Domain: speakeasy.org
Stories and comments across the archive that link to speakeasy.org.
Stories · 9
-
Google Suggest Dissected, Part II
Bert690 writes "To complement the recent dissection of Google Suggest's innovative front end, I investigated [Coral Link & mirror] the back end of the system in an effort to determine just how it generates suggestions. Along with some preliminary findings, you'll find a pointer to a program for enumerating all possible suggestions from a given starting point. I found the number of possible suggestions to be surprisingly small considering the immense scope of the web." -
Three Snort Books Reviewed
Eric Stats writes "Working as a Network Engineer for a web-hosting company that prides itself on uptime and network availability, and moonlighting as a part-time Linux administrator, my managers and clients are starting to expect a level of information security knowledge from me. I decided that if I wanted to take my career to the next level, I needed to develop some security-specific skills. I heard a lot about the open source Intrusion Detection System (IDS) Snort from friends and co-workers (mostly that it was a pain to get running, and an even bigger pain to understand what it was doing)." To get past those frustrations, Eric looked at two more books on Snort (and compares them to the already-reviewed Intrusion Detection with Snort); read on below for his take on what each offers.
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID; Intrusion Detection with Snort; Snort 2.0 Intrusion Detection
author: (See each)
pages: (See each)
publisher: (See each)
rating: (See each)
reviewer: Eric Stats
ISBN: (See each)
summary: (See each)
I ran Snort at home for a while, using the online docs, but I could never get a handle on which output plugin to use (When to log? When to alert?), how to email alerts to myself (I later found out Snort doesn't natively do this), and how to create signatures from packet captures (no online docs at all for this). When I did get The Pig running, it filled up my log directory with thousands of small alert files, which ended up being in tcpdump format. This frustrated the hell out of me, so I decided I needed to find a good book on Snort, as the online docs simply did not describe how to use Snort from start to finish.
In the past few months, an assortment of books has come out on Snort. Because it has begun to eclipse closed-source, multimillion-dollar IDSes in terms of raw performance and features, much attention is currently focused on Snort. Naturally, when an open source project achieves this level of notoriety, publishers, venture capitalists, and corporations want to get in on the game. The flood of Snort books is a testament to this, but it doesn't mean they were all created equal. This book review covers the three books on Snort currently available (we will see another two Snort books later this winter). It covers what is good about them, what is bad, and who the target audience is for each. If you are looking to learn intrusion detection the open source way, or simply do not have a million-dollar IT security budget, these books are a good starting point.
Each of these three books serves a different purpose and consequently is appropriate for a different reader. In summary, Rafeeq Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID presents a concise, quick-start guidebook to getting Snort up and running fast. He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.
The whole gaggle of authors that put together Snort 2.0 Intrusion Detection created a much-needed user manual for Snort. This book makes for a good desktop reference, but assumes you understand the core concepts of intrusion detection, or have significant field experience with Snort. It is also somewhat convoluted to read; I suppose it's inevitable that when you have 12 authors working on a single book, it is going to come out somewhat disjointed and jumbled. If I hadn't read the other two books first, I doubt I would have been able to piece together what this book is talking about in places. (Such as referring to Barnyard logs in one chapter and "unified binary format" in another; how is the reader going to know they are the same?)
Lastly, Jack Koziol's Intrusion Detection with Snort is a guidebook for using Snort in the real world, either on small networks or in large corporate settings. Like any security tool, Snort is only as effective as its operator. Snort can do an enormous number of things, but if you don't understand the "how and why" you aren't going to be able to apply your knowledge in unexpected, different, or new situations. Koziol's book bridges the gap and teaches you the nitty-gritty Snort details not found in online docs, as well as how to apply your newfound IDS knowledge in practice. This book is lacking in terms of screenshots and diagrams, which can be frustrating at points. Instead of a paragraph of text, a simple diagram would have sufficed.
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID
author: Rafeeq Rehman
pages: 288
publisher: Prentice Hall
rating: 7/10
ISBN: 0131407333
I first picked up Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. Rehman's book is also a member of the Bruce Perens Open Source Series. All of the books in his series are published under the OPL. Overall, Rehman's book served as a good intro to Snort. I followed the examples, used some of the custom startup and log-rotation scripts, and got Snort working for the first time. I also learned of ACID, which is a PHP-based GUI for Snort, put out by Carnegie Mellon's CERT/CC. It makes managing alerts from Snort much less time-intensive. It was an exciting experience, but the book left me in the dark on a number of concepts that I knew I needed to learn. I still didn't understand what I was getting out of Snort; I had so many alerts I couldn't "tune out the noise." I didn't know when to use log or alert plugins, so I just turned on both for safety's sake. I also found that Snort was dropping packets (meaning it wasn't able to keep up with the traffic load going to my webservers hosted at home), but didn't find any way to fix this problem. This setup was fine for experimenting at home, but I didn't feel I would be able to use Snort in a mission-critical corporate setting yet.
Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: SAMS Publishing
rating: 9/10
ISBN: 157870281X
I thumbed through Jack Koziol's Intrusion Detection with Snort at the bookstore, and it seemed to have some more detailed descriptions of using Snort. It also had a lot of the planning, deployment, and maintenance activities you never think of until you are faced with one at 2 a.m. (such as how to upgrade Snort in an organized manner after a vicious integer overflow exploit is released for a core Snort component). It is also the most popular Snort book, so I figured I would buy it. When I took it home, I learned where to place Snort on a network, and what advantages and disadvantages there are to different IDS sensor placement strategies, something I had never considered.
Koziol's book also had the technical detail I was in desperate need of. I learned how to use Barnyard to spool alerts, which keeps Snort from dropping packets. I got to write my own attack signatures from scratch by using Ethereal packet captures in a controlled lab environment. I created a targeted ruleset; it enables specific attack signatures based on what I actually have running on my network, simply using nmap and some complicated perl scripts. The targeted ruleset went a long way to reducing false alerts, and is now a selling product from the Snort commercial vendor, Sourcefire. I finally got email alerts working using syslog-ng with Snort. The book ends with some more advanced content, namely using Snort as an Intrusion Prevention device. You can set up Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.
Snort 2.0 Intrusion Detection
authors: Jay Beale, Anne Carasik, Aidan Carty, Scott Dentler, Adam M. Doxtater, Wally Eaton, Jeremy Faircloth, James C. Foster, Vitaly Osipov, Jeffrey Posluns, Ryan Russell, Brian Caswell
pages: 485
publisher: Syngress
rating: 4/10
ISBN: 1931836744
The final Snort book in this review is Snort 2.0 Intrusion Detection. This book has a lot of the screenshots and figures that the Koziol and Rehman books leave out. It also contains a lot of useful diagrams, about one for every other page, and a CD-ROM with all of the Snort source and a PDF version of the book. This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book. Still, it is nice to have the most up-to-date documentation, but it doesn't make the Rehman book any less effective. This book has the most reference material in it, over 500 pages' worth, and it has very organized user manual-like descriptions of important Snort components (preprocessors, output plugins, and rules). Keep in mind that this book was created more as a user manual rather than an implementer's guide. You aren't going to see planning, deployment, and maintenance activities as well as technical deployment examples, as in the Koziol book. And, you aren't going to find a concise quick-start guide such as the Rehman book.
In summary, you aren't going to find anything in this book that isn't in the other two. What you will find is lengthy descriptions, and a lot more screenshots. As stated before, Snort 2.0 Intrusion Detection was written by 12 different people (one of them a Sourcefire employee and Snort.org website maintainer, Brian Caswell). This is obviously done by the publisher to get the book out as fast as possible, which is important for technology book publishers as books are outdated quickly, but has the end result of a disjointed book that contradicts itself in many areas. An example: one author stresses how deadly important it is for us to only use the latest Snort version, while another tells us to use the CD-ROM that comes with the book, which contains an outdated version of Snort.
You can clearly tell that different authors worked on different chapters, as the style and format change frequently. You can also tell that the authors didn't talk to each other much, as you will find one author referring to something in one chapter (unified binary format) that he expected to have been explained in a previous chapter. In print, the concept was not explained until later, which can be really frustrating if you are not a Snort pro. Additionally, there are enough grammatical errors in the book to be distracting, and, much like a vendor-provided user manual, the chapters don't logically flow from one to the next. If you do purchase this book, this slashdotter would recommend it as a supplement to either the Rehman or Koziol book.
You can purchase Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID , Intrusion Detection with Snort , and Snort 2.0 Intrusion Detection from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page. -
Intrusion Detection with Snort
Eric Stats writes: "At one point in the not so distant past, Intrusion Detection Systems (IDSs) were network security applications reserved for Fortune 500 companies with enough IT budget to fork up the Big Dollar, or hard core packetheads willing to grep through tcpdump or shadow output. Over the past few years, a new pig on the block, Snort, has put that notion to rest. Instead of having to spring for hundreds of thousands of dollars for a feature-rich, state-of-the-art IDS, open source fans now have an IDS that meets and beats most of the performance benchmarks and features of commercial, closed source IDSs. Jack Koziol's new book, Intrusion Detection with Snort, presents a comprehensive guide that those either novice to, or richly experienced with, the field of Intrusion Detection can use to get up to speed quickly on Snort." Read on for Eric's review.
Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: Sams
rating: 9
reviewer: Eric Stats
ISBN: 157870281X
summary: Handbook on the open source Intrusion
What Koziol implies throughout Intrusion Detection with Snort, but never states outright, is that Snort holds an inherent advantage over closed source IDSs, in that the IDS itself can be tailored and customized for each individual deployment to a level not possible for closed source competitors. If you have had the displeasure of working with a rigid, uncustomizable IDS you already know where this is going ...
In order for an IDS to be effective, or in some high-bandwidth cases, even usable, detailed network and business context must be applied to the IDS. In a nutshell, IDSs are not as plug-and-play as firewalls or other security applications. For example, if you know you are not running any HTTP traffic on the segment where the IDS is sniffing, you may not want your IDS to waste cycles looking for attacks on Apache. On the other hand, you may feel that the mere presence of HTTP traffic may indicate something innately suspicious, so it is of value to watch for any HTTP traffic. It all depends on what you feel are legitimate threats to the network you are attempting to protect. Snort gives you the power to "watch" for specific attacks, protocol anomalies, or other chatter that has no legitimate business running on your network. Other closed source IDSs don't, or can't, have the same flexibility. Only Snort can implement something as detailed as "Send a page to the CISO's phone if this particular subnet attacks these Apache servers with the chunked encoding exploit."
With Snort, novices can easily write attack signatures (called rules), enable or disable specific protocol decoders, and detect advanced attacks such as exploits utilizing polymorphic shellcode. Without this level of flexibility, you are likely to be flooded with alerts that are not relevant, or, even worse, miss an actual attack that causes irreparable data loss.
Like many open source applications, Snort's biggest downfall has been documentation. Who wants to write boring user manuals when he can write code, right? Well, that's all fine and dandy for Snort developers, but folks that want to actually use all of the neat features can't, unless you tell them they are there, and how to use them. Intrusion Detection with Snort bridges this gap, and offers a clear, concise guideline that helps plan, implement and maintain a Snort-based IDS.
Another oft-cited problem with Snort that Intrusion Detection with Snort addresses is the lack of Snort features that are not directly related to intrusion detection. In essence, Snort's developers have concentrated on creating the world's best application for detecting unauthorized activity, and left everything else to other applications. If you want to organize and manage the alerts generated by Snort you have to use another application (ACID). If you desire alerts via email or pager you need another tool (swatch or syslog-ng). If you want to centrally manage attack signatures for multiple Snort installations, guess what? You need another tool (IDS Policy Manager or SnortCenter). Finding, installing, and getting all of these tools to work right can be frustrating, so Koziol walks us through these issues, and in the end we have an IDS rivaling the expensive commercial solutions.
On to the nitty-gritty of the book. Essentially, this book is organized into three logical sections, even though the author did not choose to make these demarcations in print. The first section introduces us to intrusion detection in general and features of Snort. The second section is a detailed installation guide, which walks through setting up and installing the various components of a distributed Snort setup. The final section focuses on post-installation and maintenance tasks, as well as advanced topics.
In the first section, the different breeds of IDS (Host and Network) are honestly presented, with Koziol acknowledging in great detail some of the major shortcomings of IDS technology. The book then moves to describing Snort in great detail in an unbiased fashion. Other books on this subject written by Snort contributors are less forthcoming with Snort's disadvantages. The inner workings of Snort (such as packet decoders and libpcap) and the largely undocumented preprocessors are described in detail, giving tons of real-world examples. The examples are somewhat current, and describe exploits commonly found 6-18 months ago. Although the actual exploits found in the wild may change over time, the strategies for discovering them with Snort should remain relatively constant. The book then moves into the activities required in planning for a Snort-based IDS installation. Some of this is common sense for experienced security practitioners, such as establishing an incident response plan (the "Oh shit, I've been hacked, what do I do now!?!?"), but is relevant for novices. Other topics introduced in this section are:
Sensor placement: where to place an IDS from a network design perspective for maximum benefit.
Inserting a sensor into an in-place network: covers using taps, span ports, and dedicated hubs.
Specific hardware and OS considerations: basically, why a flavor of Unix is best for Snort.
Creating a unidirectional sniffing cable: allows network traffic to flow in a single direction, minimizing risk to an IDS segment.
