snort in windows 7
DESCRIPTION
Snort is a Powerful IDPS. Most people use it in linux based platform. Here a Project how to configure and use snort in Windows 7.TRANSCRIPT
Intrusion Detection Systems (IDS)
Snort In Windows 7
Project By: Sapan Mishra
Under Guidance of: Er. Nutan Kumar Panda
Intrusion Detection Systems (IDS)
Table of ContentsTable of Contents..........................................................................................................2
Introduction..................................................................................................................3
Host-Based Intrusion Detection....................................................................................3
Network Based Intrusion Detection..............................................................................4
Approaches...................................................................................................................5
The Need for Intrusion Detection Systems...................................................................5
IDS Location...................................................................................................................7
Intrusion Tactics............................................................................................................9
Snort............................................................................................................................10
Snort Modes of Operation..........................................................................................10
Packet Sniffer..............................................................................................................10
Network Intrusion Detection Mode............................................................................11
Network Intrusion Detection Rules.............................................................................11
Snort Rule Header.......................................................................................................12
Snort Rule Options......................................................................................................13
Snort Alerts.................................................................................................................13
Conclusion...................................................................................................................14
References..................................................................................................................15
Intrusion Detection Systems (IDS)
Introduction
“An intrusion detection system monitors computer systems, looking for signs
of intrusion (unauthorized users) or misuse (authorized users overstepping their
bounds).” (1) Intrusion Detection Systems (IDS) can operate on a variety of different
levels. Host-Bases IDSs reside on a host machine and execute intrusion detection
locally. Network-based Intrusion Detection Systems (NIDS) focus on network data
flow. The key to successfully identifying and preventing intrusion lies within the
various techniques. “Using intrusion detection methods, you can collect and use
information from known types of attacks and find out if someone is trying to attack
your network or particular hosts.” (3) IDSs have a series of steps that all need to be
completed before a system can be appropriately protected. These steps revolve
around the data that is being processed on the system being monitored. “Data is
collected by monitoring activities in the hosts or network. The raw data is analyzed to
classify activities as normal or suspicious. When a suspicious activity is considered
sufficiently serious, a response is triggered.” (6)
Host-Based Intrusion DetectionHost-Based Intrusion Detection is accomplished by installing software on each
individual local system. These software modules, or agents, work on the client
system to perform intrusion detection. This can be accomplished using a variety of
methods. One common method is to have the software agent monitor the system
logs, and look for irregular patterns. An example of this is when an agent watches for
unauthorized activities done by a user without adequate permissions. Essentially,
the agent will keep a running log of the users actions. If the users actions raise a red
flag (meaning that the actions of the user are suspicious), then the system
administrator is able to backtrack the actions, and investigate why a particular user
was using the system in that way. Another effective method for Host-Based IDSs is
to watch for suspicious processes that are running. Sometimes a particular process
name can mean trouble for system administrator, depending upon its purpose.
Protecting the integrity of the system files is another high priority task for Host-Based
Intrusion Detection Systems (IDS)
IDSs. An IDS agent can take an inventory of system files, along with their
permissions, and report any changes to the set. The same auditing tactic can be used
to watch user accounts. An IDS that witnesses a users permissions being changed, or
unauthorized user being created can indicate problems for a systems administrator.
All of these methods are classified as agent-based software, which makes up the
largest category of Host-Based IDSs. The other major category is the host
wrappers/personal firewalls. “Host wrappers or personal firewalls can be configured
to look at all network packets, connection attempts, or login attempts to the
monitored machine.” (http://www.sans.org/resources/idfaq/host_based.php)
Examples of these are dial-in attempts, non-network related communication ports,
or software other software on the host attempting to connect to the network.
(“http://www.sans.org/resources/idfaq/host_based.php”)
Network Based Intrusion Detection“Network-based ID involves looking at the packets on the network as they pass by
some sensor.” (“http://www.sans.org/resources/idfaq/network_based.php”)
Packets are only of interest if they happen to match a particular signature. There are
three main types of signatures:
String signatures – Look for strings, or combinations of strings, that could
potentially be an intrusion. Signatures containing sensitive file names may
cause an alarm.
Port signatures – Signatures that contain port numbers that are regularly
attached (i.e. telnet (TCP port 23), FTP (TCP port 21/20), SUNRPC (TCP/UDP
port 111), and IMAP (TCP port 143), or communications that are utilizing ports
that are not used may be reason for suspicion.
