Snort mailing list archives
Re: Snort Tool Evaluation
From: Dirk Geschke <Dirk_Geschke () genua de>
Date: Wed, 29 Sep 2004 09:41:34 +0200
Hi Ty,
> I did read this book actually, and I'm not proclaiming it's a bible or anything. In fact, it's little more than a tool reference, listing switches to the tools and options in the interfaces for third party tools related to snort. But, it does cover a majority of the tools and this was why I was suggesting this to Jo. To get a handle on the tools mentioned in this book related to snort and extract pros and cons for using each one.
But even this is not a good survey at all. Only ACID and SnortCenter are mentioned in some more detail. But most of it covers the topic of how to install it and the basic usage. There are better guides for free out there. The really interesting parts like performance optimization or for example how to use ACID effectively are missing or by far too short. The additional tools for snort IDS management in chapter 12 are mostly only mentioned with a screenshot, covering less than a page for each tool. It does not mention any advantages or disadvantages of the tools at all. This is not really useful except that the tools were mentioned... The author does not even mention the memory mapped version of libpcap for linux. The usage of taps for monitoring a network is limited to one sentence where the existence is stated. The set of rule options is incomplete and does not mention newer ones like byte_test, byte_jump, isdataat, distance, within,.... The given rule options are as precise as the manual coming with snort. So if you don't understand them then this doesn't help you in any sense. The recommendation for most rules and preprocessors is to disable them if they generate too many false positives. Or really funny are the lists where rules are disabled and how to do this: simply put a # at the beginning of a line. But showing 30 lines with a disabled default flow-portscan preprocessor like this is really a waste of paper:

---
...
This preprocessor is disabled by default (it can still be considered as test code).

The lines will look something like this:

# preprocessor flow-portscan: \
#    talker-sliding-scale-factor 0.50 \
#    talker-fixed-threshold 30 \
#    talker-sliding-threshold 30 \
#    talker-sliding-window 20 \
#    talker-fixed-window 30 \
#    scoreboard-rows-talker 30000 \
#    server-watchnet [10.2.0.0/30] \
#    server-ignore-limit 200 \
#    server-rows 65535 \
#    server-learning-time 14400 \
#    server-scanner-limit 4 \
#    scanner-sliding-window 20 \
#    scanner-sliding-scale-factor 0.50 \
#    scanner-fixed-threshold 15 \
#    scanner-sliding-threshold 40 \
#    scanner-fixed-window 15 \
#    scoreboard-rows-scanner 30000 \
#    src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#    dst-ignore-net [10.0.0.0/30] \
#    alert-mode once \
#    output-mode msg \
#    tcp-penalties on
---

This is what I call ugly. And all the other parts are similar to this, there are many printings of default snort.conf passages and so on. Or disabling all preprocessors and rules which would look for traffic which could not pass a firewall is really ugly. Or can you ensure that a firewall works perfectly without any errors?
> I also did read Snort 2.1 Intrusion Detection Second Edition Upgrade and yes, I must concur with and second your opinion. There is no better reference or doc that covers snort in all the ways that an admin needs to know.
Oh, I think there are more good books on snort out there but the O'Reilly book is definitely not a good one. I don't understand O'Reilly here, normally they have very good books and most of the time - like this time - I buy their books blindly. This one is not worth the money...

Best regards

Dirk
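As an added example (not from the thread or from the book), a small Python audit script that joins snort.conf's backslash-continued lines and reports which preprocessor directives are enabled, disabled, or only partly commented out, which is the mistake that creeps in when a 30-line block has to be disabled one # at a time. The sample config is constructed for this example; the sfportscan and stream4 lines are illustrative.

```python
import re

# Constructed sample config: the commented-out flow-portscan block as the
# book prints it (shortened), one enabled preprocessor, and one block where
# only the first physical line carries a '#' (a half-disabled directive).
SAMPLE_CONF = """\
preprocessor stream4: detect_scans, disable_evasion_alerts
# preprocessor flow-portscan: \\
#    talker-sliding-scale-factor 0.50 \\
#    talker-fixed-threshold 30 \\
#    server-watchnet [10.2.0.0/30] \\
#    alert-mode once \\
#    tcp-penalties on
# preprocessor sfportscan: \\
    proto { all } \\
    scan_type { all }
"""

def logical_lines(text):
    """Join backslash-continued physical lines into one logical directive.
    Yields (first_line_commented, mixed_comment_markers, joined_text)."""
    parts, flags = [], []
    for raw in text.splitlines():
        s = raw.strip()
        if not s:
            continue
        flags.append(s.startswith("#"))
        body = s.lstrip("#").strip()
        parts.append(body.rstrip("\\").strip())
        if not body.endswith("\\"):
            yield flags[0], any(flags) != all(flags), " ".join(parts)
            parts, flags = [], []
    if parts:  # file ended inside a continuation
        yield flags[0], any(flags) != all(flags), " ".join(parts)

def audit_preprocessors(text):
    """Return ({name: 'enabled'|'disabled'}, [names with mixed '#' markers])."""
    status, partial = {}, []
    for first, mixed, line in logical_lines(text):
        m = re.match(r"preprocessor\s+([\w-]+)", line)
        if not m:
            continue
        name = m.group(1)
        status[name] = "disabled" if first else "enabled"
        if mixed:
            partial.append(name)
    return status, partial

if __name__ == "__main__":
    st, bad = audit_preprocessors(SAMPLE_CONF)
    for name, s in st.items():
        print(f"{name}: {s}")
    for name in bad:
        print(f"warning: {name} is only partly commented out")
```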