Three Snort Books Reviewed
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID; Intrusion Detection with Snort; Snort 2.0 Intrusion Detection
author: (See each)
pages: (See each)
publisher: (See each)
rating: (See each)
reviewer: Eric Stats
ISBN: (See each)
summary: (See each)
I ran Snort at home for a while, using the online docs, but I could never get a handle on which output plugin to use (when to log? when to alert?), how to email alerts to myself (I later found out Snort doesn't natively do this), or how to create signatures from packet captures (there are no online docs at all for this). When I did get The Pig running, it filled up my log directory with thousands of small alert files, which turned out to be in tcpdump format. This frustrated the hell out of me, so I decided I needed to find a good book on Snort, as the online docs simply did not describe how to use Snort from start to finish.
In the past few months, an assortment of books has come out on Snort. Because it has begun to eclipse closed-source, multimillion-dollar IDSes in terms of raw performance and features, much attention is currently focused on Snort. Naturally, when an open source project achieves this level of notoriety, publishers, venture capitalists, and corporations want to get in on the game. The flood of Snort books is a testament to this, but it doesn't mean they were all created equal. This review covers the three books on Snort currently available (we will see another two Snort books later this winter): what is good about them, what is bad, and who the target audience is for each. If you are looking to learn intrusion detection the open source way, or simply do not have a million-dollar IT security budget, these books are a good starting point.
Each of these three books serves a different purpose and consequently is appropriate for a different reader. In summary, Rafeeq Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID presents a concise, quick-start guidebook to getting Snort up and running fast. He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.
The whole gaggle of authors that put together Snort 2.0 Intrusion Detection created a much-needed user manual for Snort. This book makes for a good desktop reference, but assumes you understand the core concepts of intrusion detection, or have significant field experience with Snort. It is also somewhat convoluted to read; I suppose it's inevitable that when you have 12 authors working on a single book, it is going to come out somewhat disjointed and jumbled. If I hadn't read the other two books first, I doubt I would have been able to piece together what this book is talking about in places. (For example, it refers to Barnyard logs in one chapter and "unified binary format" in another; how is the reader going to know they are the same?)
Lastly, Jack Koziol's Intrusion Detection with Snort is a guidebook for using Snort in the real world, either on small networks or in large corporate settings. Like any security tool, Snort is only as effective as its operator. Snort can do an enormous number of things, but if you don't understand the "how and why" you aren't going to be able to apply your knowledge in unexpected, different, or new situations. Koziol's book bridges the gap and teaches you the nitty-gritty Snort details not found in online docs, as well as how to apply your newfound IDS knowledge in practice. This book is lacking in screenshots and diagrams, which can be frustrating at points; a simple diagram would often have sufficed instead of a paragraph of text.
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID
author: Rafeeq Rehman
pages: 288
publisher: Prentice Hall
rating: 7/10
ISBN: 0131407333
I first picked up Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. Rehman's book is a member of the Bruce Perens Open Source Series; all of the books in that series are published under the OPL. Overall, Rehman's book served as a good intro to Snort. I followed the examples, used some of the custom startup and log-rotation scripts, and got Snort working for the first time. I also learned of ACID, a PHP-based GUI for Snort put out by Carnegie Mellon's CERT/CC, which makes managing alerts from Snort much less time-intensive. It was an exciting experience, but the book left me in the dark on a number of concepts that I knew I needed to learn. I still didn't understand what I was getting out of Snort; I had so many alerts I couldn't "tune out the noise." I didn't know when to use the log or alert plugins, so I just turned on both for safety's sake. I also found that Snort was dropping packets (meaning it wasn't able to keep up with the traffic load going to the web servers I host at home), but didn't find any way to fix this problem. This setup was fine for experimenting at home, but I didn't feel I would be able to use Snort in a mission-critical corporate setting yet.
Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: SAMS Publishing
rating: 9/10
ISBN: 157870281X
I thumbed through Jack Koziol's Intrusion Detection with Snort at the bookstore, and it seemed to have some more detailed descriptions of using Snort. It also had a lot of the planning, deployment, and maintenance activities you never think of until you are faced with one at 2 a.m. (such as how to upgrade Snort in an organized manner after a vicious integer overflow exploit is released for a core Snort component). It is also the most popular Snort book, so I figured I would buy it. When I took it home, I learned where to place Snort on a network, and what advantages and disadvantages there are to different IDS sensor placement strategies, something I had never considered.
Koziol's book also had the technical detail I was in desperate need of. I learned how to use Barnyard to spool alerts, which keeps Snort from dropping packets. I got to write my own attack signatures from scratch using Ethereal packet captures in a controlled lab environment. I created a targeted ruleset, which enables specific attack signatures based on what I actually have running on my network, simply by using nmap and some complicated Perl scripts. The targeted ruleset went a long way toward reducing false alerts, and is now a product sold by the commercial Snort vendor, Sourcefire. I finally got email alerts working by using syslog-ng with Snort. The book ends with some more advanced content, namely using Snort as an intrusion prevention device. You can set up Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.