Header condition signatures – Signatures that contain illogical data or well
known, dangerous content. “The most famous example is Winnuke, where a
packet is destined for a NetBIOS port and the Urgent pointer, or Out Of Band
pointer is set. This resulted in the "blue screen of death" for Windows
systems.” (“http://www.sans.org/resources/idfaq/network_based.php“)
Intrusion Detection Systems (IDS)
The key to making this intrusion detection system successful lies within the
placement. Sensors need to be in a position that will exposed the sensors to the flow
of network packets.
ApproachesJust as with many other technologies today, no single approach is going to
give appropriate protection. Therefore, a combination of the two or more intrusion
detection techniques should be applied. “Within its limitations, it is useful as one
portion of a defensive posture, but should not be relied upon as a sole means of
protection.” (2) IDSs will never entirely replace the need for professional system
administrators, mainly because a large function of the IDS system is merely data
collections. Although the IDS can provide some help in data analysis, the need for
human interaction/analysis will probably never go away. Not all-suspicious behavior
should be assumed to be malicious, and IDSs would do just that.
The Need for Intrusion Detection SystemsA computer intrusion can be damaging in a variety of ways, depending on the
intent of the intrusion. If the intrusion amounts to a nuisance, then resources have
to be expended to alleviate the problem. This requires the system administrator to
divert their attention away from business, and to focus on the annoyance. Even if an
intrusion isn’t malicious, i.e. not damaging or theft related, the intrusion could bog
down the network, causing a loss of productivity among the employees. Intrusions
that are aimed at theft are particularly damaging to a company in terms of
competition. Companies go to great lengths to protect their Intellectual Property,
since it can be such a large source of income and market share. If this information
falls into the wrong hands, i.e. the competition, then the company can suffer greatly
due to lost revenue. Malicious damages may come about by a hacker who intends to
hurt a company by destroying data. This is the most damaging type of an attack
because it has a snowball effect. Not only does a company lose many records,
customer information, business contacts, etc., but they also take a huge hit in the
Intrusion Detection Systems (IDS)
productivity area. Until all the information is restored, much of the staff cannot work
efficiently. A company may also lose customers due to the fact that the company has
the target of a computer hacking. Customers tend to get very nervous when they
think that their personal data has the potential to fall into the wrongs hands.
March 11, 2005 - Pleasant Hill, California Computer Hacker from "Deceptive
Duo" Guilty of Intrusions into Government Computers and Defacing Websites
($70,000)
September 9, 2004 - Ex-Official Of Local Computer Consulting Firm Pleads
Guilty To Computer Attack Charge ($100,000)
August 23, 2004 - Former Employee Of A Massachusetts High-Technology Firm
Charged With Computer Hacking ($26,400)
July 28, 2004 - Vallejo Woman Admits To Embezzling More Than $875,035 -
Not-For-Profit Organization Victim Of Computer Fraud ($875,035)
July 21, 2004 - Florida Man Charged With Breaking Into Acxiom Computer
Records - Intrusion and Theft of Data Result in Loss of More than $7 Million
($7,000,000)
May 1, 2001 - Creator of Melissa Computer Virus Sentenced to 20 Months in
Federal Prison ($80,000,000)
from http://www.usdoj.gov/criminal/cybercrime/cccases.html
Many of the attacks listed above were done by “insiders”, which are people
that had access to the company’s internal network. In the case of an insider attack, a
firewall can provide little protection. A common mistake occurs when companies
assume that a firewall will protect them from hackers. One must understand the
limitations of a firewall:
1. “Not all access to the Internet occurs through the firewall. The firewall cannot
mitigate risk associated with connections it never sees.” (5)
2. “Not all threat originates outside the firewall. Intrusion detection systems are
part of the infrastructure that is privy to the traffic on the internal network.
Intrusion Detection Systems (IDS)
Therefore, they will become even more important as security infrastructures
evolve.” (5)
IDS Location
The location of a Network Intrusion Detection System can be the deciding factor
between success and failure. The type of information collected can also vary greatly
depending on where the IDS sensor is placed. For example, in the figure below:
from
http://www.cisco.com/en/US/products/sw/cscowork/ps3990/products_user_guide_c
hapter09186a0080104f0c.html#145)
Sensor #1: This sensor monitors the communication between a protected
network and the internet. This is the most common type of
protection that is practiced.
Sensor #2: This sensor monitors the communication between a protected
network and remote access servers.
Sensor #3: This sensor monitors the communication between internal sites.
