Snort 2.1 Intrusion Detection, Second Edition Review

Average Reviews:

(More customer reviews)Are you looking to buy Snort 2.1 Intrusion Detection, Second Edition? Here is the right place to find the great deals. we can offer discounts of up to 90% on Snort 2.1 Intrusion Detection, Second Edition. Check out the link below:

>> Click Here to See Compare Prices and Get the Best Offers

Snort 2.1 Intrusion Detection, Second Edition ReviewSyngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Excerpts from that review appear on the back cover and first page of "Snort 2.1," published only 14 months later. I still think "Snort 2.1" is overall the best Snort book available, but I was disappointed by signs of rushed production and lack of coverage of key Snort features.
The table of contents for "Snort 2.1" is deceiving, as it is almost exactly the same as "Snort 2.0." However, the new book is almost 200 pages larger than its predecessor, with many internal modifications. Chapters 1, 2, 3, 4, 9, 11, 12 and 13 are either completely new or substantially new. Chapters 5, 6, 7, 8, and 10 are either partial rewrites or have some material added or dropped. Despite all of this work, "Snort 2.1" fails to spend time on key subjects, which I will mention during a chapter-by-chapter examination of the book.
First, I recommend skipping ch 1. Aside from some general IDS advice, it is haphazard and contributes nothing to the core Snort discussion. Ch 2 is a quick overview of Snort capabilities, and should have been the lead chapter. Ch 3 describes Snort installation, but suffers apparently swapped figures (3.1 and 3.2) and a wrong figure (3.5). Ch 3 is still a nice upgrade from its counterpart in "Snort 2.0," which gave hints for deploying Snort on Red Hat Linux 8.0. The new ch 3 covers Linux, OpenBSD, and Windows.
Ch 4, "Inner Workings," is one of the reasons "Snort 2.1" has an advantage over the competition. It's tough to go wrong when Snort's developers describe the tool's operation. Still, signs of rough editing appear on p. 170 and 191, and the "-a cmg" switch should be "-A cmg".
Ch 5 covers rules, and is a big disappointment. For most users, rules are the primary means to customize Snort. Like "Snort 2.0," ch 5 fails to help readers with some of the more important new Snort rule options, like byte_test, byte_jump, distance, and within (available since 2.0.rc1 in Mar 03). Ch 5 implies on p. 145 that running Snort with -v is a good idea, despite every other recommendation in the book that verbose mode is a performance killer. Also, the IP "sec" option mentioned on p. 205 is not "IPSec" -- see RFC 791. Overall, ch 5 spends too much time restating rule information found in Snort's manual, and not enough time on features available even in Snort 2.0.
Ch 6's discussion of preprocessors is a solid chapter, with new material on Snort's flow module, http_inspect, and perfmonitor. The telnet preprocessor section is one of the better examples of a "code walkthrough," where the author shows code while explaining what it does.
Ch 7 is really showing its age. "Snort 2.0" was behind the times when it said "Unified logs are the future of Snort reporting," and "Snort 2.1" makes the same mistake. Barnyard, a means to read unified logs, was available in Sep 01! Ch 7 also misses the boat on XML output, calling it "our favorite and relatively new logging format" on p. 322. The XML plug-in spo_xml wasn't even part of snort-2.0.0, never mind snort-2.1.0. Basic research would have revealed Joe McAlerney's announcement of Silicon Defense's snort-idmef XML plug-in in Jun 01, followed by Sandro Poppi's assumption of the project in Aug 03. A mention of Barnyard's "XML formatting capabilities" appears in ch 7 on p. 322, yet Barnyard does not offer this natively.
I was happy to see Sguil addressed in ch 8, but sad to see Sguil's use of session and full content data not appreciated for its true worth. Ch 9 does a good job describing Oinkmaster and gives sound advice on avoiding the "not any" rule negation problem. Ch 10 covers really old testing tools like Sneeze, whose stateless operation cannot fool stream4's stateful inspection.
Ch 11, explaining Barnyard, is clearly the book's shining moment. This is the reason I read "Snort 2.1": Barnyard's author, Andrew Baker, describes Barnyard's history, the format of unified logs, and how best to use his contribution to Snort. Bravo. Ch 12 was also very good, using case studies to compare three different "active response" choices. Ch 13 was new but not exceptionally helpful.
I would enjoy seeing three improvements in the third edition. First, thoroughly scrub the book for old information. Watch out for people writing about "Cerebus" or http_decode or offerings from Silicon Defense, whose Web site disappeared in early 2004. Second, tell people to read the excellent Snort manual before reading the book. There's no need to address topics well-covered in the manual, like all of the IP- and TCP-based rule options. Third, ditch the existing rules chapter in favor of two new ones, one explaining principles via existing rules, and one showing advanced rule development.
I still recommend buying this book, but you might guide your reading choices by the comments in this review.Snort 2.1 Intrusion Detection, Second Edition OverviewCalled "the leader in the Snort IDS book arms race" by Richard Bejtlich, top Amazon reviewer, this brand-new edition of the best-selling Snort book covers all the latest features of a major upgrade to the product and includes a bonus DVD with Snort 2.1 and other utilities.Written by the same lead engineers of the Snort Development team, this will be the first book available on the major upgrade from Snort 2 to Snort 2.1 (in this community, major upgrades are noted by .x and not by full number upgrades as in 2.0 to 3.0). Readers will be given invaluable insight into the code base of Snort, and in depth tutorials of complex installation, configuration, and troubleshooting scenarios. Snort has three primary uses: as a straight packet sniffer, a packet logger, or as a full-blown network intrusion detection system. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes. Snort uses a flexible rules language to describe traffic that it should collect or pass, a detection engine that utilizes a modular plug-in architecture, and a real-time alerting capability. A CD containing the latest version of Snort as well as other up-to-date Open Source security utilities will accompany the book.Snort is a powerful Network Intrusion Detection System that can provide enterprise wide sensors to protect your computer assets from both internal and external attack. * Completly updated and comprehensive coverage of snort 2.1* Includes free CD with all the latest popular plug-ins* Provides step-by-step instruction for installing, configuring and troubleshooting

Want to learn more information about Snort 2.1 Intrusion Detection, Second Edition?

