Content Last Modified on January 13, 2005, at 12:42 AM CST
Title: Managing Security with Snort and IDS Tools
Reviewed by: Gary Smith

Every security administrator must, at some point in their career, stare down the specter of Intrusion Detection. Either that, or drive that long-haul rig from Tucumcari to Bartlesville. Setting up an IDS (Intrusion Detection System) is not an easy proposition, much less getting useful reports out of one. And then there's the cost of an IDS. These beasties usually don't come cheap. What's a security administrator to do, short of buying a seat cushion and a CB for the Peterbilt? Enter Snort and the book by Messrs Cox and Gerg.

This book is not just about Snort, which is a large enough topic in itself, but about many of the ancillary programs that plug into the IDS universe whose center is Snort. For those completely new to IDS in general and to network packet capture, Chapter 2, Network Traffic Analysis, gets the reader acquainted with TCP/IP packets and the fields within them. For the impatient, Chapter 3, Installing Snort, will get you started with Snort and get your feet wet. Since the described installation uses the generic Snort rules file, it will not only get your feet wet, it will be like drinking from a fire hose. Now that your eyes have been opened, the authors take you through the exercise of deploying Snort in Chapter 6. Nobody I know uses the default Snort rules file without modifications. Hence, you are going to want to modify it to suit the purposes of your site, be that at home or at work. Chapter 7 shows you how to create your own Snort rules and how to include other people's rules in your rule set. Like any other computer system, or car for that matter, your Snort IDS will need to be tuned. Chapter 9 is just what the mechanic ordered to get your IDS running smoothly down the Information Superhighway.

Chapters 10 and 11 provide techniques for turning that IDS into an IDS console capable of turning (or churning) out reports for presenting to management when you've discovered that something has gone awry. Finally, Chapter 13 could be titled "Snort on Steroids". This chapter is about using Snort in high-bandwidth situations.

Things I really liked about this book: Each chapter has a section at the end called "Sites of Interest." This handy little section has URLs for programs, papers, or information relevant to the chapter. I thought Chapter 4, Know Your Enemy, was an excellent chapter. It is important to know how the bad guys operate (probe, penetrate, persist, propagate, and paralyze) so you can effectively mount a counter-offensive against them. Snort and other IDS tools are just some of the weaponry at the security admin's disposal.

Something I didn't like about the book: Chapter 2, Network Traffic Analysis, was a little on the thin side. I have both Stephen Northcutt's book and Richard Stevens's book for references on network traffic analysis and TCP/IP, but not everyone trying to do intrusion detection may have these handy.

Overall, this is an excellent book on the subject of getting Snort up, running, and delivering useful information. Messrs Cox and Gerg are to be congratulated on producing a great book on Snort and other related IDS tools. This book will make an excellent addition to any security administrator's library.