Snort mailing list archives
Re: Snort Tool Evaluation
From: Richard Bejtlich <taosecurity () gmail com>
Date: Wed, 29 Sep 2004 11:54:12 -0400
M Shirk wrote:

> There are differences between 2.0 and 2.1, but not enough to get the [Syngress] 2.1 book.

I disagree. I read and reviewed both 'Snort 2.0' [0] and 'Snort 2.1' by Syngress. [1] From my Amazon.com review of 'Snort 2.1':

'The table of contents for "Snort 2.1" is deceiving, as it is almost exactly the same as "Snort 2.0." However, the new book is almost 200 pages larger than its predecessor, with many internal modifications. Chapters 1, 2, 3, 4, 9, 11, 12 and 13 are either completely new or substantially new. Chapters 5, 6, 7, 8, and 10 are either partial rewrites or have some material added or dropped.'

'Snort 2.1' isn't perfect, but it's still the best available Snort reference outside of the project documentation.

My problem with O'Reilly's 'Managing Snort and IDS Tools' concerns its coverage of Sguil. The authors claim:

"Where connecting to ACID is easy since it is a web-based interface, the only way to get a remote client to connect to a central server is by using an exported X-session (a security no-no)... A daunting installation, poor client model, and lack of many new features make it difficult to recommend Sguil. I advise sticking with ACID."

While I agree that Sguil's installation isn't simple, the O'Reilly "Managing" book mangles Sguil beyond recognition. While it is technically possible to access the Sguil client via an exported X session, that method has never been advocated nor documented. Sguil is inherently a client-server application, where the sguil.tk client (on Windows, UNIX, or OS X) connects through an SSL-encrypted channel to a sguild server (typically on a UNIX variant). The fact that the O'Reilly authors missed this crucial point demonstrates they didn't put the time or effort into understanding Sguil well enough to comment upon it in writing.

The "Managing" authors also fault Sguil for a "lack of many new features" -- when compared to ACID? Only thanks to the BASE project are we seeing any innovation in ACID. [2] The last official ACID release was 0.9.6b23 in Jan 03, aside from CVS updates.

On the positive side, I liked seeing how the "Managing" authors tried to handle asymmetric routing in chapter 13. These sorts of issues deserve more attention.

Sincerely,

Richard
http://www.taosecurity.com

[0] http://www.amazon.com/gp/product/customer-reviews/1931836744/
[1] http://www.amazon.com/gp/product/customer-reviews/1931836043/
[2] http://sourceforge.net/projects/secureideas