Snort 2.1 Intrusion Detection, Second Edition [Paperback]

Jay Beale (Author), Caswell (Author)
4.4 out of 5 stars  See all reviews (11 customer reviews)


Book Description

ISBN-10: 1931836043 | ISBN-13: 978-1931836043 | May 2004 | 2nd edition
Called "the leader in the Snort IDS book arms race" by Richard Bejtlich, top Amazon reviewer, this brand-new edition of the best-selling Snort book covers all the latest features of a major upgrade to the product and includes a bonus DVD with Snort 2.1 and other utilities.

Written by the same lead engineers of the Snort Development team, this will be the first book available on the major upgrade from Snort 2 to Snort 2.1 (in this community, major upgrades are noted by .x and not by full number upgrades as in 2.0 to 3.0). Readers will be given invaluable insight into the code base of Snort, and in depth tutorials of complex installation, configuration, and troubleshooting scenarios. Snort has three primary uses: as a straight packet sniffer, a packet logger, or as a full-blown network intrusion detection system. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes. Snort uses a flexible rules language to describe traffic that it should collect or pass, a detection engine that utilizes a modular plug-in architecture, and a real-time alerting capability. A CD containing the latest version of Snort as well as other up-to-date Open Source security utilities will accompany the book.

Snort is a powerful Network Intrusion Detection System that can provide enterprise wide sensors to protect your computer assets from both internal and external attack.

* Completely updated and comprehensive coverage of Snort 2.1
* Includes free CD with all the latest popular plug-ins
* Provides step-by-step instruction for installing, configuring and troubleshooting


Editorial Reviews

About the Author

Jay Beale is a security specialist focused on host lockdown and security audits. He is the Lead Developer of the Bastille project, which creates a hardening script for Linux, HP-UX, and Mac OS X, a member of the Honeynet Project, and the Linux technical lead in the Center for Internet Security. A frequent conference speaker and trainer, Jay speaks and trains at the Black Hat and LinuxWorld conferences, among others. A senior research scientist with the George Washington University Cyber Security Policy and Research Institute, Jay makes his living as a security consultant through the MD-based firm Intelguardians, LLC, where he works on security architecture reviews, threat mitigation and penetration tests against Unix and Windows targets. Jay has written a number of articles and book chapters on operating system security. He is a columnist for Information Security Magazine and previously wrote a number of articles for SecurityPortal.com and SecurityFocus.com. He co-authored the Syngress international best-seller Snort 2.0 Intrusion Detection (ISBN: 1931836744) and serves as the series and technical editor of the Syngress Open Source Security series. Brian Caswell is a member of the Snort core team, where he is the primary author for the world's most widely used intrusion detection rulesets. He is a member of the Shmoo group, an international not-for-profit, non-milindustrial independent private think tank. He is a technical editor of Snort 2.0 Intrusion Detection (Syngress, ISBN: 1931836744). Currently, Brian is a Research Engineer within the Vulnerability Research Team for Sourcefire, a provider of one of the world's most advanced and flexible Intrusion Management solutions. Before Sourcefire, Brian was the IDS team leader and all around supergeek for MITRE, a government sponsored think tank.

Mike Poor is a Founder and Senior Security Analyst for the DC firm Intelguardians Network Intelligence. In his recent past life he has worked for Sourcefire, as a research engineer, and for the SANS Institute as a member of the technical staff. As a consultant, Mike conducts penetration tests, vulnerability assessments, security audits and architecture reviews. His primary job focus, however, is intrusion detection, response, and mitigation. Mike currently holds both GSEC and GCIA certifications and is an expert in network engineering and systems, network and web administration. Mike is an Incident Handler for the Internet Storm Center.

James C. Foster is the Deputy Director, Global Security Development for Computer Sciences Corporation, where he is leading the task of developing and delivering managed, educational, informational, consulting, and outsourcing security services. Prior to joining CSC, Foster was the Director of Research and Development for Foundstone Inc. and was responsible for all aspects of product and corporate R&D including corporate strategy and international market expansion. Preceding Foundstone, Foster was a Senior Advisor and Research Scientist with Guardent Inc. (acquired by Verisign in 2004 for $135 Million) and an adjunct author at Information Security Magazine (acquired for an undisclosed amount by TechTarget in 2003). He is commonly asked to comment on pertinent security issues and has been cited in USAToday, Information Security Magazine, Baseline, Computer World, Secure Computing, and the MIT Technologist. James has co-authored or contributed to Snort 2.0 Intrusion Detection (Syngress, ISBN: 1931836744), and Special Ops Host and Network Security for Microsoft, Unix, and Oracle (Syngress, ISBN: 1931836698).


