BKINDTSN.RVW 20030901
"Intrusion Detection with Snort", Jack Koziol, 2003, 1-57870-281-X,
U$45.00/C$69.99/UK#32.99
%A Jack Koziol
%C 201 W. 103rd Street, Indianapolis, IN 46290
%D 2003
%G 1-57870-281-X
%I Macmillan Computer Publishing (MCP)
%O U$45.00/C$69.99/UK#32.99 800-858-7674 info@mcp.com
%O http://www.amazon.com/exec/obidos/AS...bsladesinterne
http://www.amazon.co.uk/exec/obidos/...bsladesinte-21
%O http://www.amazon.ca/exec/obidos/ASI...bsladesin03-20
%P 340 p.
%T "Intrusion Detection with Snort"
Chapter one is a good introduction to the basics of intrusion
detection, although it is odd that the list of detection methods is
missing some important entries, such as heuristic rule-based and
statistical methods. The background overview of Snort, in chapter
two, describes alerts, related applications, and even has
recommendations for sensor net architecture. Most of the content in
regard to the components of Snort, in chapter three, deals with the
preprocessors, and various attack signatures. Chapter four's advice
about planning for the installation of Snort is broadly based,
addressing policy, architecture, and even incident response, but the
material is quite abstract, and could have benefitted from more
practical examples. Some of these missing considerations are dealt
with in chapter five, which looks at hardware and operating system
factors. The text concentrates on server and sensor performance, but
also addresses the network connection. Directions on building a Snort
server under Red Hat Linux version 7.3 are given in chapter six. The
sensor and console instructions are provided in chapters seven and
eight, respectively. A few optional architectures are described in
chapter nine.
Chapter ten deals with tuning various rulesets and components in order
to reduce the level of false alarms. Creating real-time alert systems
is discussed in chapter eleven. Chapter twelve is a major one,
outlining the creation and modification of rules for filtering and
analyzing traffic. Chapter thirteen is supposed to be about upgrading
and maintaining Snort, but concentrates on ancillary management tools.
Advanced or unusual configurations of Snort are described in chapter
fourteen.
The book is generally lucidly written and easy to study, but it
contains many typographical errors and a great deal of clumsy wording
in the text. Better copy editing would have improved readability, as
well as confidence in the reliability of various commands and
settings. However, the meaning is usually clear, even if the
expression is sometimes jarring. For those planning to use Snort,
this should be a serviceable introduction.
copyright Robert M. Slade, 2003 BKINDTSN.RVW 20030901
--
======================
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@sun.soci.niu.edu
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
or mirror http://sun.soci.niu.edu/~rslade/
CISSP refs: [Base URL]mnbksccd.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
Security Educ.: http://groups.yahoo.com/group/comseced/
Review mailing list: send mail to techbooks-subscribe@egroups.com