Snort 2.0 Intrusion Detection
authors: Jay Beale, Anne Carasik, Aidan Carty, Scott Dentler, Adam M. Doxtater, Wally Eaton, Jeremy Faircloth, James C. Foster, Vitaly Osipov, Jeffrey Posluns, Ryan Russell, Brian Caswell
pages: 485
publisher: Syngress
rating: 4/10
ISBN: 1931836744
The final Snort book in this review is Snort 2.0 Intrusion Detection. This book has a lot of the screenshots and figures that the Koziol and Rehman books leave out. It also contains a lot of useful diagrams, about one for every other page, and a CD-ROM with all of the Snort source and a PDF version of the book. This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book. Still, it is nice to have the most up-to-date documentation, but it doesn't make the Rehman book any less effective. This book has the most reference material in it, over 500 pages' worth, and it has very organized, user-manual-like descriptions of important Snort components (preprocessors, output plugins, and rules). Keep in mind that this book was created more as a user manual than as an implementer's guide. You aren't going to see planning, deployment, and maintenance activities, or technical deployment examples, as in the Koziol book. And you aren't going to find a concise quick-start guide such as the Rehman book.
In summary, you aren't going to find anything in this book that isn't in the other two. What you will find is lengthier descriptions and a lot more screenshots. As stated before, Snort 2.0 Intrusion Detection was written by 12 different people (one of them a Sourcefire employee and Snort.org website maintainer, Brian Caswell). This was obviously done by the publisher to get the book out as fast as possible, which is important for technology book publishers as books become outdated quickly, but it has the end result of a disjointed book that contradicts itself in many areas. An example: one author stresses how deadly important it is for us to only use the latest Snort version, while another tells us to use the CD-ROM that comes with the book, which contains an outdated version of Snort.
You can clearly tell that different authors worked on different chapters, as the style and format change frequently. You can also tell that the authors didn't talk to each other much, as you will find one author referring to something in one chapter (unified binary format) that he expected to have been explained in a previous chapter. In print, the concept was not explained until later, which can be really frustrating if you are not a Snort pro. Additionally, there are enough grammatical errors in the book to be distracting, and, much like a vendor-provided user manual, the chapters don't logically flow from one to the next. If you do purchase this book, this slashdotter would recommend it as a supplement to either the Rehman or Koziol book.
You can purchase Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID, Intrusion Detection with Snort, and Snort 2.0 Intrusion Detection from bn.com.
Re:If you need a commercial product with 24x7 supp (Score:1, Interesting)
I'd also recommend Puresecure Professional [demarc.com]; it's been a godsend.
Plus, they have a free version for home users.
Re:Intrusion Detection is not plug and play (Score:2)
I guess the one trick that made it easier was using Webmin to set the whole thing up, because there is a SNORT plugin.
The only hitch was figuring out if it was really catching intrusion attempts because you either have to wait for an attack or do it yo
Drug related titles (Score:5, Funny)
Using SNORT, Apache, MySQL, PHP, and ACID
This somehow strikes me as a veiled reference to cocaine, peyote, quaaludes, phencyclidine, and LSD. No longer will pharmacologically-enhanced computing be restricted to the caffeine you get from a case of Jolt!
I'm still waiting... (Score:2, Insightful)
Oh well, another topic.
Re:I'm still waiting... (Score:2, Informative)
Hey, Koziol's book covers Int
Did anybody read... (Score:2, Funny)
[crickets chirp]
Oh, wait...
The problem is... (Score:2, Interesting)
Besides, I'd rather set up a honeypot and watch the hackers break in. It's like watching ants trying to break out of the glass. You're going nowhere, bub! >:D
All 3 are cheaper at amazon (Score:4, Informative)
Apache, MySQL, PHP, and ACID, Intrusion Detection with Snort - $4.50 CHEAPER [amazon.com]
Snort 2.0 Intrusion Detection - $5 cheaper [amazon.com]
Even cheaper at Bookpool (Score:5, Interesting)
Intrusion Detection with Snort - $3.55 CHEAPER [bookpool.com]
Snort 2.0 Intrusion Detection - $6.72 CHEAPER [bookpool.com]
I've got you both beat (Score:1, Funny)
Intrusion Detection with Snort - $9.00 MORE [booksite.com]
Snort 2.0 Intrusion Detection - $9.99 MORE [booksite.com]
Re:This one is even cheaper.. (Score:2)
Snort, Apache, PHP, MySQL, ACID on Redhat 9.0 Installation Guide [snort.org]
Also, throw snortcenter [pandora.be] in the mix and you've got a full solution in an easy to manage package.
Web attack Forensic documents (Score:4, Informative)
Fingerprinting port 80 attacks Part one [cgisecurity.net]
Fingerprinting port 80 attacks part two [cgisecurity.net]
Re:I don't need snort (Score:1)
MS Windows users, of all people, ought not to be too cocky about things like this.
Integration With Vulnerability Assessment Engines (Score:3, Interesting)
Nice theory; of course you do need a Qualys account, which costs a bunch (they do lead the field though), but they reckon it cuts down false alarms by a huge chunk. They launched this at Blackhat this year (along with the law of vulnerabilities) and it's been open sourced (yay!).