The second section is a detailed guide to building a distributed or 3-tiered Snort IDS. Getting the three components, the sensor (where Snort is actually installed), the server (database, alert management, and reporting server), and the analyst console (secure place to access other components and store config files and scripts) up and working on Linux takes up the bulk of this section. The analyst console chapter walks through the ever-popular Analysis Console for Intrusion Databases (ACID). Attention is paid to configuring a secured setup that encrypts traffic between the various sensors, servers, and consoles. Various packages and tools are described, as well as condensing all of the Snort tiers onto one physical box. Installing and configuring on Windows is covered as well, although this choice of setup is not as thoroughly explained as the others.
The third and final section picks up where most books that deal with a specific application or software package too often leave off, namely, keeping the damn thing working. A chapter is dedicated to tuning Snort, and what thresholds can be configured to maximize benefit and performance. Getting real-time alerting via email working with ancillary tools is covered in a dedicated chapter. Developing a targeted ruleset (a set of automagically generated signatures that will only detect attacks that have the potential to be successful) using a custom shell script is described.
A very important topic in Snort administration, writing custom rules (attack signatures) gets its own chapter. The syntax for creating rules is clearly described, followed by concrete examples. The book works through writing rules by reading through raw packet captures (last year's Slapper worm is a particularly good example). This is followed by upgrading and managing rules, which is highly useful if you have a number of Snort installations to manage. Finally, Intrusion Detection with Snort closes with a chapter on advanced topics. The advanced topics chapter primarily covers the latest fad 'Intrusion Prevention.' Snort can be made into an IPS device via packet scrubbing or shunting. For packet scrubbing, the Snort Inline patch is used and the box is placed in between a trusted and untrusted network, dropping packets that match specifically created rules. Shunting is accomplished with SnortSam, which basically sends a request to a border router or firewall to block an attacking IP address for a predetermined period of time.
Overall, Jack Koziol's Intrusion Detection with Snort is a viable text for learning Intrusion Detection with the world's premier open source IDS; even though it is light on diagrams and pictures, it still comes highly recommended from this reviewer.
You can purchase Intrusion Detection with Snort from bn.com. -
Google vs. Boilerplate Activism
ArmorFiend writes with this NYTimes article which "details the efforts of journalists to discern real reader-written letters from boilerplate form letters. Seems like there should be a centralized searchable DB of letters to the editor." -
Professional Audio on Linux?
twilightzero asks: "Recently a friend of mine who is chief engineer at a medium size recording studio/radio station has become increasingly unhappy with Windows (and would like to stay away from Macs) and has asked me if there is any sort of professional audio solution for Linux. Has anybody, anywhere ever tried this? Is it possible to buy a pro audio card with Linux drivers and just run Sound Forge in WINE or do you need an entirely native package?" This is one of those questions that just needs to be answered. What Open Source sound packages out there are good enough for even the professionals to use when they need to make their squeaks, squeals, and whistles? Also, what can they use to put their created sounds together into some semblance of music? As an addendum, coasterfreak asks: "Being an avid Linux user and composer is a bit of a problem right now. I've never run across any decent music creation programs for Linux. I've used Finale and Cakewalk before, but have yet to see them for Linux. I've heard rumors of something coming from the Debian crew, but nothing more than rumors." Can anyone confirm or deny them?
Just as a bit of a helpful hint, how many of you have tried Audacity yet? It looks to be a fairly feature-rich sound editor, and it supports mixing tracks, plugin sound effects, and is cross platform, to boot! Maybe this is a decent springboard for those of you looking to start experimenting with sound under Linux, but I'm not quite sure it's ready for professionals yet... this is based on the version number of 0.97 rather than any actual experience, so I'd take the word of those who have said they have used it rather than mine. It would be great if Audacity is further along than it looks.
-
New Patent Bill Introduced
-
Solutions for Linux Desktops using NT Proxy?
prac_regex asks: "I'm both lucky and unlucky. Unlucky that I'm in an NT proxy environment, but lucky that I am able to use Linux at work for all of my work requirements. I can talk to the file servers via Samba and get email from our Exchange server via kmail, but for things that require talking to servers outside the proxy, I fail for nearly everything but web browsers. My question is what solutions exist to communicate to the NT servers for applications that may or may not have proxy settings? Even things like xchat --with-socks I can't get to work. The NT server simply seems to ignore me. I know Microsoft does make things difficult for everyone that doesn't use Windows, but I'm sure people have solved this. My goal in the long run is to get the proxy off NT but in the meantime..." -
Final Release Of Apache JServ, 1.1.1
prac_regex writes "Apache JServ v-1.1.1 is out and with it the retirement of JServ is publicized. The project is merging with the Jakarta project to create the most stable servlet production and development environment for everyone's favorite Webservers. Let's all pray for the best... " JServ will still be around until Tomcat becomes as well tested, so there's no need to panic :) ... -
New 3D Display Without Goggles