Sensor #4: This sensor monitors the communication between a protected
network and the extranet connection with a business partner.
Intrusion Detection Systems (IDS)
Having sensors at these various locations is necessary for complete coverage. Each
sensor is strategically placed to collect data that could be the site of an intrusion
attempt. A sensor should be placed in front of the firewall, so that the system
administrator can start collecting data about the types of attacks that are being
attempted against the network. A sensor should also be placed to aid the firewall (at
the firewall level) in preventing attacks. In the event that an intrusion makes it past
the firewall, another IDS agent should be there to intercept/divert the intrusion, or at
least log the event. Lastly, a sensor should be placed on the local network for traffic
that does no pass through the firewall. Statistics show that the most common type
of system misuse comes from “insiders”.
Intrusion Tactics
Fending off potential attackers is must easier when the attack tactics are known.
Listed below are the common hacking tactics used by computer hackers:
Password cracking – Discovery of user’s passwords.
Trojan horses - Malicious programs that are disguised as legitimate software
Interception of Communication - Gains unauthorized access or exceeds
authorized access.
Spoofing - A program used by a cracker to trick a computer system into
thinking it is being accessed by an authorized user.
Packet Sniffer - A software or hardware tool that monitors data packets on a
network. Generally used to discover user passwords.
Hacking - Taking advantage of system weaknesses to gain access to resources
or privileges
from Intrusion Detection Systems (IDS) Part I
(http://www.windowsecurity.com/articles/Intrusion_Detection_Systems_IDS_Part_I_
_network_intrusions_attack_symptoms_IDS_tasks_and_IDS_architecture.html)
These are just a few of the many types of attacks that a systems administrator may
have to face. Due to the vast size of today’s networks, many companies are far more
Intrusion Detection Systems (IDS)
susceptible to attacks than they probably think. Comfort can no longer be found by
hiring experienced/over-priced system administrators to fend off all of these attacks.
Companies would go broke trying to compensate their resource pool of system
administrators.
Snort
Snort is a lightweight intrusion detection system. Martin Roesch, who was
aiming at creating an open source package that could rival the commercial systems,
developed Snort in 1998. Snort has had incredible success in the open source arena
and has been established as a true competitor to commercial solutions.
Snort Modes of Operation
Snort has two main modes of operation. This first is a packet sniffer mode,
which is similar to tcpdump. Packets are stored in a log file, which allows for later
analysis. The other mode of operation is a Network Intrusion Detection System
(NIDS). When Snort functional in this mode, rule sets are applied to packets, which
in turn, look for suspicious behavior. Both modes of operation are detailed below.
Packet Sniffer
Running Snort in packet sniffer mode will allow system administrators to
collect and store packet data. Snort can be configured to collect packet data in
varying detail, depending on how much detail is required. Although very similar to
tcpdump, Snort does have features that extend beyond the capability of tcpdump.
“The major feature that Snort has which tcpdump does not is packet payload
inspection. Snort decodes the application layer of a packet and can be given rules to
collect traffic that has specific data contained within its application layer.”
(http://www.snort.org/docs/lisapaper.txt) Snort also has a more readable display of
the packet data. One additional feature that Snort provides is that while logging to a
file, Snort will still log in a format that is compatible with tcpdump, so users can still
use tcpdump for analysis.
Intrusion Detection Systems (IDS)
Network Intrusion Detection Mode
Running Snort in Network Intrusion Detection Mode is quite different than
running in packet sniffer mode. Network Intrusion Detection mode does not
capture/log the network packets. Instead, it applies a set of rules on each passing
packet. The set of rules are managed by the system administrator and should reflect
common intrusion patterns. These patterns are a lot like virus definition files in that
they show a list of common packet patterns that generally indicate an intrusion or
misuse of the system. No action is taken if the packet does not meet one of the
implemented rules. If a packet does match one of the rules, then the packet is
logged, and may also generate an alert. An alert is a notification to the system
administrator that a questionable packet has just been received (or send out) from a
particular system.
Network Intrusion Detection Rules
The rules definition files can generally be found in the
/opt/snort/etc/snort.conf and can be activated with the “-c” command line option.
Snort rules contain two basic elements: a Rule Header and Rule Options. The Rule
Header is going to contain the criteria for packet matching. It also contains
instructions on what actions need to be taken in the event of a rule match. The Rule
Options part will contain supplemental information to be used for the matching
criteria. An example of a rule is provided below:
alert ip any any -> any any (msg: "IP Packet detected";)
In this example, an alert is generated every time as IP packet is detected, either
sending of receiving. This is a good rule to test Snort, but do not leave this rule in
place. The particular rule has the ability to fill up a users hard rive because of all the
excessive logging.
