Snort 2.0 Intrusion Detection
Author: Brian Caswell, Jay Beale, James C. Foster, Jeremy Faircloth
List Price: $49.95
Publisher: Syngress (February, 2003)
Sales Rank: 3,543
Average Customer Rating: 4.4 out of 5
Customer Reviews
Rating: 2 out of 5
Too many mistakes
The technical content is ok, but I am extremely tired of reading books that contain so many grammatical mistakes that one gets irritated every time a page is turned. This publisher is notorious for this and emails I wrote to them were not answered. This is just not acceptable for an expensive book. Don't they have proofreaders?
Rating: 4 out of 5
The current leader in the Snort IDS book arms race
"Snort 2.0" offers content not found in other books on Snort, such as Tim Crothers' more generic "Implementing IDS" (4 stars) and Rafeeq Rehman's "Intrusion Detection with Snort" (3 stars). I've read the best IDS books, and used IDS technology, since 1998, and "Snort 2.0" is the first to give real insight into an IDS' inner workings. Thanks to the technical knowledge of the author team, "Snort 2.0" earns the reader's appreciation by explaining how and why the open source Snort IDS works its magic.
"Snort 2.0" starts well with a short history of Marty Roesch's favorite project, followed by solid explanations of the key elements of Snort's architecture in ch. 2. The actual workings of the Snort code are expanded upon in ch. 4 (modes), 5 (rules), and 6 (packet handling and preprocessors). One could read these sections and get a real sense of how the stream4 preprocessor works, for example. These sections are augmented by helpful tangents on compiling source code (ch. 3) and updates via CVS (ch. 9). This attention to detail and desire to include related information demonstrate a high level of commitment to the reader's education.
"Snort 2.0" has several technical errors or typos which prevented me from giving a 5-star review. p. 110's diagram of a TCP session should say "SYN, SYN-ACK, ACK", not "SYN, ACK, SYN-ACK". Later on that page, the author claims "The server replies with a SYN/ACK if the port is open, and a SYN/RST if the port is not listening." The correct closed response is "RST/ACK". p. 203 implies one can scan for open ports with the ACK flag set to evade stateless packet filters. This is wrong, as scanning with the ACK flag set only helps host discovery. I found the reprinting of multiple pages of C code unnecessary. I also wished the sections on building preprocessors had started from scratch, rather than explaining an existing preprocessor.
Overall, I found "Snort 2.0" enlightening. The authors have a powerful understanding of the workings of Snort, and apply it in novel ways. "Policy-based IDS" in ch. 12 is one example, while the "rule categorization" chart in ch. 10 is another. Only the Wiley "Deploying Snort 2.0" book, due this fall, has a chance to displace "Snort 2.0" in the Snort-focused IDS book arena.
Rating: 3 out of 5
Useful but pricey
I recommend this book but ... there are numerous (sometimes confusing) copy-editing errors, and the things I'm most interested in (using ACID, using unified logs, and using ACID with unified logs) are the most confusing. Given the length (500 pages) I'm surprised at certain omissions and puzzled why 20 pages are wasted on a program listing (the book comes with a comprehensive CD which includes the book in PDF format).
· Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID
· Inside Network Perimeter Security: The Definitive Guide to Firewalls, Virtual Private Networks (VPNs), Routers, and Intrusion Detection Systems
· Intrusion Detection with Snort
· Stealing the Network: How to Own the Box
· Network Intrusion Detection (3rd Edition)