Saturday, September 22, 2007

Review of Snort IDS and IPS Toolkit and One Prereview

Amazon.com just posted my three star review of Snort IDS and IPS Toolkit. From the review:

Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Syngress followed with "Snort 2.1" in May 04, and I gave it a four star review in Jul 04. I recommend reading those reviews, since the latest edition -- "Snort IDS and IPS Toolkit" (SIAIT) -- makes many of the same mistakes as its predecessors. Worse, it includes material that was already outdated in BOTH previous editions. If you absolutely must buy a book on Snort, this edition is your only real choice. Otherwise, I would stick with the manual and online articles.

SIAIT looks impressive page-wise, but it suffers from the multiple-author, no-editing, rush-to-production problems unfortunately inherent in many Syngress titles. One would think that including many contributing authors (11, apparently) would make for a strong book. In reality, the book contributes very little beyond what appears in "Snort 2.1," despite the fact that "only" chapters 8, 10, 11, and 13 appear to be repeats or largely rehashes of older material. Comparing to "Snort 2.1," these compare to old chapters 7, 10, 12, and 11, respectively.

The absolute worst part of this book is the re-introduction of all the outdated information in chapters 8 and 10. It is 2007 and we are STILL reading on p 353 that XML output is "our favorite and relatively new logging format" and on p 367 that "Unified logs are the future of Snort reporting." (I cited both of these as being old news in Jul 04!) I should note that these chapters are not entirely duplicates; if you compare output such as that on page 335 of "Snort 2.1" with page 365 in SIAIT you'll see the author replaced the original 2003 timestamps with 2006! This is the height of lazy publishing. Chapter 10 features similar tricks, where traffic is the same except for global replacements of IP addresses and timestamps; notice the ACK numbers are still the same and the test uses Snort 1.8.
You can read my reviews of Snort 2.1 and Snort 2.0 for reference. If I see Syngress publish another Snort book based on this line of material, I won't bother next time.

On a more positive note, thank you to O'Reilly for sending me a review copy of Security Power Tools. This book looks like it deserves a grunt from Tim the Toolman Taylor. The book appears to have lots of useful information, although why in Pete's name is there a chapter (11) on BO2k? Let it die, already. It's 2007.

2 comments:

Anonymous said...

Hi Richard,

I'm also currently reading "Snort IDS and IPS Toolkit" and can understand the multiple author issue as well as some sloppy editing. For example, in Chapter 3 when discussing installing Snort under Debian, the author suggests that you use "apt-get install snort". Back in June 2007 (after the book was published), the snort package in the Debian repository (sid/unstable) was still v 2.3. Also, unless I'm mistaken, the entire chapter doesn't mention the issue of removing compilers, etc. from production servers, although they mentioned it in a previous chapter. They only mention it as a footnote at the very end of the chapter, where people might overlook it.

I appreciate the fact that they point out that Snort is not multi-threaded and cannot explicitly take advantage of multiple CPUs by itself. However, although they say that you can take advantage of multiprocessor systems by running multiple instances with BPF to direct traffic to each instance, it would have been much nicer if they'd actually given an example of this in real life. Also, the use of BPFs could have been elaborated on.

I have a bunch of other comments and I'm still only in Chapter 4. It's sad that a book that looked so promising isn't turning out to be so. Perhaps you can step in and write your own Snort book :)
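One way to do the multi-instance split the comment above asks for, added here as an example that is neither the book's nor the blog's own code: each Snort process gets its own log directory and a BPF expression for one slice of the traffic. Because `net X` matches a packet when either endpoint is in X, a packet between two monitored subnets would otherwise land in two instances, so each slice also excludes the subnets claimed by earlier slices and a final catch-all takes whatever is left. The config path, interface and subnets are assumptions.

```shell
#!/bin/sh
# Constructed example: one Snort instance per traffic slice, since Snort
# itself is single-threaded. Paths, interface and subnets are assumptions.
SNORT_CONF=/etc/snort/snort.conf
IFACE=eth0
LOGBASE=/var/log/snort

# bpf_for_slice INDEX NET... : print the BPF expression for slice INDEX.
# Slice i (i < number of subnets) gets "net N_i" minus every earlier subnet,
# so a packet between two monitored subnets matches exactly one slice.
# Slice INDEX == number of subnets is the catch-all for unlisted traffic.
bpf_for_slice() {
    idx=$1; shift
    filter=""      # expression for the requested slice
    exclude=""     # "net A or net B ..." for subnets assigned to earlier slices
    i=0
    for net in "$@"; do
        [ "$i" -eq "$idx" ] && filter="net $net"
        [ "$i" -lt "$idx" ] && exclude="${exclude:+$exclude or }net $net"
        i=$((i + 1))
    done
    if [ -z "$filter" ]; then
        echo "not ($exclude)"
    elif [ -n "$exclude" ]; then
        echo "$filter and not ($exclude)"
    else
        echo "$filter"
    fi
}

# start_slices NET... : launch one Snort per subnet plus one catch-all.
# -c config, -i interface, -l per-instance log directory; the trailing
# argument is the BPF expression that selects this instance's traffic.
start_slices() {
    count=$(($# + 1))
    i=0
    while [ "$i" -lt "$count" ]; do
        mkdir -p "$LOGBASE/slice$i"
        snort -c "$SNORT_CONF" -i "$IFACE" -l "$LOGBASE/slice$i" \
              "$(bpf_for_slice "$i" "$@")" &
        i=$((i + 1))
    done
}

# Usage (assumed subnets):  start_slices 10.0.1.0/24 10.0.2.0/24
```

Each instance reassembles only the sessions routed to it, which is why the split is done per subnet rather than per packet direction.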

Anonymous said...

I guess I agree with your reviews. There are a couple of chapters, however, which have some new and very interesting content. The chapter on data analysis for example, seems to be updated. Even the installation of Sguil has been updated. I couldn't find a more up to date manual anywhere. Also the new approaches of data analysis that are presented are very refreshing and interesting.