Intrusion Detection Systems (IDS)
Snort Rule Header
The rule header contains a lot of information that need to be broken down
into different sections. Below is a listing of the Snort Rule Header architecture:
Action Protocol Address Port Direction Address Port
Action: The action part of the rule determines the type of action taken
when criteria are met and a rule is exactly matched against a data packet.
Protocol: The protocol part is used to apply the rule on packets for a
particular protocol only.
Address: The address parts define source and destination addresses.
Port: In case of TCP or UDP protocol, the port parts determine the source
and destination ports of a packet on which the rule is applied. In case of
network layer protocols like IP and ICMP, port numbers have no
significance.
Direction: The direction part of the rule actually determines which address
and port number is used as source and which as destination. (3)
Snort Rule Options
Snort Rule Options can be found within the set of parenthesis contain in a Snort Rule.
Options generally follow the format of having a keyword (i.e. ACK, CLASSTYPE,
CONTENT, OFFSET, DEPTH, CONTENT-LIST, DSIZE, FLAGS, FRAGBITS, ICMP_ID,
ICMP_SEQ, ITYPE, ICODE, ID, IPOPTS, IP_PROTO, LOGTO, MSG, PRIORITY, REACT,
REFERENCE, RESP, REV, RPC, SAMEIP, SEQ, FLOW, SESSION, SID, TAG, TOS, TTL,
URICONTENT), followed by an argument. The options portion of the rules is capable
of AND logical. The options supplement the rule header’s matching criteria. With all
of these option available to the users, the search capability of Snort sets itself apart
from the competition.
Intrusion Detection Systems (IDS)
Snort Alerts
When a packet does meet the criteria of a rule, then Snort can either log the entry to
a log file, or it can send out an alert. Snort has a variety of alert modes, which are all
detailed below:
Fast Mode (“-A fast”) – This mode reports Timestamp, Alert message, Source
and destination IP addresses, and Source and destination ports. The actual
packet is not logged while using this mode.
Full Mode (“-A full”) – This mode reports the same information as in Fast
Mode, but it also includes the packet’s header.
UNIX Socket Mode (“-A unsock”) – This mode will allow a system
administrator to send alerts to other programs using a UNIX socket.
Alerts to Syslog (“-s”) – This mode will store the alert is the syslog, which is
where system level events are recorded.
SNMP Mode – Alerts can also be sent as SNMP messages, where Network
Management Systems can help system administrators identify and correct the
problem.
Installing Snort in Windows 7
Requirement for Snort in Window 7
Microsoft Windows 7 Professional:
http://store.microsoft.com/microsoft/Windows-7-Professional/product/B985134B?
WT.mc_id=winonlinetest_shop3_PROfull_r3
Mozilla Firefox 3.6:
http://www.mozilla.com/en-US/products/download.html?product=firefox-
3.6&os=win&lang=en-US
Microsoft Security Essentials:
http://www.microsoft.com/security_essentials/
COMODO Firewall 3.14:
http://www.comodo.com/home/download/download.php?prod=firewall
Microsoft Baseline Security Analyzer 2.1.1:
Intrusion Detection Systems (IDS)
http://www.microsoft.com/downloads/details.aspx?FamilyID=b1e76bbe-71df-41e8-
8b52-
c871d012ba78&displaylang=en
ActivePerl 5.10.1.1006:
http://www.activestate.com/activeperl/
Notepad++ 5.6.6
http://sourceforge.net/projects/notepad-plus/files/notepad%2B%2B%20releases
%20binary/npp
%205.6.6%20bin/npp.5.6.6.Installer.exe/download
Foxit Reader 3.1.4:
http://download.cnet.com/Foxit-Reader/3000-10743_4-10313206.html?part=dl-
116442&subj=dl&tag=button
Kiwi Syslog Server 9.0.3:
http://kiwisyslog.com/kiwi-syslog-server-download/
7-Zip 4.65:
http://sourceforge.net/projects/sevenzip/files/7-Zip/4.65/7z465.exe/download
WinPcap 4.1.1:
http://www.winpcap.org/install/default.htm
Snort 2.8.5.2
http://dl.snort.org/snort-current/Snort_2_8_5_2_Installer.exe
Oinkmaster 2.0
http://sourceforge.net/projects/oinkmaster/files/oinkmaster/2.0/oinkmaster-
2.0.tar.gz/download
1) After installing the Operating System and downloading all of the software
listed above, I would advise both copying of the software to an external drive
as well as creating a System Restore Point. This will shorten reinstall times
should something not work as expected.
