A Comparison of Snort Books

Title:
Intrusion
Detection with Snort: Advanced IDS Techniques with Snort, Apache,
MySQL, PHP, and
ACIDAuthor:
Rafeed Ur RehmanPublisher:
Prentice HallISBN:
0131407333Title:
Intrusion
Detection with
SnortAuthor:
Jack KoziolPublisher:
SAMsISBN: 157870281xOne indication that an idea's time has come is when two
publications on the topic arrive at the same time. Based on the two
titles reviewed here, it's apparent that Snort is going mainstream.
These two books plus Snort 2.0 Intrusion
Detection and Snort: The Complete Guide to
Intrusion Detection all have been released this
year.Rafeed Ur Rehman' Intrusion Detection with Snort:
Advanced IDS Techniques with Snort, Apache, MySQL, PHP, and
ACID is part of Bruce Peren's Open Source Series. It
reads like a more user-friendly version of the documentation that
comes with Snort or that is accessible through the
Snort Web site. The level
and language of the book and documentation are similar, although
the books assumes less and has more material than a cursory search
of the Web reveals. The book also offers the convenience of having
the information all in one place, along with a table of contents
and an index. Spending $39.99 on this book is a better use of my
resources than spending an afternoon running down similar content
on the Web, printing it, stuffing it into a binder and then
figuring out how all the pieces fit together. Of course, if your
major source of income is a paper route, your mileage will vary. On
a scale of Snort knowledge from zero to 100, this book covers from
10 to 50.Jack Koziol's Intrusion Detection with
Snort covers 30 to 75 on the same scale. This book does
not have as much installation hand-holding as does Rehman's. If you
have installed several packages from source tarballs, this lack
isn't an obstacle. If installing an RPM or .deb package from the
command line is stretching your comfort zone, however, the Rehman
book is better for you. That said, either book will get you up and
running.Koziol's book is much better at explaining the types of
attacks Snort is looking for. For example, Koziol writes (NIDS
stands for Network Intrusion Detection System, a hardware/software
entity that watches all traffic on a network, not only to one
computer):Hackers have discovered numerous methods for
hiding malicious traffic in ways an NIDS cannot detect.
One such method takes advantage of the process that occurs
when a network connection exceeds the maximum allowable size for a
packet. When this situation occurs, the data is split up and sent
in multiple packets. This process is called
fragmentation. When the host receives these
fragmented packets, it must reassemble them to correctly interpret
the data. Different operating systems reassemble the packets in
different orders: Some start with the first packet and work
forward, whereas others do the reverse. Reassembly order is
insignificant if the fragments are consistent and do not overlap as
expected. If the reassembly overlaps, the results differ from each
other, depending on the reassembly order. Choosing the correct
reassembly order to detect a fragmentation attack can be
problematic for NIDSs.This type of detail I can use.One of the differences between these two books lies at the
heart of a controversy surrounding IDSs. Out of the box, Snort does
nothing to increase your security. Someone has to be looking at the
alerts, they have to understand what they are seeing (false alarms
are an unavoidable part of a properly functioning IDS), someone has
to decide how to respond to attacks and compromises (preferably
ahead of time), and Snort needs to be tuned, maintained and
updated. As both books make clear, out-of-the-box Snort definitely
leans towards accepting false alarms (false positives) as part of
the cost of minimizing missed attacks (false negatives).There always is a certain amount of trading off false
negatives for reduced false positives in using Snort. For example,
it is difficult to write signatures that do not trip on legitimate
traffic. This is partly because attackers often try to hide within
legitimate traffic or break up the tell-tale part of the attack
with meaningless noise. This noise can be the fragmentation attacks
described above, inserting comments between or in the middle of
HTML or the TTL trick described below.Another part of the problem is an area where I firmly come
down on both sides of the fence (yes, it's uncomfortable). When
using Snort, all the supplied rules can be enabled, allowing me to
see all the garbage that washes up against my firewall. (Is an
alert about an Microsoft IIS exploit a false positive if I don't
run Windows?) But when all the rules are enabled, the real attacks
can get lost in all the noise; the peaks of the Code Red, Nimda and
MS SQL worm outbreaks saturated my logs. Alternatively, I carefully