>> Click Here to See All Customer Reviews & Ratings Now

Read More...

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century Review

Average Reviews:

(More customer reviews)Are you looking to buy Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century? Here is the right place to find the great deals. we can offer discounts of up to 90% on Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century. Check out the link below:

>> Click Here to See Compare Prices and Get the Best Offers

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century ReviewI must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.
I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.
Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.
Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro. Someone who had to read the material in chapters 1 and 2 is not going to understand the Snort discussion, especially when it mentions byte_test, depth, regex, http_inspect, uricontent, Structured Exception Handlers, and 16 line Snort signatures. I liked seeing Bro mentioned, but the people who are going to be able to follow the sample Bro policy scripts on pages 75-78 are not the ones reading this book.
Ch 4 outlines several examples of writing signatures for Snort. This section is actually interesting, but you have to know Snort and certain advanced topics pretty well to get value from this section. Readers need to compensate for the far-too-small screenshots and lack of supporting details while reading the examples. Readers also need to figure out what the author is doing, such as when he sets up a client-side exploit against FlashGet by starting a malicious FTP server with flashget-overflow.pl. By the second example he's dropping warnings like "Had Core's advisory told you from where the size of the call to memcpy was coming, you might have to refine the signature to check for the appropriate behavior; unfortunately, the disassembly left out that argument:" [cue the ASM]. The bottom line with this chapter is this: know your audience, and write for them -- not your buddies. People who can follow contributions like this "at line speed" aren't going to read this book.
By ch 5 the "practical" aspect of this book has been left behind, with a discussion of "proactive intrusion prevention and response via attack graphs, which is really an academically-derived discussion of "topological vulnerability analysis." No one does this in the operational world, and no one will. Pages 143-144 talk about IDMEF, even though that specification died years ago. (There is still an independently-maintained -- as of Feb 09 -- Snort-IDMEF plugin. I don't know anyone in industry using it.)
Ch 6 is a generic overview of using network flows. The only new material is less than a page on IPFIX, which is just a table comparing that newer format with NetFlow. Ch 7 is called "Web Application Firewalls," but it's just an overview. Read Ivan Ristic's Apache Security or Ryan Barnett's Preventing Web Attacks with Apache if you want to know this topic. Ch 7 is titled "Wireless IDS/IPS," which is an even shallower overview than the previous topic. In none of these chapters do we have anything practical nor any intrusions analyzed. Ch 9 discusses physical security, but I didn't think it fit with the intended theme for the book.
I thought chapter 10 was interesting. Geospatial and visualization techniques do have a role in many operations, and ch 10 had the only example of an intrusion analysis. Unfortunately I don't think readers could take ch 10 and implement their own operational system. Ch 11 seemed irrelevant in light of the excellent visualization books by Raffy Marty and Greg Conti.
The book finishes with ch 12, Return on Investment: Business Justification. It was totally unnecessary: cite some regulations, list some breach costs, then compare ROI, NPV, and IRR. Talk a little about MSSPs and cyber liability insurance, then end. If you really want the best discussion of security costs, read Managing Cybersecurity Resources by Gordon and Loeb.
The subtitle for PIA is "Prevention and Detection for the Twenty-First Century." Readers will not find that in PIA. The lead author started with a kernel of a good idea, but the end result does not deliver enough real value to to readers. The lead author's material, and the chapter on Snort signature writing, could have been published as digital Short Cuts, or including in a compendium of chapters in a "survey" book. If you want to read a book intrusion analysis, you're more likely to be satisfied reading a book on intrusion forensics.Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century Overview"Practical Intrusion Analysis provides a solid fundamental overview of the art and science of intrusion analysis." –Nate Miller, Cofounder, Stratum SecurityThe Only Definitive Guide to New State-of-the-Art Techniques in Intrusion Detection and PreventionRecently, powerful innovations in intrusion detection and prevention have evolved in response to emerging threats and changing business environments. However, security practitioners have found little reliable, usable information about these new IDS/IPS technologies. In Practical Intrusion Analysis, one of the field's leading experts brings together these innovations for the first time and demonstrates how they can be used to analyze attacks, mitigate damage, and track attackers. Ryan Trost reviews the fundamental techniques and business drivers of intrusion detection and prevention by analyzing today's new vulnerabilities and attack vectors. Next, he presents complete explanations of powerful new IDS/IPS methodologies based on Network Behavioral Analysis (NBA), data visualization, geospatial analysis, and more.Writing for security practitioners and managers at all experience levels, Trost introduces new solutions for virtually every environment. Coverage includesAssessing the strengths and limitations of mainstream monitoring tools and IDS technologies

Want to learn more information about Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century?

>> Click Here to See All Customer Reviews & Ratings Now

Read More...