with Snort. The MySQL
plug-in enables Snort to log data into the database so it can be used in analysis later on. In
this chapter you will find information about how to create a database in MySQL, configure
the database plug-in, and log data to the database.
Chapter 6 describes ACID, how to use it to get data from the database you configured
in Chapter 5, and how to display it using the Apache web server. ACID is a very
important tool that provides rich data analysis capabilities. You can find the frequency of
attacks, classify different attacks, view the source of these attacks and so on. ACID uses
the PHP (Pretty Home Page) scripting language, the graphic display library (GD library) and
PHPLOT, which is a tool to draw graphs. A combination of all of these results in web
pages that display, analyze and graph data stored in the MySQL database.
Chapter 7 is devoted to information about some other useful tools that can be used
with Snort.
The system that you will build after going through this book is displayed in Figure
1-1 with its different components.
As you can see, data is captured and analyzed by Snort. Snort then stores this data
in the MySQL database using the database output plug-in. The Apache web server takes help
from ACID, PHP, the GD library and the PHPLOT package to display this data in a browser
window when a user connects to Apache. A user can then make different types of queries
on the forms displayed in the web pages to analyze, archive, graph and delete data.
In essence, you can build a single computer with Snort, the MySQL database,
Apache, PHP, ACID, the GD library and PHPLOT. A more realistic picture of the system
that you will be able to build after reading this book is shown in Figure 1-2.
In the enterprise, people usually have multiple Snort sensors behind every router
or firewall. In that case you can use a single centralized database to collect data from all
of the sensors. You can run the Apache web server on this centralized database server as
shown in Figure 1-3.
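The kind of analysis ACID runs over the database that the Snort output plug-in fills (attack frequency, the most active sources, and per-sensor counts in the centralized-database layout) is shown in the following worked example. This is added code, not from the book or the Snort project: it uses an in-memory SQLite stand-in for MySQL, and it assumes the classic Snort database tables sensor, event, signature and iphdr with a trimmed set of columns.

```python
import sqlite3
# Tables shaped like the classic Snort database schema (sensor, event, signature, iphdr);
# assumption: columns trimmed to what the queries below need, types simplified for SQLite.
SCHEMA = """
CREATE TABLE sensor (sid INTEGER PRIMARY KEY, hostname TEXT, interface TEXT);
CREATE TABLE signature (sig_id INTEGER PRIMARY KEY, sig_name TEXT, sig_priority INTEGER);
CREATE TABLE event (sid INTEGER, cid INTEGER, signature INTEGER, timestamp TEXT, PRIMARY KEY (sid, cid));
CREATE TABLE iphdr (sid INTEGER, cid INTEGER, ip_src INTEGER, ip_dst INTEGER, PRIMARY KEY (sid, cid));
"""

def ip_to_int(dotted):  # Snort stores IPv4 addresses as unsigned 32-bit integers
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def int_to_ip(n):
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

# Constructed sample data: two sensors reporting into one central database.
SAMPLE_SENSORS = [(1, "sensor-dmz", "eth1"), (2, "sensor-branch", "eth0")]
SAMPLE_SIGNATURES = [(1, "ICMP PING NMAP", 2), (2, "WEB-IIS cmd.exe access", 1)]
SAMPLE_EVENTS = [  # (sid, cid, signature, timestamp, ip_src, ip_dst)
    (1, 1, 1, "2003-03-01 10:00:00", "192.0.2.10", "198.51.100.5"),
    (1, 2, 2, "2003-03-01 10:00:05", "192.0.2.10", "198.51.100.5"),
    (1, 3, 2, "2003-03-01 10:01:00", "192.0.2.77", "198.51.100.5"),
    (2, 1, 1, "2003-03-01 10:02:00", "203.0.113.9", "198.51.100.20"),
    (2, 2, 2, "2003-03-01 10:03:00", "192.0.2.10", "198.51.100.20"),
]

def load_sample_db():
    """In-memory SQLite stand-in for the MySQL database Snort's output plug-in writes to."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO sensor VALUES (?,?,?)", SAMPLE_SENSORS)
    conn.executemany("INSERT INTO signature VALUES (?,?,?)", SAMPLE_SIGNATURES)
    for sid, cid, sig, ts, src, dst in SAMPLE_EVENTS:  # sid+cid identifies an event across sensors
        conn.execute("INSERT INTO event VALUES (?,?,?,?)", (sid, cid, sig, ts))
        conn.execute("INSERT INTO iphdr VALUES (?,?,?,?)", (sid, cid, ip_to_int(src), ip_to_int(dst)))
    return conn

def attacks_by_signature(conn):  # frequency of each attack across all sensors
    return conn.execute("SELECT s.sig_name, COUNT(*) AS n FROM event e JOIN signature s "
                        "ON e.signature = s.sig_id GROUP BY s.sig_name ORDER BY n DESC, s.sig_name").fetchall()

def top_sources(conn, limit=3):  # most active source addresses, via the per-event IP header row
    rows = conn.execute("SELECT i.ip_src, COUNT(*) AS n FROM event e JOIN iphdr i ON e.sid = i.sid "
                        "AND e.cid = i.cid GROUP BY i.ip_src ORDER BY n DESC, i.ip_src LIMIT ?", (limit,))
    return [(int_to_ip(src), n) for src, n in rows.fetchall()]

def events_per_sensor(conn):  # which sensor saw what, for the centralized-database layout
    return conn.execute("SELECT sn.hostname, COUNT(*) FROM event e JOIN sensor sn ON e.sid = sn.sid "
                        "GROUP BY sn.hostname ORDER BY sn.hostname").fetchall()
```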