2) With the exception of Oinkmaster, you should now systematically install all of
the downloaded software. Note that you may substitute some of the software
Intrusion Detection Systems (IDS)
(ex. Use IE instead of Firefox or skip installing the Foxit Reader), however
some software such as WinPcap are integral to running Snort in the method
used in this guide.
a) When installing the software, take note of the following:
1) I would recommend using the default options and allow the
applicable components to be run as a service/at startup.
2) When installing Kiwi, uncheck the Web Access, as it will expire after
30 days.
3) During the installation and running of software, the COMODO
Firewall will be triggered multiple times and you will need to Allow Kiwi
access.
b) I would now ensure that the Operating System and all software are
patched and updated. I would also run the Microsoft Baseline Security Analyzer and
correct any anomalies as you see fit. It is also recommended that you search the
Internet for guides on hardening the Windows 7 Operating System.
Acquiring updated Rules and an Oinkcode:
If you haven't already done so, you will need to become a Registered member
on the Snort website.
Intrusion Detection Systems (IDS)
This is needed in order to download and use the Sourcefire VRT Certified
Rules. Snort will not be operating up to date without them (and Oinkmaster will not
work).
https://www.snort.org/signup
After you have created an account, log in to the Snort website and copy your
personalized Oinkcode (to be used by Oinkmaster). Also, download the Sourcefire
VRT Certified Rules (registered-user release) – be sure to grab the “snapshot”
version, as shown below.
Intrusion Detection Systems (IDS)
Applying our updated Rules:
**BEFORE APPLYING THESE UPDATED RULES, COPY THE FILE
C:\SNORT\ETC\SNORT.CONF TO YOUR DESKTOP**
Right-click on the snortrules-snapshot-2.8.tar.gz file that we downloaded and choose
“Extract Here”:
Right-click on the newly extracted file (snortrules-snapshot-2.8_s.tar) and choose
“Extract files...”.
Change the Path to C:\Snort and check “Overwrite without prompt”:
Configuring the snort.conf File:
Intrusion Detection Systems (IDS)
Edit the file you copied to your Desktop (snort.conf) with Notepad++ and perform
the following:
Change lines 120-121 to read:
Change line 204 to read:
Change line 214 to read:
Change line 324 to read:
Change line 683 to read:
Change line 771 to read:
Change line 779 to read:
Change (uncomment) line 863 to read:
Intrusion Detection Systems (IDS)
Now save and close this file. Copy this file to c:\snort\etc and overwrite the existing
one.
Keep in mind that you will need to tailor this file (especially the rule set section) and
any other configuration files to further suit your IDS/IPS needs.
Verifying Snort Operation:
Open a Command Prompt and run c:\snort\bin\snort -W (be sure to use a capital
“W”)
Now run c:\snort\bin\snort -v -iX (replace X with your Device Interface number found
from running the previous line)
After a couple of seconds you will see “Not Using PCAP_FRAMES”. Snort is
now running and will alert you if a Rule is triggered. If you have suspicious network
traffic going across your interface, the command prompt window will rapidly scroll
text.
Intrusion Detection Systems (IDS)
While still leaving the Snort command prompt window open, launch a second
command prompt window. From the new window, run the command ping
google.com If it hasn't occurred already, this ping command will trigger a Snort alert!
you can now close both command prompt windows, as we have verified that Snort is
installed and alerting correctly in verbose mode. To test that our configuration file is
correct, open a new command prompt window and type:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with
your Device Interface number)
Intrusion Detection Systems (IDS)
If you have correctly entered all information, you should receive a graceful exit such
as the screen shot below. If you receive a fatal error, you should first verify that you
have typed all modifications correctly into the snort.conf file and then search
through the file for entries matching your fatal error message.
Verifying Kiwi Operation and Tying it to Snort:
Now open the Kiwi Syslog Server Console and type CTRL-T (you should see a test
message appear, which indicates Kiwi is working)
Using Notepad++, create a file on your Desktop called Snortstart.bat and place the
following line of code in it:
c:\snort\bin\snort -iX -s -l c:\snort\log\ -c c:\snort\etc\snort.conf (replace X with
your Device Interface number)
Also create a shortcut on your Desktop for the Kiwi Syslog Server Console Open the
Kiwi Syslog Server Console (if it isn't already) Now right-click and run Snortstart.bat
Intrusion Detection Systems (IDS)
as an Administrator. Wait (about thirty seconds) until you see the familiar line “Not
Using PCAP_FRAMES” at the end.