Product Details

  • Paperback: 751 pages
  • Publisher: Syngress; 2nd edition (May 2004)
  • Language: English
  • ISBN-10: 1931836043
  • ISBN-13: 978-1931836043
  • Product Dimensions: 9.2 x 7 x 1.5 inches
  • Shipping Weight: 2.4 pounds
  • Average Customer Review: 4.4 out of 5 stars  See all reviews (11 customer reviews)
  • Amazon Best Sellers Rank: #1,048,053 in Books (See Top 100 in Books)

Customer Reviews

11 reviews: 5 star (7), 4 star (3), 3 star (0), 2 star (0), 1 star (1).
Average Customer Review: 4.4 out of 5 stars (11 customer reviews)

Most Helpful Customer Reviews

51 of 53 people found the following review helpful:
4.0 out of 5 stars Still the best Snort book, but not as good as it should be, July 12, 2004
This review is from: Snort 2.1 Intrusion Detection, Second Edition (Paperback)
Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Excerpts from that review appear on the back cover and first page of "Snort 2.1," published only 14 months later. I still think "Snort 2.1" is overall the best Snort book available, but I was disappointed by signs of rushed production and lack of coverage of key Snort features.

The table of contents for "Snort 2.1" is deceiving, as it is almost exactly the same as "Snort 2.0." However, the new book is almost 200 pages larger than its predecessor, with many internal modifications. Chapters 1, 2, 3, 4, 9, 11, 12 and 13 are either completely new or substantially new. Chapters 5, 6, 7, 8, and 10 are either partial rewrites or have some material added or dropped. Despite all of this work, "Snort 2.1" fails to spend time on key subjects, which I will mention during a chapter-by-chapter examination of the book.

First, I recommend skipping ch 1. Aside from some general IDS advice, it is haphazard and contributes nothing to the core Snort discussion. Ch 2 is a quick overview of Snort capabilities, and should have been the lead chapter. Ch 3 describes Snort installation, but suffers apparently swapped figures (3.1 and 3.2) and a wrong figure (3.5). Ch 3 is still a nice upgrade from its counterpart in "Snort 2.0," which gave hints for deploying Snort on Red Hat Linux 8.0. The new ch 3 covers Linux, OpenBSD, and Windows.

Ch 4, "Inner Workings," is one of the reasons "Snort 2.1" has an advantage over the competition. It's tough to go wrong when Snort's developers describe the tool's operation. Still, signs of rough editing appear on p. 170 and 191, and the "-a cmg" switch should be "-A cmg".

Ch 5 covers rules, and is a big disappointment. For most users, rules are the primary means to customize Snort. Like "Snort 2.0," ch 5 fails to help readers with some of the more important new Snort rule options, like byte_test, byte_jump, distance, and within (available since 2.0.rc1 in Mar 03). Ch 5 implies on p. 145 that running Snort with -v is a good idea, despite every other recommendation in the book that verbose mode is a performance killer. Also, the IP "sec" option mentioned on p. 205 is not "IPSec" -- see RFC 791. Overall, ch 5 spends too much time restating rule information found in Snort's manual, and not enough time on features available even in Snort 2.0.

Ch 6's discussion of preprocessors is a solid chapter, with new material on Snort's flow module, http_inspect, and perfmonitor. The telnet preprocessor section is one of the better examples of a "code walkthrough," where the author shows code while explaining what it does.

Ch 7 is really showing its age. "Snort 2.0" was behind the times when it said "Unified logs are the future of Snort reporting," and "Snort 2.1" makes the same mistake. Barnyard, a means to read unified logs, was available in Sep 01! Ch 7 also misses the boat on XML output, calling it "our favorite and relatively new logging format" on p. 322. The XML plug-in spo_xml wasn't even part of snort-2.0.0, never mind snort-2.1.0. Basic research would have revealed Joe McAlerney's announcement of Silicon Defense's snort-idmef XML plug-in in Jun 01, followed by Sandro Poppi's assumption of the project in Aug 03. A mention of Barnyard's "XML formatting capabilities" appears in ch 7 on p. 322, yet Barnyard does not offer this natively.