can disable rules for attacks on operating systems and servers I am
not running. The Rehman book leans toward the "let me see it all
and I'll sort it out" approach. The greater depth of the Koziol
book is necessary to fully understand the supplied rules and to
write your own rules to minimize the false positives without
letting real threats go undetected.There are two reasons to run Snort, for information (FYI) and
for action (FYA). The solution is to run two instances of Snort
logging to separate syslog facilities. One shows nearly everything,
while the other shows only the threats to which my system may be
vulnerable. Snort is configurable enough at run time to allow this;
that is, the configuration file and syslog facility can be set at
run-time and are not hard coded at compile time.Configuring two Snorts is the easy part. The startup scripts
for double Snorting are a hassle, because they often take care to
not start a dæmon if it already is running. The startproc and
killproc programs should not be used for the second
instance.The other major factor in deciding which Snort book you
should get is whether you need to support Windows. Koziol covers
installing Snort on Windows, and Rehman doesn't. Both authors
recommend against using Windows for Snort itself because of
security concerns. On the other hand, both authors like IDS Policy
Manager, which runs only on Windows. IDS Policy Manager is used for
managing Snort attack signature rule sets. It does not need to run
on the same computer as Snort. All the pieces--Snort, MySQL, PHP
and ACID--run on Windows, Linux and most Unixes. The farther the
Windows machine is from the hostile environment being monitored,
the more acceptable using Windows is. At the level where the IDS
analyst sits, any OS with a graphical Web browser is fine.Koziol targets the industrial-strength audience. He highly
recommends a three-tiered setup: sensors (first tier) connected to
the hostile environment to be monitored feeding a database server
(second tier) through a separate monitoring network. The IDS
analyst (third tier) connects through the monitoring network to the
database server. The separate monitoring network requires an
attacker to compromise the sensor before they can attack the
database or the analyst workstation. Koziol does mention a
single-tier setup and when to use it, basically, only in SOHO
environments. The rest of the book describes three or two-tier
setups, and the single-tier case is left as an exercise for the
reader.Rehman mentions the multi-tier case and gives some examples,
but he basically covers the single-tier case and leaves the
multi-tier case as an exercise for the reader.Both books are well written; the language is clear, easy to
read and transparent. Neither book is a good vacation read, though.
After the first chapter or two, it is best to be within reach of
your computer. I read the Rehman book first, and it was fine for
getting all the pieces installed. I had put off installing ACID (an
IDS analysis tool), because wading through the separate bits of
documentation didn't seem worth the probable benefits. With this
book, installation was a breeze, and I wish I had not waited so
long to get ACID. ACID makes it easy to look at the Snort alerts in
ways you simply don't get from watching the logs. For example, a
slow scan, such as Nmap's paranoid mode, stretches a portscan out
over several days. It is difficult to catch this in the syslogs,
but it's easy to see with ACID.If you need to get serious about IDS, however, you need to
read Koziol. And plan to return to it to tune your system. He not
only describes Snort's parameters, he gives recommended values and
when you might want to adjust them further. He also explains why
you might change them from the default. It is relatively obvious
that ttl is setting a time to live threshold,
but why would you want to change it? Koziol gives the reason:
packets with low ttl values can be inserted in the middle of an
attack to break up the telltale signature. The ttl expires between
the sensor and the target, and the meaningless noise drops out. As
a result, the target sees a different stream of packets than Snort
does. Setting the ttl value to be equal or less than the number of
hops between Snort and the target system lets both see the same
data stream.So which do I recommend? If you have Rehman's book, don't
wait for Koziol's to arrive--install everything. Snort out of the
box generally is better than nothing. When or if you decide to get
serious, get a copy of Koziol's book. If you are in a Windows-only
shop, skip Rehman altogether. Rehman's book is open-source
licensed, so you could print it off the Web if someone else is
paying for the paper and ink. Either book can get you started. Or
read one of the other books, and let us know how it
compares.