Finally, open another command prompt window and run: ping google.com and........
At this point you should see the Snort Alert outputting into Kiwi!!!!
Note that the reason why we have to run our batch file as an Administrator is that, in
our current configuration, we need to maintain rights to not only output our alerts to
Kiwi, but to write them to a log file.
At this point we have successfully installed Snort and have our Alerts being output to
two sources. Our final step will be to configure Oinkmaster to help us update and
manage our Rules.
Intrusion Detection Systems (IDS)
Configuring Oinkmaster and Verifying its Operation:
Right-click on the oinkmaster-2.0.tar.gz file that we downloaded and choose “Extract
Here”
Right-click on this new file (oinkmaster-2.0.tar) and choose “Extract Here”
Now we have a new folder called oinkmaster-2.0. Move this new folder into c:\snort
Go to c:\snort and create a folder named: temp
Go to c:\snort\oinkmaster-2.0\contrib and copy the oinkgui file to your Desktop.
Rename this file to:
Update Snort Rules
Now we have an additional module we need to download and install:
Once the file has been downloaded, open a command prompt window and type the
line as shown
below (note that your path name might be different. Once the installation has been
complete, you can close the command prompt window.
Intrusion Detection Systems (IDS)
Now double-click on our Update Snort Rules file we have on the desktop and
configure Oinkmaster to match the screen shots shown:
Intrusion Detection Systems (IDS)
Note that your “Editor” path may be different than that shown.
Now go back to the “Required files and directories” tab and click “Edit” (to the right
of the oinkmaster.conf file entry).
Change line 52 to read:
Where <oinkcode> is equal to the personal Oinkcode you downloaded from
Snort.org earlier in this guide.
Now save your oinkmaster.conf file and close Notepad++
You are now back at the main Oinkmaster GUI page
Click “Save current settings”
Click “Update rules!”
After a few minutes of watching the rule update process, it will read: done.
Click “Exit” to close out of the Oinkmaster GUI.
Intrusion Detection Systems (IDS)
Conclusion
Intrusion Detection Systems place a lot of emphasis on network-based attacks,
although statistics have shown that “insider” attacks are far more common. IDS
development should work towards addressing this attack trend. One possible
suggestion is to adopt a more “neighborhood” type of protection. By this I mean
that each computer on a network should look out for one another. If a system is
monitoring another system, and it look like it’s under attack, then the monitoring
system can draw the attention of other systems to help monitor the activity, and try
and catch the intruder. Hackers will often attack the IDS, causing it to report
incorrect status, allowing the hackers to get away without being caught.
Implementing the “neighborhood” type architecture would make it very difficult to
succeed using this tactic. ID systems could also benefit from standards. This was
being said in 1999, when there was a lot of buzz about ID systems, and it’s still being
said today.
Intrusion Detection Systems (IDS)
References
1. Bace, Becky, “An Introduction to Intrusion Detection and Assessment
for System and Network Security Management,” ICSA, Inc.
http://downloads.securityfocus.com/library/intrusion.pdf, 2002.
2. John McHugh , Alan Christie , Julia Allen, “Defending Yourself: The Role
of Intrusion Detection Systems”, IEEE Software, v.17 n.5, p.42-51,
September 2000
3. Rehman, Rafeeq Ur, “Intrusion Detection Systems with Snort: Advanced
IDS Techniques with Snort, Apache, MySQL, PHP, and ACID”, Prentice
Hall PTR,
http://www.mialug.org/downloads/static/documentation/security/Intr
usion%20Detection%20with%20Snort.pdf, 2003.
4. Riordan, James, “Intrusion Detection”, Global Security Analysis Lab
Global Security Analysis Lab,
http://www.cnec.org/CONFERENCES/cnec10/praesentationen/riordan.
pdf, 2001.
5. Rosendahl, Mauri, “Deploying Intrusion Detection in large networks”,
Helsinki University of Technology,
http://www.helsinki.fi/~mrosenda/netsec_2002_IDS.pdf, 2002.
6. T. Chen, "Intrusion detection for viruses and worms," chapter in IEC
Annual Review of Communications, vol. 57, Fall 2004