Joined: 04 Mar 2003
Posted: Sat Aug 09, 2003 5:42 pm
Post subject: Book Review - Intrusion Detection with Snort
Intrusion Detection with Snort
Author: Jack Koziol
Book Specifications: Soft-cover, 340 pages, no CD-ROM
Category: Intrusion Detection
User Level: Intermediate-Advanced (Knowledge of tcp/ip principles required as well as package installation experience in either Win32 or Linux/BSD/Solaris)
Suggested Publisher Price: $45.00USA/$69.99CAN/£32.99 Net UK (inc of VAT)
Amazon.co.uk: Intrusion Detection with Snort
Amazon.com: Intrusion Detection with Snort
Info from Cover: "Intrusion Detection with Snort is a hands-on guide to designing, installing, and maintaining a Snort deployment in networks of all sizes. Real-world examples that you get through such critical tasks as sensor placement, real-time alerting, and tuning are presented in an easy-to-follow manner that allows you to develop a rapid understanding of how to use Snort"
I had been looking forward to receiving this book as I work in the network security field myself.
One of my primary functions is IDS monitoring and the tweaking of systems such as Snort. I was curious to see how closely my thoughts mirrored those of the author in the setting up and customizing of the open source IDS Snort.
The author Jack Koziol has been working in the network security field since 1998, and has been published in prestigious security magazines such as Information Security Magazine. He currently holds the CISSP qualification, and teaches as well. He has also been responsible for large scale Snort IDS deployments in production environments.
This book is an excellent resource for people who desire to learn how to implement, and use Snort.
The book itself is of a technical nature, as the subject itself indicates. The author has, however, taken great care to make it as palatable as possible to a wide audience of varying skill levels.
The book itself is laid out over 14 chapters and two troubleshooting appendices. Chapter 1 itself provides a nice overview of Intrusion Detection itself. It goes over terminology used today in the industry, and explains the concepts of a malicious hacker attempting to gain entry.
Chapters 2 through 7 deal with Snort itself. These chapters cover Snort pre-processors, packet reassembly, and various Snort output options. You will also be given an introduction to hardware considerations such as span ports, and the chapters cover how to actually build the sensor itself.
Chapters 8 through 11 then cover building the analyst's console, other installation methods, and tuning/reducing false positives, and will also cover real-time alerting options.
Chapters 12 through 14 cover the writing of Snort rules and maintaining Snort, as well as advanced topics such as Intrusion Prevention.
Lastly there are the two appendices which go over troubleshooting, and rule documentation.
Rundown of chapters/sections/contents (I believe to be key)
Chapter 3: Dissecting Snort
This chapter is critical to understanding Snort itself and how it works. Within this chapter you will cover the much misunderstood topic of Snort's pre-processors. Also covered are stream4 and stream4_reassemble. These are key areas to thoroughly understand if you want to get the most out of your Snort sensor.
Chapter 8: Building the Analysts Console
This is a key chapter as well, for it is here that your interface to manage Snort itself and to perform your IDS duties is covered in excellent detail. Within this chapter you will also cover the excellent ACID interface, which allows you to interpret the Snort output in a nice, easy-to-understand GUI.
Chapter 10: Tuning and Reducing False Positives
The bane of every IDS analyst is the false positive. In this chapter the author will show you ways in which to reduce these events. Key areas such as the frag pre-processor and stream4 are covered in detail. Also shown once again is the reason for these pre-processors, and what will trigger them. I advise you to pay special attention to this chapter, and make frequent reference to it.
Chapter 12: Basic Rule Writing
A great many people who use Snort unfortunately do not make use of one of its greatest features: the ability to write your own custom signatures. This topic does require some analytical skills on the part of the IDS analyst. The writing of the rules themselves, though, is very well explained here, and can be grasped very quickly.
Style and Detail
This book was written in a format that I find very appealing. It is almost as if the author himself were speaking to you. This makes for an engaging read, as well as a clear and concise format. There are many screen shots in the book itself which help the reader to visualize the topic being addressed. Also included by the author is command line syntax where required, as well as a program's output. These once again help one to visualize, and also supply a baseline reference for certain commands.
All told, the book is laid out in a clear and concise order of events. This greatly helps the reader understand the book's concepts in an orderly fashion, thus accomplishing what the author intended: a definitive how-to on the usage and maintenance of Snort, and its ancillary topics.
This book is without a doubt an excellent collection of information on Snort put together by the author Jack Koziol. He covers in great detail most every aspect of Snort you may have questions on, and also covers Intrusion Detection itself. Do not be discouraged, though, if you are unable to cover and implement every chapter that the author has written about. He has given a very large amount of information that will take time and practice to digest. That being said, don't assume as a newcomer to the field of intrusion detection systems that this book is for you. You will first need to cover other material such as TCP/IP, as well as become familiar with installing packages on the platform of your choice.
To sum up, I very much recommend this book to both novice and advanced Snort users. There is something in this book for everyone.
I give it an 8 out of 10. It would have been a 9 had the book come with a CD or DVD with all the tools listed in the book on it.
This review is copyright 2003 by the author and Security-Forums Dot Com, and may not be reproduced in any form in any media without the express permission of the author, or Security-Forums Dot Com.