Snort Books

Introduction

Snort has reached the critical mass where lots of people suddenly decide that a book is needed. There are now 4 Snort books of which I am aware. Since I like Snort and I like books, I decided to read all of them and post my reviews here.

See also these two reviews on Slashdot: Three Snort Books Reviewed, and Intrusion Detection with Snort.

Which book is right for you?

Snort 2.1 offered significant advantages, but no book covers it (yet).

Title Pro Con Verdict
Snort 2.0 Intrusion Detection Covers Snort 2.0 Not much practical implementation advice Great for learning about Snort, not ideal for learning to use Snort
Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID Mid-level practical implementation advice for UNIX/Linux, Open Source book Does not cover Snort 2.0 (especially talks about some output modules that are gone, like SMB and SNMP) Useful for learning how to use Snort, if you are already pretty comfortable with UNIX/Linux
Intrusion Detection with Snort

Snort 2.0 Intrusion Detection

By Jay Beale, James C. Foster, Jeffrey Posluns, Ryan Russell, Brian Caswell, et. al., from Syngress. [Bookpool] [B&N]

In the interest of full disclosure (sorry no 'sploit code available... :-) I should note that one of the authors is a friend of mine. However, given the collaborative nature of the book I'm not 100% sure which parts he wrote. And anyway, I think I have remained objective.

If you want to understand how Snort works and why it works that way, this is the book for you. If you are looking for a practical guide to enterprise deployment, with lots of real-world sample scripts and configurations, you may want to look elsewhere. Having said that, this book helped me understand Snort much better than I did before. There is some excellent discussion and advice on configuring and changing various defaults (especially for the preprocessors) but it's in-line in the text--not called out in "ready to run" sample configuration directives. There is also a lot of discussion of the genesis, evolution and future direction of Snort which will give you a firm understanding on which to base your decision of whether to invest time and effort in Snort. To implement any IDS requires a significant commitment of time and effort (and one way or the other--money) and this book is a great due diligence resource.

Snort can compare and compete successfully against commercial offerings that cost tens of thousands of dollars. This book will "teach you how to fish" with Snort. It does a good job of introducing the concept and details of intrusion detection to beginners without boring the pants off of experienced analysts. There are sections for all skill levels and interests, including some source code listings (inexplicably double-spaced) dissecting how an input plugin works and other sections detailing source code header files to get a flavor for how things work. I especially enjoyed the sections on "Policy-Based IDS," "Inline IDS (Hogwash)," "Optimizing Snort," "Preprocessors" (which is the sample chapter available for free download!) and writing rules. I also liked the included CD-ROM, mostly because it has the entire book on it in PDF. Forget about the hardcopy index--full text searching in Acrobat Reader rules!!!

Finally, in all fairness I must say I was very disappointed with the production quality of this book. I made typographical corrections as I read, and by my count about 10% of the pages had at least 1 typo! Most were very simple (missing or incorrect word), but there were a small number of misplaced spaces or other errors that broke the sample configuration or command. There was a least one references to an appendix that is NOT in my copy of the book, some missing footnotes, and quite a few references to subdirectories or programs that were not on my copy of the CD. I also found some sections choppy and redundant, which is an inherent problem in a collaborative work like this. Still, I'd think the final editing could have smoothed this out more.

I have reported these issues to Syngress and they were very receptive and have promised corrections on the errata web page for the book and in future printings. I suspect they rushed publication following the release of Snort v2, which was itself rushed by the discovery of an "Integer Overflow in Stream4" vulnerability in the code up to the version 2.0.0 beta.


Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID

By Rafeeq Rehman, from Prentice Hall. [Bookpool] [B&N] This is part of Bruce Perens' Open Source [Book] Series and so is freely available in PDF and RTF.

This book is intended to help you install Snort from start to finish. There are a lot more concise and up-to-date guides on the web with the same goal (see my Snort page) but none of them offer as much detail. Which you prefer will depend on your level of experience and general preferences. Having said that, I'm not sure this book has achieved the middle of the road balance for which it seems to be striving. I thought it was a little too high level in some places and a little too detailed in others. But since it's Open Source, you can't possibly lose by downloading it and checking it out. And if you do like it and fine it useful, buy a paper copy to support the Open Source series.

There is nothing in this book you can't find elsewhere, but it is conveniently collected all in one place. There is some useful code, such as startup scripts, but before the electronic version was available that was useless unless you wanted to re-type it. It also has some useful packet header tables in the back.

I thought it could be misleading to newer users however, since it talks about some features that have been removed from the main program, such as SMB and SNMP alerting.

The bottom line on this boot is that you should download it and give it a try. It may not be perfect, but it's a good overall picture of installation. With the addition of more up-to-date materials from the web, you should be up and Snorting in no time


Intrusion Detection with Snort

By Jack Koziol from New Riders. [Slashdot] [Bookpool] [B&N]

I'm only a few pages into this one...


Snort 2.0: The Complete Guide to Intrusion Detection

By Jeff Nathan and Dragos Ruiu from Wiley&Sons. [B&N]

This one seems to have gone away. I ordered it, but I was never charged, and it never shipped and it's "not avilable" at B&N.