Snort Cookbook
4.0 out of 5 stars (5 customer reviews)

List Price: $39.95
Price: $30.36
You Save: $9.59 (24%)
Customers Who Bought This Item Also Bought

  • Managing Security with Snort and IDS Tools, by Christopher Gerg: 4.6 out of 5 stars (9), $30.36
  • Snort IDS and IPS Toolkit (Jay Beale's Open Source Security), by Brian Caswell, Jay Beale and Andrew R. Baker: 4.5 out of 5 stars (4), $32.97
  • Snort for Dummies, by Charlie Scott: 4.0 out of 5 stars (3), $26.99
  • Network Security Assessment: Know Your Network, by Chris McNab: 4.3 out of 5 stars (21), $27.04
  • Network Warrior, by Gary A. Donahue: 4.7 out of 5 stars (37), $29.69

Editorial Reviews

Product Description
If you are a network administrator, you're under a lot of pressure to ensure that mission-critical systems are completely safe from malicious code, buffer overflows, stealth port scans, SMB probes, OS fingerprinting attempts, CGI attacks, and other network intruders. Designing a reliable way to detect intruders before they get in is an essential--but often overwhelming--challenge. Snort, the de facto open source standard among intrusion detection tools, is capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis as well as content searching and matching. Snort can save countless headaches; the new Snort Cookbook will save countless hours of sifting through dubious online advice or wordy tutorials in order to leverage the full power of Snort. Each recipe in the popular and practical problem-solution-discussion O'Reilly cookbook format contains a clear and thorough description of the problem, a concise but complete discussion of a solution, and real-world examples that illustrate that solution. The Snort Cookbook covers important issues that sysadmins and security pros will use every day, such as:
  • installation
  • optimization
  • logging
  • alerting
  • rules and signatures
  • detecting viruses
  • countermeasures
  • detecting common attacks
  • administration
  • honeypots
  • log analysis
But the Snort Cookbook offers far more than quick cut-and-paste solutions to frustrating security issues. Those who learn best in the trenches--and don't have the hours to spare to pore over tutorials or troll online for best-practice snippets of advice--will find that the solutions offered in this ultimate Snort sourcebook not only solve immediate problems quickly, but also showcase the best tips and tricks they need to become security gurus--and still have a life.

About the Author
Orebaugh has worked in information technology for 10 years. She is currently an Associate at Booz Allen Hamilton in the Washington, DC metro area. She is a graduate of James Madison University with a masters in computer science, and she is currently pursuing her Ph.D. with a concentration in information security at George Mason University.

Babbin works as a contractor with a government agency filling the role of Intrusion Detection Team Lead. He has worked in both private industry as a security professional and in government space in a variety of IT security roles. He is a speaker at several IT security conferences and is a frequent assistant in SANS Security Essentials Bootcamp, Incident Handling and Forensics courses.

Product Details

  • Paperback: 400 pages
  • Publisher: O'Reilly Media, Inc.; illustrated edition (March 29, 2005)
  • Language: English
  • ISBN-10: 0596007914
  • ISBN-13: 978-0596007911
  • Product Dimensions: 8.9 x 6.9 x 0.8 inches
  • Shipping Weight: 15.5 ounces
  • Average Customer Review: 4.0 out of 5 stars (5 customer reviews)
  • Amazon.com Sales Rank: #271,329 in Books

    Popular in these categories:

    #30 in  Books > Computers & Internet > Networking > Network Programming
    #38 in  Books > Computers & Internet > Hardware > Internet & Networking
    #98 in  Books > Computers & Internet > Networking > Networks, Protocols & APIs > LAN

Customer Reviews

5 Reviews
5 star: (1)
4 star: (3)
3 star: (1)
2 star: (0)
1 star: (0)

Average Customer Review: 4.0 out of 5 stars (5 customer reviews)

Most Helpful Customer Reviews

17 of 18 people found the following review helpful:
3.0 out of 5 stars Good information overshadowed by outdated or poor advice, August 9, 2005
I read the Snort Cookbook because I am always trying to learn more about Snort. I've read almost every book on the open source intrusion detection system, so I hoped the Snort Cookbook might offer advice not found elsewhere. Unfortunately, whatever good material appears in the book is overshadowed by outdated or outright bad advice. The best Snort book is still Syngress' Snort 2.1, so I recommend reading that title.

The Snort Cookbook starts poorly with ch 1, which at 50 pages is the book's largest. After repeating installation instructions covered in online resources, the book turns to dubious packet collection recommendations. Item 1.10 suggests creating a listen-only Ethernet cable but never mentions disabling ARP traffic with ifconfig's -arp option. Item 1.11 describes how to build a homebrew tap but doesn't address signal regeneration problems that could result in traffic loss.

Item 1.12 gives terrible advice: "If your Snort machine has only one network interface, using the passive tap, run both lines to a small hub. Then from another port of the hub, run a cable to your IDS. This will combine and maybe even buffer the traffic for the IDS and give a full duplex connection." Wrong -- this is a nice way to never see traffic when full-duplex packets from the two transmit lines collide in the hub.

Item 1.14 says "Snort itself is incapable of sniffing a wireless network," but it ignores the fact that while Snort doesn't understand 802.11 traffic, the sensor can join a wireless network and interpret what it sees. Item 1.15 demonstrates more ignorance of hardware issues by saying "Linux-compatible gigabit Ethernet cards are available with up to six ports. Coupled with machines that have space for three or four PCI cards, you could have as many as 24 Ethernet ports." This suggestion completely ignores the fact that a single gigabit NIC will saturate a 32 bit, 33 MHz PCI bus, and many BIOSes will not be able to handle interrupts from more than about 8 NICs in a PC.

Item 1.25 says "two to four million records is the max for MySQL," which is odd. One MySQL database I use to collect session data on Sguil has over 31 million records. Item 1.25 also covers the often-repeated and incredibly naive method of having Snort log directly to a database, without utilizing Barnyard as an intermediary. Thankfully we see Barnyard covered in ch 2, but recommended for "high-speed network[s], such as 1 Gbps or greater." Barnyard is definitely appropriate when monitoring at less than gigabit speeds.

Throughout the book, the obsolete ACID Web-based alert console appears. BASE has been available since October 2004; it addresses stale code problems in ACID and should have been covered. I was disappointed to see the Sguil suite mentioned but never given any discussion, even though the older Snort 2.1 book introduces using Sguil. Item 4.2 mentions "RST scans" even though they are a fiction of one security researcher's imagination. Item 6.6 claims to offer ways to test Snort by showing three programs (Snot, Sneeze, Stick) that have had little effect on modern Snort implementations (e.g., 2001 on).

On the positive side, in many cases the Snort Cookbook properly addresses questions which frequently appear on the snort-users mailing list. Items 2.15 and 2.16 show how to send Snort alerts to email, a pager, or cell phone using Syslog and Swatch. Item 3.2 discusses rule updates with Oinkmaster. Rule issues in ch 3 were generally helpful, like dynamic rules (3.4), evasion issues (3.10), optimization (3.13), and even Spade (3.18). Perfmon coverage in items 4.6 and 7.0 helps discover how well Snort is working. I also liked the policy-based IDS ideas in item 7.5.

The back cover of the Snort Cookbook says the book "can save you countless hours of sifting through dubious online advice or wordy tutorials." That online advice is frequently more correct than what appears in this book. While some of the book is helpful, often that material has already been introduced in online documentation or best covered in Syngress' Snort 2.1. Perhaps a second edition will address the concerns in this review and produce a more useful cookbook for future readers.
5 of 6 people found the following review helpful:
4.0 out of 5 stars rules are the core of Snort, April 24, 2005
By W Boudville (Terra, Sol 3)
The core of this book is the chapter on Rules and Signatures. Snort is renowned for its rule language and its vast flexibility. It is a reasonably high level "script" that seems more declarative than procedural. Ok, I'm speaking a little figuratively, but if you scan the rules, you might see what I mean. The chapter explains how to build rules of varying levels of complexity, depending on your needs. One neat trait is the profuse range of options for detecting traffic around the machine running Snort.

Of course and inevitably, the default rules base has grown and it is regularly updated. Currently, these defaults number some 3000, and few sysadmins have the expertise to understand all of them. So one recipe tells you how to get and run an updater program (Oinkmaster), though you are cautioned about letting it change your rules automatically.

Other recipes expand upon the rule scope in interesting ways, like looking for p2p or Instant Messaging traffic. You might be responsible for a corporate network that bans these, perhaps. Here is a simple way to show a supervisor how you can stay on top of the problem.
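As an added illustration of the rule language the review above describes (this is not code from the book, from its authors, or from the Snort project), here is a small Python matcher for a subset of Snort's rule syntax, run over constructed packets. It parses the rule header and the content, offset, depth, nocase and pcre options exactly as Snort reads them, and shows rules of increasing complexity for the instant-messaging and peer-to-peer detection the reviewer mentions. The network variables, local SIDs, rule text, addresses and payloads are all assumptions made for this example; only the matching semantics follow Snort.

```python
"""Tiny Snort-style rule matcher: an added example, not code from the Snort Cookbook. Supports the
rule header plus content/offset/depth/nocase/pcre; flow, msg, sid etc. are kept as metadata only."""
import ipaddress
import re

VARS = {"$HOME_NET": ["10.0.0.0/8"], "$EXTERNAL_NET": ["!$HOME_NET"]}   # constructed for the example
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$", re.S)
OPTION_RE = re.compile(r'(\w+)\s*(?::\s*("[^"]*"|[^;]*))?\s*;')   # one "name[:value];" option

def _parse_content(value):
    """Turn a content value such as "*|01|" into bytes: text outside |..| is literal, inside is hex."""
    out = bytearray()
    for i, chunk in enumerate(value.strip('"').split("|")):
        out += bytes.fromhex(chunk) if i % 2 else chunk.encode("latin-1")
    return bytes(out)

def parse_rule(text):
    """Parse one rule line into a dict: header fields, content list, compiled pcre list, metadata."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unparseable rule: " + text)
    action, proto, src, sport, dst, dport, body = m.groups()
    rule = {"action": action, "proto": proto.lower(), "src": src, "sport": sport,
            "dst": dst, "dport": dport, "contents": [], "pcre": [], "meta": {}}
    for name, val in OPTION_RE.findall(body):
        val = val.strip()
        if name == "content":
            rule["contents"].append({"bytes": _parse_content(val), "offset": 0, "depth": None, "nocase": False})
        elif name in ("offset", "depth") and rule["contents"]:   # modifiers apply to the last content
            rule["contents"][-1][name] = int(val)
        elif name == "nocase" and rule["contents"]:
            rule["contents"][-1]["nocase"] = True
        elif name == "pcre":                                       # "/regex/flags" -> bytes regex
            regex, _, flags = val.strip('"')[1:].rpartition("/")
            rule["pcre"].append(re.compile(regex.encode("latin-1"),
                                           sum({"i": re.I, "s": re.S, "m": re.M}.get(f, 0) for f in flags)))
        else:
            rule["meta"][name] = val.strip('"')
    return rule

def _addr_match(spec, ip):
    if spec.startswith("!"):
        return not _addr_match(spec[1:], ip)
    if spec in VARS:
        return any(_addr_match(s, ip) for s in VARS[spec])
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_match(spec, port):
    lo, sep, hi = spec.partition(":")   # "6881:6889", ":1024" and "1024:" are all valid ranges
    return spec == "any" or (int(lo or 0) <= port <= int(hi or 65535) if sep else port == int(spec))

def _content_match(c, payload):
    # Snort semantics: the whole pattern must lie inside payload[offset:offset+depth].
    window = payload[c["offset"]:][:c["depth"]]
    needle = c["bytes"]
    return needle.lower() in window.lower() if c["nocase"] else needle in window

def rule_matches(rule, pkt):
    """pkt is a dict with proto, src, sport, dst, dport and a bytes payload."""
    header_ok = (rule["proto"] == pkt["proto"]
                 and _addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])
                 and _addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"]))
    return (header_ok and all(_content_match(c, pkt["payload"]) for c in rule["contents"])
            and all(p.search(pkt["payload"]) for p in rule["pcre"]))

def run(rules, packets):
    """Return (sid, msg) for every rule that fires, in packet order."""
    return [(r["meta"].get("sid"), r["meta"].get("msg"))
            for pkt in packets for r in rules if rule_matches(r, pkt)]

# Constructed rules with local SIDs, in increasing order of complexity: header only; header plus a
# payload byte check (an OSCAR FLAP frame starts with "*", channel 1 is sign-on); content plus a
# regex (MSN opens with "VER <trid> MSNP.."); and a port-independent BitTorrent handshake match.
RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"CHAT AIM login port"; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 (msg:"CHAT AIM FLAP sign-on"; content:"*|01|"; '
    'depth:2; sid:1000002; rev:1;)',
    r'alert tcp $HOME_NET any -> $EXTERNAL_NET 1863 (msg:"CHAT MSN version negotiation"; content:"VER "; '
    r'depth:4; nocase; pcre:"/^VER \d+ MSNP/i"; sid:1000003; rev:1;)',
    'alert tcp any any -> any any (msg:"P2P BitTorrent handshake"; content:"|13|BitTorrent protocol"; '
    'depth:20; sid:1000004; rev:1;)',
]

def _pkt(src, sport, dst, dport, payload):
    return {"proto": "tcp", "src": src, "sport": sport, "dst": dst, "dport": dport, "payload": payload}

PACKETS = [   # constructed, using documentation address ranges
    _pkt("10.1.2.3", 49152, "203.0.113.5", 5190, b"*\x01\x00\x01\x00\x04\x00\x00\x00\x01"),  # AIM sign-on
    _pkt("10.1.2.4", 49153, "198.51.100.9", 1863, b"VER 1 MSNP8 CVR0\r\n"),                   # MSN
    _pkt("10.1.2.5", 6881, "203.0.113.7", 51413, b"\x13BitTorrent protocol" + bytes(8) + b"h" * 40),
    _pkt("10.1.2.6", 49154, "203.0.113.8", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),  # TLS: quiet
    _pkt("10.1.2.7", 49155, "10.1.2.8", 5190, b"*\x01"),   # inside-to-inside: not $EXTERNAL_NET, stays quiet
]

def demo():
    return run([parse_rule(r) for r in RULES], PACKETS)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Running it fires the two AIM rules on the first packet, the MSN rule on the second and the BitTorrent rule on the third, while the TLS packet and the inside-to-inside AIM packet produce nothing: the last case is why Snort rules are normally written against $HOME_NET and $EXTERNAL_NET rather than `any any`, and why the reviewer's caution about letting an updater rewrite a tuned rule set is worth heeding. The matcher deliberately ignores flow (it has no TCP state), so a real Snort rule with flow:to_server,established would be stricter than what is shown here.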
2 of 3 people found the following review helpful:
4.0 out of 5 stars Snort Cookbook a second glance!, September 28, 2005
By PcolaLUG (Pensacola, Florida)
Snort Cookbook, O'Reilly
by: Orebaugh, Biles & Babbin

What can I say? Designing a reliable detection system is a challenge at best.
This book makes it seem easy! I thought this was the best layout of a tech book I have ever seen:
Problem > Solution > Discussion. They gave you the information in a precise way without overloading you
with material you did not need. The Rules section was especially useful...
The only downside is I wanted to see more on rules with samples.
Overall this was a very useful book. I already had Snort in place; this made it much more useful.

Brett Hoff
Most Recent Customer Reviews

5.0 out of 5 stars It's a Rough World Out There
When the Internet was being set up, who could have possibly believed just how unfriendly a place it was going to be out there.
Published on May 25, 2005 by John Matlock

4.0 out of 5 stars Good but not a tutorial
Actually, probably everything you'd need for a tutorial is in here; it just isn't put in one place up front.
Published on May 20, 2005 by Anthony Lawrence

© 1996-2009, Amazon.com, Inc. or its affiliates