Re:Integration With Vulnerability Assessment Engin (Score:2)
Is this it?
http://quidscor.sourceforge.net/
Three Cheers for Slashdot (Score:1, Interesting)
reported by Anonymous Cannibal
In developing news, Slashdot.org [slashdot.org] has released a non-SCO related article. Slashdotters are ecstatic at the incoming news "Oh man I really thought it was the end of the road there for a minute, I mean last week was bad, but as of Sunday, I don't know how many SCO based articles they posted. I think it's somewhere in the low hundreds though" stated a user who wished to remain anonymous.
"It's exciting for the moment, but I know these morons will just post
Dear Submitter: (Score:1)
We here at Slashdot do not approve of inhaling or "snorting" drugs. The following alternatives are suggested:
Jolt Gum
Chocolate covered espresso beans
Black-black chewing gum
Information on these alternatives can be found here [thinkgeek.com] and here [modulo26.net]
Thank you!
Slashdot Administrators
nice to see... (Score:5, Interesting)
It certainly isn't plug-n-play, but it's not super technical to install; it's just tedious and open to stupid installation mistakes. I've had a newb trainee install it in a couple of days... not bad for just diving in, but an automated installation would make Snort the bomb. Anyone know of progress in this area (on any platform)?
Re:nice to see... (Score:2)
If someone knowledgeable put an installer together, I'd have more time to deploy sensors at different points in my networks without needing dedicated boxes or similar hardware.
Local Linux user found trapped in woods. (Score:1)
They caught him infringing on their IP by using 12 lines of SCO code in his homebrew Linux computer's kernel. Please help us save this young man. Check out The Mike Green Challenge [mikegreenchallenge.com] site today, to help rescue this young man from the oppressive clutches of SCO and Micro$oft.
A pain to get snort working? (Score:4, Interesting)
If you can't install Snort with that type of docum.... hold on... the late 90s called, they wanted to congratulate you on beating the odds.
This reviewer is clueless (Score:1)
These reviews [amazon.com] are more helpful. A copy of the Koziol book is on the way to the Amazon.com reviewer so he should be able to rate it against the Caswell and Rehman books.
And those r
Re:This reviewer is clueless (Score:1)
Well... according to your logic, Windows is the best possible desktop OS because it outsells everything else.
Number of Sales != Quality
Ever hear that "the best-marketed product always wins, not the best product"?
I think you are the one who is clueless.
funny (Score:2)
for example, this post is about a half-snort.
IDS is not a set-up and forget kinda thing (Score:1)
He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.
Anybody who makes a statement like that quite obviously has never gotten too serious about setting up and maintaining an IDS. Every IDS I've ever used has required quite a bit of care and feeding to make it useful.
First of all, most IDS's have so many false-positives right out of the box that you just have to do some tweaking to keep
granted, but (Score:1)
He did say it was "for the reader who...," he did not say "it was perfect for me because I want to set up and forget." It's pretty clear from the review that the guy is looking to do exactly the opposite.
Anybody who makes a statement like that quite obviously has never gotten too serious about setting up and maintaining an IDS.
Right, which is why he is picking up some books on the subject. The reviews were damn informative for me, who is in the same boat. I don't think that a person looking for kn
Some comments (Score:3, Informative)
First off, I'm not just Snort's author, I'm also the founder of Sourcefire [sourcefire.com]. Sourcefire was started once it became apparent that enough commercial/governmental users wanted commercial support to make it a viable business model. Raising the VC was not easy; try going into a venture capitalist's office sometime and telling them how you want to build a product company around a core technology that's free. I talked to something like 12 different investment firms before we got the time of day from anyone; VC wasn't really looking for the next big Open Source story in 2001, they were trying to figure out what the hell happened to all their investments.
Sourcefire eventually got funded, but we did it the old-fashioned way, by building the product on a shoestring and then selling it into big accounts. Once we made a few hundred kilobucks from my living room (i.e. the original Sourcefire corporate campus), we finally got some attention and (eventually) money. Let me reiterate, it was not easy.
The author of the article could have saved some money on books (and so can you) by simply reading the USAGE file and the SnortUserManual.pdf file that should be included with your Snort download. Both of those files have quickstart information that will let you get up and running with Snort in about 15-30 minutes. Snort was designed to be easy for people who are used to using Linux; keep that in mind when using it for the first time. If you're getting lots of little log files, try using the -b switch at the command line; it'll log to a single file in pcap binary format (like ethereal/tcpdump). Additionally, read the FAQ and check out the mailing lists [snort.org]; they're invaluable.
Finally, the security vulnerabilities that were located in Snort this past spring led us to perform an internal and two external independent paid security audits of the Snort code base, funded by Sourcefire. We're also exercising additional diligence when evaluating contributed code and looking at the code we're developing internally at Sourcefire. It should be noted that all the code developed for Snort at Sourcefire is released under the GPL; we're dedicated to always keeping Snort free and making it the best IDS we can.