I was happy to see Sguil addressed in ch 8, but sad to see Sguil's use of session and full content data not appreciated for its true worth. Ch 9 does a good job describing Oinkmaster and gives sound advice on avoiding the "not any" rule negation problem. Ch 10 covers really old testing tools like Sneeze, whose stateless operation cannot fool stream4's stateful inspection.

Ch 11, explaining Barnyard, is clearly the book's shining moment. This is the reason I read "Snort 2.1": Barnyard's author, Andrew Baker, describes Barnyard's history, the format of unified logs, and how best to use his contribution to Snort. Bravo. Ch 12 was also very good, using case studies to compare three different "active response" choices. Ch 13 was new but not exceptionally helpful.

I would enjoy seeing three improvements in the third edition. First, thoroughly scrub the book for old information. Watch out for people writing about "Cerebus" or http_decode or offerings from Silicon Defense, whose Web site disappeared in early 2004. Second, tell people to read the excellent Snort manual before reading the book. There's no need to address topics well-covered in the manual, like all of the IP- and TCP-based rule options. Third, ditch the existing rules chapter in favor of two new ones, one explaining principles via existing rules, and one showing advanced rule development.

I still recommend buying this book, but you might guide your reading choices by the comments in this review.

5 of 5 people found the following review helpful:
5.0 out of 5 stars Detailed information for IDS systems and Snort in particular, July 15, 2004
This review is from: Snort 2.1 Intrusion Detection, Second Edition (Paperback)
If you want to know about Snort 2.1, one of the best open source intrusion detection systems available, then "Snort 2.1 Intrusion Detection, Second Edition" is the book you will want to have. This is an extensive examination of the Snort program and includes Snort 2.1 on CD with the Book.

The authors start with defining what an intrusion detection system is, what it is not, and how placing it in your network at different points achieves different goals. This is followed by an introduction to Snort and a description of its capabilities and functions before getting into the nuts and bolts of installing and configuring it.

One of the more difficult parts of Snort to understand is how to write the rules that determine when an intrusion has occurred. The authors do an excellent job of describing exactly how to write good rules to achieve the results you want. They even include an excellent section on how to deal with all that information you will be collecting.

"Snort 2.1 Intrusion Detection, Second Edition" is highly recommended for anyone who wants a good, useful explanation of how an intrusion detection system should work and how to implement Snort to achieve that result.

1 of 1 people found the following review helpful:
5.0 out of 5 stars mighty impressive second edition, June 29, 2004
This review is from: Snort 2.1 Intrusion Detection, Second Edition (Paperback)
I was concerned this book may fall into the "second edition trap" of search and replace 2.0 with 2.1. Upon thorough reading, this is obviously not the case. The authors have thoroughly documented all new/enhanced features of 2.1, but more importantly they again break new ground by providing unique, creative, and thoroughly useful information on things like writing rules, the intricacies of preprocessors, etc. They don't just teach you how to USE Snort, they teach you how to think about using Snort (and other tools) to better defend your network. The chapter on Barnyard in particular was very interesting, and it's obvious from following the Snort site/list that a lot of the new features were developed in conjunction with the writing of this book. So, this book isn't a re-hash of information, it's the definitive work from the creators.
Inside This Book

First Sentence:
It's three o'clock in the morning, and Andy Attacker is hard at work.

Key Phrases - Statistically Improbable Phrases (SIPs):
syslog alerting, active response system, flow preprocessor, conversation preprocessor, iptables policy, pcap file, new detection engine, portscan preprocessor, iptables ruleset, snort rules, alert tcp, unified files, protocol anomaly detection, snort data, unified logs, alert udp, default port list, output plugins, incoming packet data, snort install, unified logging, configuring snort, bookmark support, snort logs, instance specific data

Key Phrases - Capitalized Phrases (CAPs):
Frequently Asked Questions, Solutions Fast Track, Red Hat, Ask the Author, Marty Roesch, Entire Query, Installing Barnyard, United States, Berkeley Packet Filter, Destination Unreachable, Honeynet Project, Microsoft Windows, Updating Snort, Check Point, Click Next, Decoding Ethernet, Gentoo Linux, Stop Alerts, Brief Word, Dug Song, Entering Extended Passive Mode, Frag Offset, Frag Size, Fragmentation Stats, Frank Knobbe Plugin