Slashdot Mirror


Three Snort Books Reviewed

Eric Stats writes "Working as a Network Engineer for web-hosting company that prides itself on uptime and network availability, and moonlighting as a part-time Linux administrator, my managers and clients are starting to expect a level of information security knowledge from me. I decided that if I wanted to take my career to the next level, I needed to develop some security-specific skills. I heard a lot about the open source Intrusion Detection System (IDS), Snort from friends and co-workers (mostly that it was a pain to get running, and an even bigger pain to understand what it was doing)." To get past those frustrations, Eric looked at two more books on Snort (and compares them to the already-reviewed Intrusion Detection with Snort ); read on below for his take on what each offers.

Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID; Intrusion Detection with Snort; Snort 2.0 Intrusion Detection
author: (See each)
pages: (See each)
publisher: (See each)
rating: (See each)
reviewer: Eric Stats
ISBN: (See each)
summary: (See each)

I ran Snort at home for a while, using the online docs, but I could never get a handle on which output plugin to use (When to log? When to alert?), how to email alerts to myself (I later found out Snort doesn't natively do this), and how to create signatures from packet captures (no online docs at all for this). When I did get The Pig running, it filled up my log directory with thousands of small alert files, which ended up being in tcpdump format. This frustrated the hell out of me, so I decided I needed to find a good book on Snort, as the online docs simply did not describe how to use Snort from start to finish.

In the past few months, an assortment of books have come out on Snort. Because it has begun to eclipse closed-source, multimillion dollar IDSes in terms of raw performance and features, much attention is currently focused on Snort. Naturally, when an open source project achieves this level of notoriety, publishers, venture capitalists, and corporations want to get in on the game. The flood of Snort books is a testament to this, but it doesn't mean they were all created equally. This book review covers the three books on Snort currently available (we will see another two Snort books later this winter). It covers what is good about them, what is bad, and who the target audience is for each. If you are looking to learn intrusion detection the open source way, or simply do not have a million-dollar IT security budget, these books are a good starting point.

Each of these three books serves a different purpose and consequently is appropriate for a different reader. In summary, Rafeeq Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID presents a concise, quick-start guidebook to getting Snort up and running fast. He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.

The whole gaggle of authors that put together Snort 2.0 Intrusion Detection created a much-needed user manual for Snort. This book makes for good desktop reference, but assumes you understand the core concepts of intrusion detection, or have significant field experience with Snort. It is also somewhat convoluted to read; I suppose it's inevitable when you have 12 authors working on a single book, it is going to come out somewhat disjointed and jumbled. If I hadn't read the other two books first, I doubt I would have been able to piece together what this book is talking about in places. (Such as referring to Barnyard logs in one chapter and "unified binary format" in another; how is the reader going to know they are the same?)

Lastly, Jack Koziol's Intrusion Detection with Snort is a guidebook for using Snort in the real world, either on small networks or in large corporate settings. Like any security tool, Snort is only as effective as its operator. Snort can do an enormous number of things, but if you don't understand the "how and why" you aren't going to be able to apply your knowledge in unexpected, different, or new situations. Koziol's book bridges the gap and teaches you the nitty-gritty Snort details not found in online docs, as well as how to apply your newfound IDS knowledge in practice. This book does lack in terms of screenshots and diagrams, which can be frustrating at points. Instead of a paragraph of text, a simple diagram would have sufficed.

Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID
author: Rafeeq Rehman
pages: 288
publisher: Prentice Hall
rating: 7/10
ISBN: 0131407333

I first picked up Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. Rehman's book is also a member of the Bruce Perens Open Source Series. All of the books in his series are published under the OPL. Overall, Rehman's book served as a good intro to Snort. I followed the examples, used some of the custom startup and log-rotation scripts, and got Snort working for the first time. I also learned of ACID, which is a PHP-based GUI for Snort, put out by Carnegie Mellon's CERT/CC. It makes managing alerts from Snort much less time-intensive. It was an exciting experience, but the book left me in the dark on a number of concepts that I knew I needed to learn. I still didn't understand what I was getting out of Snort; I had so many alerts I couldn't "tune out the noise." I didn't know when to use log or alert plugins, so I just turned on both for safety's sake. I also found that Snort was dropping packets (meaning it wasn't able to keep up with the traffic load going to my webservers hosted at home), but didn't find any way to fix this problem. This setup was fine for experimenting at home, but I didn't feel I would be able to use Snort in a mission-critical corporate setting yet.

Intrusion Detection with Snort
author: Jack Koziol
pages: 400
publisher: SAMS Publishing
rating: 9/10
ISBN: 157870281X

I thumbed through Jack Koziol's Intrusion Detection with Snort at the bookstore, and it seemed to have some more detailed descriptions of using Snort. It also had a lot of the planning, deployment, and maintenance activities you never think of until you are faced with one at 2 a.m. (such as how to upgrade Snort in an organized manner after a vicious integer overflow exploit is released for a core Snort component). It is also the most popular Snort book, so I figured I would buy it. When I took it home, I learned where to place Snort on a network, and what advantages and disadvantages there are to different IDS sensor placement strategies, something I had never considered.

Koziol's book also had the technical detail I was in desperate need of. I learned how to use Barnyard to spool alerts, which keeps Snort from dropping packets. I got to write my own attack signatures from scratch by using Ethereal packet captures in a controlled lab environment. I created a targeted ruleset; it enables specific attack signatures based on what I actually have running on my network, simply using nmap and some complicated perl scripts. The targeted ruleset went a long way to reducing false alerts, and is now a selling product from the Snort commercial vendor, Sourcefire. I finally got email alerts working using syslog-ng with Snort. The book ends with some more advanced content, namely using Snort as an Intrusion Prevention device. You can setup Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.
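The step the reviewer describes above, turning a packet capture into a signature, is the one the online docs of the time did not cover, so here is an added example of how it is done (editor's code, not from the review or from any of the books). It takes two constructed captures of the same probe, keeps only the bytes that do not change between them, and emits a Snort 2.x rule. Rule syntax (content with |hex| runs, flow, classtype, sid/rev) is real Snort syntax; the probe.cgi payloads, the rule text and the local SID 1000001 are assumptions made up for the example. SIDs of 1,000,000 and above are reserved for local rules so that home-grown signatures never collide with the distributed ruleset.

```python
"""Build a Snort content rule from captured attack payloads (added example)."""
import re

# Bytes the Snort rule parser treats specially inside a content: string
# (double quote, semicolon, backslash, pipe); hex-encoding them sidesteps escaping.
_SPECIAL = {0x22, 0x3B, 0x5C, 0x7C}


def longest_common_substring(a: bytes, b: bytes) -> bytes:
    """Longest byte run shared by two captures of the same attack: the part that
    does not change between runs is the candidate signature."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def snort_content(payload: bytes) -> str:
    """Encode bytes as a quoted Snort content argument: printable ASCII stays
    literal, everything else goes into |hex| runs, e.g. b"a\\x00b" -> "a|00|b"."""
    parts, hexrun = [], []

    def flush():
        if hexrun:
            parts.append("|" + " ".join(f"{x:02X}" for x in hexrun) + "|")
            hexrun.clear()

    for x in payload:
        if 0x20 <= x < 0x7F and x not in _SPECIAL:
            flush()
            parts.append(chr(x))
        else:
            hexrun.append(x)
    flush()
    return '"' + "".join(parts) + '"'


def build_rule(msg: str, payload: bytes, sid: int, rev: int = 1,
               proto: str = "tcp", src: str = "$EXTERNAL_NET", sport: str = "any",
               dst: str = "$HTTP_SERVERS", dport: str = "$HTTP_PORTS",
               classtype: str = "web-application-attack") -> str:
    """Assemble an alert rule around the signature bytes."""
    if sid < 1_000_000:
        raise ValueError("local rules must use sid >= 1000000")
    if re.search(r'[";]', msg):
        raise ValueError("msg must not contain quotes or semicolons")
    options = [
        f'msg:"{msg}"',
        "flow:to_server,established",  # client->server half of an established stream only
        f"content:{snort_content(payload)}",
        f"classtype:{classtype}",
        f"sid:{sid}",
        f"rev:{rev}",
    ]
    return f"alert {proto} {src} {sport} -> {dst} {dport} (" + "; ".join(options) + ";)"


if __name__ == "__main__":
    # Constructed payloads: two runs of the same (hypothetical) probe differing in
    # the argument and HTTP version, as you would pull out of two lab captures.
    cap1 = b"GET /cgi-bin/probe.cgi?x=AAAA HTTP/1.0\r\n"
    cap2 = b"GET /cgi-bin/probe.cgi?x=ZZZZZZZZ HTTP/1.1\r\n"
    signature = longest_common_substring(cap1, cap2)
    print(build_rule("LOCAL probe.cgi access", signature, 1000001))
```

The invariant bytes are a starting point, not a finished rule: a practitioner would then trim the common run to the part that is specific to the attack (the request path, not the "GET " every browser sends) and test it against normal traffic before turning it on.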

Snort 2.0 Intrusion Detection
authors: Jay Beale, Anne Carasik, Aidan Carty, Scott Dentler, Adam M. Doxtater, Wally Eaton, Jeremy Faircloth, James C. Foster, Vitaly Osipov, Jeffrey Posluns, Ryan Russell, Brian Caswell
pages: 485
publisher: Syngress
rating: 4/10
ISBN: 1931836744

The final Snort book in this review is Snort 2.0 Intrusion Detection. This book has a lot of the screenshots and figures that the Koziol and Rehman books leave out. It also contains a lot of useful diagrams, about one for every other page, and a CD-ROM with all of the Snort source and a pdf version of the book. This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book. Still, it is nice to have the most up-to-date documentation, but it doesn't make the Rehman book any less effective. This book has the most reference material in it, over 500 pages' worth, and it has very organized user manual-like descriptions of important Snort components (preprocessors, output plugins, and rules). Keep in mind that this book was created more as a user manual rather than an implementer's guide. You aren't going to see planning, deployment, and maintenance activities as well as technical deployment examples, as in the Koziol book. And, you aren't going to find a concise quick-start guide such as the Rehman book.

In summary, you aren't going to find anything in this book that isn't in the other two. What you will find is lengthy descriptions, and a lot more screenshots. As stated before, Snort 2.0 Intrusion Detection was written by 12 different people (one of them a Sourcefire employee and Snort.org website maintainer, Brian Caswell). This is obviously done by the publisher to get the book out as fast as possible, which is important for technology book publishers as books are outdated quickly, but has the end result of a disjointed book that contradicts itself in many areas. An example: one author stresses how deadly important it is for us to only use the latest Snort version, while another tells us to use the CDROM that comes with the book, which contains an outdated version of Snort.

You can clearly tell that different authors worked on different chapters, as the style and format change frequently. You can also tell that the authors didn't talk to each other much, as you will find one author referring to something in one chapter (unified binary format) that he expected to have been explained in a previous chapter. In print, the concept was not explained until later, which can be really frustrating if you are not a Snort pro. Additionally, there are enough grammatical errors in the book to be distracting, and, much like a vendor-provided user manual, the chapters don't logically flow from one to the next. If you do purchase this book, this slashdotter would recommend it as a supplement to either the Rehman or Koziol book.

You can purchase Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID, Intrusion Detection with Snort, and Snort 2.0 Intrusion Detection from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

123 comments

  1. Who needs snort? by mjmalone · · Score: 2, Funny

    Just put a teletype machine between your wall jack and your modem! DUH! If only FSF had this setup we wouldn't be in the pickle we're in!

  2. *snort* by bytesmythe · · Score: 5, Funny

    Apparently the FSF could use a copy of this book...

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
    1. Re:*snort* by mini+me · · Score: 5, Funny

      You mean MD5 sums from random people on the internet isn't good enough?

    2. Re:*snort* by Anonymous Coward · · Score: 0

      Or a copy of IIS, the FTP server included with that is better than wu-ftp.

    3. Re:*snort* by saint10 · · Score: 1

      It looks like a lot of ISPs could use these book too. ;)

    4. Re:*snort* by bytesmythe · · Score: 1

      Hell, we all needed it for MSBLAST. A lot of people (myself included) didn't take this worm very seriously until everything around started breaking. OLE drag-n-drop screwed up, RPC servers failing, svchost.exe crashing, javascript not functioning correctly... The only thing nastier is probably buried in the video archive on consumptionjunction.

      --
      bytesmythe
      Hypocrisy is the resin that holds the plywood of society together.
      -- Scott Meyer
  3. Anyone else read that as by Steven+Blanchley · · Score: 1, Funny

    "Three Short Books Reviewed"?

    1. Re:Anyone else read that as by IWorkForMorons · · Score: 1, Funny

      I just thought Timothy had other things on his mind...

    2. Re:Anyone else read that as by Anonymous Coward · · Score: 0

      It must be those shitty linux fonts your using. Back to windows until your a bearded gnu/hippy who's eyes are sharp as a goats vision.

    3. Re:Anyone else read that as by Anonymous Coward · · Score: 0

      Back to Windows for you until you learn to distinguish between "your" and "you're" you clit snorting ass face.

  4. If you need a commercial product with 24x7 support by phaetonic · · Score: 3, Informative

    Check out Symantec's ManHunt. Besides getting great support, this uses open source software (snort) and now runs on Red Hat Linux!

  5. Intrusion Detection is not plug and play by saint10 · · Score: 5, Insightful

    I would have to agree, Intrusion Detection technology is by no means plug and play... You need more than just a user manual, you have to understand what is actually going on and tune your IDS appropriately.

    1. Re:Intrusion Detection is not plug and play by Anonymous Coward · · Score: 0

      But, what if all I want to do is connect a red light and siren to my computer, and have it go off if there is an intruder?

    2. Re:Intrusion Detection is not plug and play by Descartes · · Score: 1

      Ok, I'm not trying to brag, but I disagree. I set up a system where SNORT dropped data into a MySQL database and used ACID to generate reports. I can't remember where I found the howto (I think it was on the ACID webpage) but it was pretty straightforward.

      I guess the one trick that made it easier was using Webmin to set the whole thing up, because there is a SNORT plugin.

      The only hitch was figuring out if it was really catching intrusion attempts because you either have to wait for an attack or do it yourself. I eventually turned on the porn filter and had my coworkers browse for porn.

      From my experience it was easier to set up than postfix, etc.

    3. Re:Intrusion Detection is not plug and play by Goozbach · · Score: 3, Informative

      here is the link for the google impaired: snort & acid.

      --

      I used to but then I quit.

    4. Re:Intrusion Detection is not plug and play by Wolfrider · · Score: 1

      ...Don't we all just wish it could be that easy?

      --
      .
      == WolfriderV6 == I'm willing to admit that *I just might* be wrong... Are you??
  6. Idiots.. by Anonymous Coward · · Score: 2, Funny

    I don't even need one book to snort properly.

    1. Re:Idiots.. by rcamans · · Score: 0

      He could have asked me how to snort. I have 100s of kbucks invested in that key learning and I would have told him everything I know for free:

      Don't snort!

      --
      wake up and hold your nose
  7. someone needs to write a snort book on by Anonymous Coward · · Score: 0

    why snort needs to be redesigned. <6 mos and there will be another gaping, remote root hole in it

    1. Re:someone needs to write a snort book on by xchino · · Score: 1

      It's only a remote root exploit if you are running the process as root, and that would be stupid. You are an AC though.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
  8. Snort is good but, by vgaphil · · Score: 0, Offtopic

    Beware of the Gnu-Emacs hole.

    "The Internet is a fad" -WB

    --
    A clever person solves a problem. A wise person avoids it. -- Einstein
  9. Drug related titles by bytesmythe · · Score: 5, Funny
    From one of the book titles:
    Using SNORT, Apache, MySQL, PHP, and ACID

    This somehow strikes me as a veiled reference to cocaine, peyote, quaaludes, phencyclidine, and LSD. No longer will pharmacologically-enhanced computing be restricted to the caffeine you get from a case of Jolt!

    --
    bytesmythe
    Hypocrisy is the resin that holds the plywood of society together.
    -- Scott Meyer
    1. Re:Drug related titles by panda · · Score: 0

      Except that MySQL isn't quaaludes. MySQL is code speak for MDMA.

      --
      Just be sure to wear the gold uniform when you beam down -- you know what happens when you wear the red one.
    2. Re:Drug related titles by Steven+Blanchley · · Score: 1

      What drug slang does "MySQL" sound like?

    3. Re:Drug related titles by Anonymous Coward · · Score: 0

      When the parent poster said MySQL is a reference to quaaludes, he was referring to their real name of Methaqualone.

  10. I'm still waiting... by packethead · · Score: 2, Insightful

    for an integrated Intrusion Prevention System (IPS). Detecting the threat is one thing. But detecting then bit-bucketing it (I know, another made up verb) is another matter. Also, false-pos's? "White Noise"?

    Oh well, another topic.

    --
    .sig
    1. Re:I'm still waiting... by saint10 · · Score: 2, Informative

      The book ends with some more advanced content, namely using Snort as an Intrusion Prevention device. You can setup Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.

      Hey, Koziol's book covers Intrusion Prevention and IPS. Lots of detail.

    2. Re:I'm still waiting... by silas_moeckel · · Score: 4, Informative

      I guess you want a Cisco IDS tied to a Pix with shunning turned on? SNORT does one thing well: detect nasty packets and flows. It's then up to you to do something about it in an automated manner. A little scripting can generally get this done.

      --
      No sir I dont like it.
    3. Re:I'm still waiting... by Anonymous Coward · · Score: 0

      Check out Lucid Security - they make a product called IP angel that runs a trimmed version of snort underneath. This IPS can direct Checkpoint to drop a connection if a sig triggers on it.

  11. A bit offtopic I know, but... by StringBlade · · Score: 0, Offtopic

    At first, I thought the infamous spelling ability of our editors managed to munge the article title of "Three Short Books Reviewed"!

    --
    ...and that's the way the cookie crumbles.
  12. Re:If you need a commercial product with 24x7 supp by Steven+Blanchley · · Score: 1
    this uses open source software (snort)
    What, you don't like open source for some reason?
  13. Did anybody read... by bersl2 · · Score: 2, Funny

    Did anybody read that word as "snort" instead of "short?" I thought for a moment that I was losing my mind.

    [crickets chirp]

    Oh, wait...

  14. Cocaine comics? by Anonymous Coward · · Score: 0

    I read this headline and first thought it was about reading a few issues of Rip Snortin' Cocaine Comics

  15. He's just whoring for his website (his link/sig). by Anonymous Coward · · Score: 0

    What a loser. BUY AN AD! (Oh wait, this isn't K5)

  16. The problem is... by TypoNAM · · Score: 2, Interesting

    It would have taken me reading all three of those books just to figure out where to place those damn rule files. I could have RTFM, but no one has published that snort title yet.

    Besides, I'd rather set up a honeypot and watch the hackers break in. It's like watching ants trying to break out of the glass. You're going nowhere bub! >:D

    --
    This space is not for rent.
  17. Web attack Forensic documents by Anonymous Coward · · Score: 4, Informative

    These documents were the baseline for many of the web-attacks.rules used in snort.

    Fingerprinting port 80 attacks Part one
    Fingerprinting port 80 attacks part two

  18. Re:A benefit of subscribing is knowing that your $ by Anonymous Coward · · Score: 0

    Get a life

  19. I don't need snort by ianjk · · Score: 4, Funny

    Windows XP firewall keeps my network safe.

    1. Re:I don't need snort by brakk · · Score: 2, Funny

      If you could just keep the damned thing from rebooting!

    2. Re:I don't need snort by sloanster · · Score: 1

      Could it be that your pc firewall is infested with worms and virii, and you don't even know it? windows xp is vulnerable, you know -

      ms windows users, of all people, ought not to be too cocky about things like this.

    3. Re:I don't need snort by ianjk · · Score: 1

      /me joking.

  20. Frustrated? by indole · · Score: 1
    To get past those frustrations...
    This frustrated the hell out of me...
    frustrating at points...
    really frustrating...
    Dude! Chill the fsck out. It's only a computer book.
    --
    (2,3-Benzopyrrole)
    1. Re:Frustrated? by Anonymous Coward · · Score: 0

      You actually read the article?

    2. Re:Frustrated? by timeOday · · Score: 1

      Simple question: have you used snort?

    3. Re:Frustrated? by indole · · Score: 1
      yeah when you look at it that way... If the review was from me it would be necessary to:
      cat ARTICLE | sed 's/frustrat^/hopeless, so I gave up/g' > ARTICLE.NEW
      --
      (2,3-Benzopyrrole)
  21. Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR by scrollios · · Score: 0

    mjmalone just needs to get back to school...the lack of drinking and women is forcing him to find alternate means of entertainment....yech...like pounceposting and politics.

    --
    Doot!
  22. Re:If you need a commercial product with 24x7 supp by Anonymous Coward · · Score: 1, Interesting

    >Check out Symantec's ManHunt. Besides getting great support, this uses open source software (snort) and now runs on Red Hat Linux!

    I'd also recommended Puresecure Professional it's been a godsend.

    Plus, they have a free version for homeusers.

  23. Superstition.. by Anonymous Coward · · Score: 0

    Who in their right mind makes a post about security on August 13th?

  24. Cocaine, Ritalin, Paxil and Adderall! by Anonymous Coward · · Score: 0

    Whee! I'm so high I feel like investing in VA Software!

    Anybody have any nasal spray?

  25. Integration With Vulnerability Assessment Engines by illectro · · Score: 3, Interesting
    Qualys launched a neat Snort correlation system which works with their scanner - the idea is that if the IDS detects a potential exploit attempt against a target it can check up the vulnerability report on that machine and figure out whether the attack has any chance of working based on the Qualysguard tests.


    Nice theory, of course you do need a qualys account which costs a bunch (they do lead the field though), but they reckon it cuts down false alarms by a huge chunk. They launched this at Blackhat this year (along with the law of vulnerabilities) and it's been open sourced (yay!).

  26. don't buy use safari by asv108 · · Score: 4, Interesting

    I wasn't a big fan of the online book idea until I tried Safari for the first time a few months ago. A quick search for snort reveals 38 different books that focus on or have chapters dealing with snort, including the one book "Intrusion Detection with Snort" that was mentioned in this review. The retail cost of these three books alone would cover a safari subscription for a year (10 books out at any given time). There is a free 14 day trial, it got me hooked. I ended up selling 20+ books in my bookshelf that were already on Safari, covering my Safari fees for the next 2 years.

  27. Three Cheers for Slashdot by Anonymous Coward · · Score: 1, Interesting
    Slashdot strikes out
    reported by Anonymous Cannibal

    In developing news, Slashdot.org has released a non-SCO related article. Slashdotters are ecstatic at the incoming news "Oh man I really thought it was the end of the road there for a minute, I mean last week was bad, but as of Sunday, I don't know how many SCO based articles they posted. I think it's somewhere in the low hundreds though" stated a user who wished to remain anonymous.

    "It's exciting for the moment, but I know these morons will just post some other sickening story about a company that's about to go under any god damned moment". stated fx0rspy.

    Slashdot once upon a time was one of the hottest sites on the net, and the site which now boasts close to 600+ thousand users (most of which are duplicate users) is slowly going down the toilet. "Well I doubt if it is going to go away, if it did most of the admins there would likely commit suicide or something. I just want to see it go back to the basics and focus on news. Sure SCO is news, but do we really need it shoved down our throats four to five times?" stated another user via IRC who wished to remain anonymous.

    So for those who are interested in real news, such as how China will replace every citizen's ID card with Digital Cards, you can read this here, or if you care about the NSA possibly backdooring all software, you can read that too by clicking here. The CIA's statement on WMD? Sure right here, however, if you're looking for another SCO article, stay tuned one will be available within the hour.

    Numerous requests were sent to Slashdot administrative staff who never responded to our e-mails. We feel for them, and will make sure to send them carfare when the company goes under so they'll be able to get to the unemployment office.

    (c) 2003 Disgruntled Slashdotter

    1. Re:Three Cheers for Slashdot by Anonymous Coward · · Score: 0
      "Well I doubt if it is going to go away, if it did most of the admins there would likely commit suicide or something. I just want to see it go back to the basics and focus on news. Sure SCO is news, but do we really need it shoved down our throats four to five times?" stated another user via IRC who wished to remain anonymous.

      Please. No IRC user has ever communicated so clearly.

  28. Re:If you need a commercial product... by supersmike · · Score: 2, Insightful

    Wha? That sounded kind of interesting until I searched Google for "symantec manhunt pricing" and came back with $15,000! I think I'll go with a copy of Snort and one of those books.

  29. Dear Submitter: by Anti+Frozt · · Score: 0

    We here at Slashdot do not approve of inhaling or "snorting" drugs. The following alternatives are suggested:

    • Jolt Cola
    • Jolt Gum
    • Chocolate covered espresso beans
    • Black-black chewing gum

    Information on these alternatives can be found here and here

    Thank you!
    Slashdot Administrators

    --
    In C++, friends can touch each others private parts.
  30. Humorless slashbot dopes modded you down by Anonymous Coward · · Score: 0

    The parent is funny, but apparently it's more important around this dump to smack something down as offtopic than to appreciate how clever it is -- or let others' appreciation of it stand as-is.

    Lighten up, moderators. Put down your kona blend, peel yourselves out of the chair, and consider what's more important than whether or not people are clinging to the "topic."

  31. Snort? by Black+Noise · · Score: 0, Flamebait

    Just what is a snort anyway? Sure, I've read numerous descriptions, but does anyone have a sample, or even better a movie clip?

    I'm really curious.

    --

    Cig? No, thank you.
    1. Re:Snort? by Anonymous Coward · · Score: 0

      A sample would be much more effective than a movie clip

    2. Re:Snort? by Black+Noise · · Score: 1

      Well, I assumed the movie clip came with audio.

      --

      Cig? No, thank you.
    3. Re:Snort? by Anonymous Coward · · Score: 0

      No. Snort is the name of the steam shovel that drops the baby bird back in his nest.

  32. nice to see... by wwest4 · · Score: 4, Interesting

    since snort is such a nice IDS and a good example of OSS components becoming more than their sum, it's nice to see books coming out.

    it certainly isn't plug-n-play, but it's not super technical to install - it's just tedious and open to stupid installation mistakes. i've had a newb trainee install it in a couple of days... not bad for just diving in, but an automated installation would make snort the bomb. anyone know of progress in this area (on any platform)?

    1. Re:nice to see... by Jellybob · · Score: 1

      With something like Snort I think it's important to know exactly what it's doing, otherwise the first you know of a config problem is when someone walks into your "secure" network through a hole you left.

    2. Re:nice to see... by wwest4 · · Score: 1

      i know where you're coming from - i just wince when i think about sitting down and reinstalling those components again.

      if someone knowledgeable put an installer together, i'd have more time to deploy sensors at different points in my networks without needing dedicated boxes or similar hardware.

    3. Re:nice to see... by susecam · · Score: 1

      HenWen is a packaged version of snort for OS X that has automated installation. Take a look here: http://www.apple.com/downloads/macosx/networking_security/henwen.html

  33. Local Linux user found trapped in woods. by Mike+Green+Chal · · Score: 1
    People, one of our own has been found. Trapped in the local woods of newtown square. He did not use the SNORT anti hacker software and was taken away by SCO goons late last evening. Truly a troubling loss.

    They caught him infringing on their IP property by using 12 lines of SCO code in his homebrew linux computer's kernel. Please help us save this young man. Check out The Mike Green Challenge site today, to help rescue this young man from the oppressive clutches of SCO and Micro$oft.

  34. Direction of intrusion detection is....... by DRWHOISME · · Score: 1

    Artificial intelligence ?

    1. Re:Direction of intrusion detection is....... by Anonymous Coward · · Score: 0

      Mobile Agents.

    2. Re:Direction of intrusion detection is....... by DRWHOISME · · Score: 1

      stationary agents

  35. Re:Integration With Vulnerability Assessment Engin by szyzyg · · Score: 1

    Great Got a URL?
    Is this it?
    http://quidscor.sourceforge.net/

  36. Re:Eh? by Anonymous Coward · · Score: 0

    You also misread your post as "orignal."

  37. Can you print the books you check out? by doc_traig · · Score: 1

    I stare at a screen enough during the day... I generally prefer the pulpy versions of any kind of book.

    --
    So long, michael. Don't let the door hit you...
  38. What other books? by Anonymous Coward · · Score: 0

    "(we will see another two Snort books later this winter)"

    Anyone know who will be doing these?

  39. A pain to get snort working? by Rahga · · Score: 3, Interesting

    I can't even pretend to be a great "network administrator" or "software engineer", but I don't see how anyone can even pretend that Snort is difficult to set up with some of the documentation on the website. The most foolproof one there goes by the name of something like "RedHat 9 + Snort + Acid + MySQL + Apache", and RH9 is only used in the "base packages" sense (except for sharutils, which doesn't seem to install by default, but comes in handy when installing Nessus with the installer script).

    If you can't install Snort with that type of docum.... hold on... the late 90s called, they wanted to congratulate you on beating the odds.

  40. *sniff* by rwven · · Score: 0

    heh we're probably going to buy a book or two here at work. the problem with snort is not getting it installed and up and running. we even have scripts running that e-mail out the daily (and then a monthly compilation) logs of snort detections and then archive the old ones and junk. (rvennell@dbu.edu if you want them) that's the easy part. the hard part is getting everything up and running and then being able to decode:

        [**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
        [Classification: Misc activity] [Priority: 3]
        07/31-10:09:33.337662 148.223.223.41 -> 10.1.1.67
        ICMP TTL:240 TOS:0x0 ID:25562 IpLen:20 DgmLen:56
        Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
        ** ORIGINAL DATAGRAM DUMP:
        10.1.1.67:7700 -> 159.16.131.56:59859
        TCP TTL:113 TOS:0x0 ID:52194 IpLen:20 DgmLen:52
        Seq: 0xE9B061C5 Ack: 0x0
        ** END OF DUMP

    And how does one stop the aforementioned from happening if it happens to be bad? ya need a book to know what to do with the output....setup is nothing...

  41. thanks... by Overbyte · · Score: 2, Funny

    for getting me all worked up. My fiance snorts when she laughs. I was hoping one of these books would help her(me?) out...

  42. Yea, it's begging to be turned into a... by StressGuy · · Score: 1

    Rosanne Rosanadanna bit.

    --
    A goal is a dream with a deadline
  43. nice to see...Portable nose. by Anonymous Coward · · Score: 0

    To paraphrase a commercial: "This is a good place for a Knoppix disk".

    Intrusion detection wherever it's needed, and unhackable to boot.

  44. Web Intrusion Detection by ivan.ristic · · Score: 3, Informative

    If you are interested in detecting and preventing web attacks specifically then you should have a look at mod_security. It is an Apache module (both branches are supported) that allows for some very interesting HTTP-specific filtering. It even supports POST method analysis, and can reject an offending request. Since it works as part of the web server it makes it much easier to detect attacks carried out through an SSL channel.

  45. This reviewer is clueless by Helevius · · Score: 1
    Try reviewing Snort books when you know something about Snort. For example, saying "This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book" shows you know nothing about Snort's internals. Snort 2.0 offers several new features -- check them out!

    These reviews are more helpful. A copy of the Koziol book is on the way to the Amazon.com reviewer so he should be able to rate it against the Caswell and Rehman books.

    And those ratings -- 4/10 for Caswell, currently selling at #423 at Amazon.com, compared to 7/10 for Rehman, currently #5691 at Amazon.com? Popular opinion isn't everything, but people are clearly buying the better book -- despite its faults.

    Helevius

    1. Re:This reviewer is clueless by ostiguy · · Score: 1

      The Rehman book came out 3 months later - does that play into the amazon sales ranking? Not that sales has anything to do with quality

    2. Re:This reviewer is clueless by donnie_darko2 · · Score: 1

      And those ratings -- 4/10 for Caswell, currently selling at #423 at Amazon.com, compared to 7/10 for Rehman, currently #5691 at Amazon.com? Popular opinion isn't everything, but people are clearly buying the better book -- despite its faults.

      Well... according to your logic, Windows is the best possible desktop OS because it outsells everything else.

      Number of Sales != Quality

      Ever hear that "the best marketed product always wins, not the best product"????

      I think you are the one who is clueless.

  46. Snort? by xihr · · Score: 2, Funny

    Wasn't that the name of the big truck in Are You My Mother?

  47. funny by sootman · · Score: 1

    when I first read the headline, I thought "three snort" was a rating of how funny something was.

    for example, this post is about a half-snort. :-)

    --
    Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
  48. This one is even cheaper.. by xchino · · Score: 1

    So cheap it's free.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
    1. Re:This one is even cheaper.. by xchino · · Score: 1

      Including links is good.
      Snort, Apache, PHP, MySQL, ACID on Redhat 9.0 Installation Guide

      Also, throw snortcenter in the mix and you've got a full solution in an easy to manage package.

      --
      Everyone is entitled to their own opinion. It's just that yours is stupid.
  49. Re:If you need a commercial product with 24x7 supp by Hatta · · Score: 2, Funny

    I also recommend Sierra's Manhunter. A solid cyberpunk adventure game from the glory days.

    --
    Give me Classic Slashdot or give me death!
  50. Re:If you need a commercial product with 24x7 supp by RossCarlson · · Score: 1

    Are you guys sure this is using Snort and RedHat? We've been told that it's proprietary... We use Border Guard (www.stillsecure.com)

  51. NSWC SHADOW by Anonymous Coward · · Score: 1, Interesting

    Looking for IDS? try SHADOW, from Naval Surface Warfare Center - Dahlgren.

  52. Re:If you need a commercial product... by Anonymous Coward · · Score: 0

    Not much to pay for a multi-million dollar corporation with interests to keep safe, if you ask me. And I think Symantec will be around for a while...

  54. Like 3-beer people? by namespan · · Score: 1

    Is a three snort book anything like a three beer woman (or man) in a bar? The number of snorts it takes one to see useful information in the book?

    --
    Libertarianism is rich wolves and poor sheep playing gambler's ruin for dinner.
  55. IDS is not a set-up and forget kinda thing by venom600 · · Score: 1

    He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.

    Anybody who makes a statement like that quite obviously has never gotten too serious about setting up and maintaining an IDS. Every IDS I've ever used has required quite a bit of care and feeding to make it useful.

    First of all, most IDS's have so many false-positives right out of the box that you just have to do some tweaking to keep your sanity.

    Next, for an IDS to be effective, it must be kept up to date. This means importing new rules from the vendor. Making sure those rules are not a whole new batch of false positives. And writing your own rules to tailor the IDS to effectively monitor your network.

    These kinds of things (and the above 2 are just a couple of examples of many different care/feeding aspects of IDS installations) are a must if you are even remotely serious about having an effective IDS. An IDS, by its very nature, is a system which is definitely NOT a 'set up and move on to something else' kind of system.
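
    An added example, not part of the thread and not Snort's own code: a Python parser for the "full" alert format rwven pasted in #40, extended with the two things venom600's post above says an operator actually has to do with that output, namely count alerts per signature ID to see where false-positive tuning should start, and pull the embedded original datagram out of ICMP error alerts so the right host gets triaged. The sample log is constructed (the first record mirrors the shape of the alert quoted in the thread, the other two are invented in the same format, and SID 1000001 is a hypothetical local rule); treating RFC 1918 space as "internal" is an assumption about the monitored network.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's "full" alert format (not real traffic): the first
# record mirrors the alert quoted in the thread, the other two are invented.
SAMPLE_ALERT_LOG = """\
[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/31-10:09:33.337662 148.223.223.41 -> 10.1.1.67
ICMP TTL:240 TOS:0x0 ID:25562 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.1.1.67:7700 -> 159.16.131.56:59859
TCP TTL:113 TOS:0x0 ID:52194 IpLen:20 DgmLen:52
Seq: 0xE9B061C5  Ack: 0x0
** END OF DUMP

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/31-10:12:01.000001 192.0.2.1 -> 10.1.1.67
ICMP TTL:240 TOS:0x0 ID:1 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.1.1.67:7700 -> 198.51.100.7:40001
TCP TTL:113 TOS:0x0 ID:2 IpLen:20 DgmLen:52
Seq: 0x00000001  Ack: 0x0
** END OF DUMP

[**] [1:1000001:1] LOCAL hypothetical rule for this example [**]
[Classification: Misc activity] [Priority: 2]
07/31-10:15:44.123456 198.51.100.9:31337 -> 10.1.1.10:80
TCP TTL:64 TOS:0x0 ID:3 IpLen:20 DgmLen:60
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
ENDPOINTS = (r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))? -> "
             r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$")
PACKET_RE = re.compile(r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) " + ENDPOINTS)
INNER_RE = re.compile("^" + ENDPOINTS)
PROTOCOLS = {"TCP", "UDP", "ICMP"}
# Assumption: the monitored network lives in RFC 1918 space.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _endpoints(m):
    """src/dst and ports from an ENDPOINTS match; ports are None when absent."""
    return {"src": m["src"], "sport": int(m["sport"]) if m["sport"] else None,
            "dst": m["dst"], "dport": int(m["dport"]) if m["dport"] else None}

def parse_alerts(text):
    """Split a full-format log into records and pull out the triage fields;
    blocks that do not start with an alert header are skipped, not fatal."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.rstrip() for ln in block.splitlines() if ln.strip()]
        header = HEADER_RE.match(lines[0])
        if not header:
            continue
        gid, sid, rev, msg = header.groups()
        rec = {"gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
               "classification": None, "priority": None, "timestamp": None, "src": None,
               "sport": None, "dst": None, "dport": None, "proto": None, "inner": None}
        in_dump = False
        for ln in lines[1:]:
            if in_dump:  # between "** ORIGINAL DATAGRAM DUMP:" and "** END OF DUMP"
                if ln.startswith("** END OF DUMP"):
                    in_dump = False
                elif (m := INNER_RE.match(ln)):
                    rec["inner"] = dict(_endpoints(m), proto=None)
                elif rec["inner"] and rec["inner"]["proto"] is None:
                    rec["inner"]["proto"] = ln.split()[0]  # "TCP TTL:113 ..."
                continue
            if ln.startswith("** ORIGINAL DATAGRAM DUMP:"):
                in_dump = True
            elif (m := CLASS_RE.match(ln)):
                rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
            elif (m := PACKET_RE.match(ln)):
                rec.update(_endpoints(m), timestamp=m["ts"])
            elif rec["proto"] is None and ln.split()[0] in PROTOCOLS:
                rec["proto"] = ln.split()[0]  # "ICMP TTL:240 ..."
        records.append(rec)
    return records

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def top_signatures(records, n=5):
    """Alert count per gid:sid, busiest first: where false-positive tuning pays off."""
    counts = Counter((f"{r['gid']}:{r['sid']}", r["msg"]) for r in records)
    return counts.most_common(n)

def icmp_error_originators(records):
    """For ICMP unreachable alerts the outer source is only the router that dropped
    the packet; the host to triage is the inner datagram's source.  Return
    (src, dst, dport) for each rejected packet that one of our hosts sent."""
    return [(r["inner"]["src"], r["inner"]["dst"], r["inner"]["dport"])
            for r in records
            if r["proto"] == "ICMP" and r["inner"] and is_internal(r["inner"]["src"])]
```

    Running `parse_alerts` over the sample and feeding the result to `top_signatures` puts 1:485 at the head of the list with two hits; in a real file that head is the list of rules to threshold, suppress or rewrite first. `icmp_error_originators` answers the question asked in #40: for a Type 3 / Code 13 alert the packet Snort saw came from the filtering router (148.223.223.41), but the host that did something was 10.1.1.67, which sent a TCP packet toward 159.16.131.56:59859 that an upstream filter refused. Whether that is "bad" is a question about that host, not about the router that reported it.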

  56. Re:If you need a commercial product with 24x7 supp by SquadBoy · · Score: 1

    Sourcefire just plain rocks. :)

    --

    Cypherpunks: Civil Liberty Through Complex Mathematics. Those who live by the sword die by the arrow.
  57. More reviews for this book by Anonymous Coward · · Score: 0

    Some more reviews for these books by a professional IDS analyst:

    Snort 2.0 Intrusion Detection

    Intrusion Detection with Snort

    More reviews here

  58. granted, but by frankmanowar · · Score: 1

    He did say it was "for the reader who...," he did not say "it was perfect for me because I want to setup and forget." It's pretty clear from the review that the guy is looking to do exactly the opposite.

    Anybody who makes a statement like that quite obviously has never gotten too serious about setting up and maintaining an IDS.

    right, which is why he is picking up some books on the subject. the reviews were damn informative for me, who is in the same boat. I don't think that a person looking for knowledge and sharing what they gained is a bad thing.

    --

    "Other bands play, but Manowar KILLS"
  59. Some comments by martyroesch · · Score: 3, Informative
    I've got a few comments, and seeing as I'm Snort's author I thought people would care for once. :)

    First off, I'm not just Snort's author, I'm also the founder of Sourcefire. Sourcefire was started once it became apparent that enough commercial/governmental users wanted commercial support to make it a viable business model. Raising the VC was not easy, try going into a venture capitalist's office sometime and telling them about how you want to build a product company around a core technology that's free. I talked to something like 12 different investment firms before we got the time of day from anyone, VC wasn't really looking for the next big Open Source story in 2001, they were trying to figure out what the hell happened to all their investments.

    Sourcefire eventually got funded, but we did it the old-fashioned way by building the product on a shoestring and then selling it into big accounts. Once we made a few hundred kilobucks from my living room (i.e. the original Sourcefire corporate campus), we finally got some attention and (eventually) money. Let me reiterate, it was not easy.

    The author of the article could have saved some money on books (and so can you) if you simply read the USAGE file and the SnortUserManual.pdf file that should be included with your Snort download. Both of those files have quickstart information that will let you get up and running with Snort in about 15-30 minutes. Snort was designed to be easy for people who are used to using Linux, keep that in mind when using it for the first time. If you're getting lots of little log files, try using the -b switch at the command line, it'll log to a single file in pcap binary format (like ethereal/tcpdump). Additionally, read the FAQ and check out the mailing lists, they're invaluable.

    Finally, the security vulnerabilities that were located in Snort this past spring led us to perform an internal and two external independent paid security audits of the Snort code base, funded by Sourcefire. We're also exercising additional diligence when evaluating contributed code and looking at the code we're developing internally at Sourcefire. It should be noted, all the code that is developed for Snort at Sourcefire is released under the GPL, we're dedicated to always keeping Snort free and making it the best IDS we can.

    1. Re:Some comments by Anonymous Coward · · Score: 0

      Well kudos to you once again for giving the community an open source IDS Marty! Though the books I reviewed at www.security-forums.com are truly excellent. They are also aimed at people who are looking for a definitive source for Snort information, and would prefer it in a bound copy. Hell I do IDS for a living, and the books are as good as I said they are.
      Cheers Marty
      alt_don

  60. Re:If you need a commercial product with 24x7 supp by Anonymous Coward · · Score: 1, Informative

    Manhunt is an anomaly-based IDS. It contains a proprietary engine that 'looks' for anomalies, rather than using a list of signatures. However, this platform can contain separate signatures running in conjunction with the anomaly engine. These signatures are in snort format.

  61. Re:Integration With Vulnerability Assessment Engin by Anonymous Coward · · Score: 0

    actually there's much better in terms of performance and, most important, completely _free_ : check Prelude IDS combined with Nessus VA.

    man, snort is so much about stealing all the good ideas ;)