Snort Cookbook · 12 September 2005, 07:53 by Admin
Snort is deceptively simple to get started with. On many platforms, you don’t even have to compile anything; you can get current binaries for Linux, Mac OS X and even Windows. Nor do many users have to bother with any configuration: the defaults are often perfectly suitable.
This book presents recipes for those who want to do more. I liked that it gave space to Windows, Linux and Mac issues, but I did find this a bit jumbled and disorganized. To some extent, that’s the nature of “cookbook” style books, and it’s not that there was no attempt at gathering these into major chapter sections like Installation, Logging, etc. I just felt it could have been done better.
I was also a bit disappointed with the coverage of rules in general. Rules are the heart of Snort and this book doesn’t do a very good job explaining them. Snort rules aren’t particularly difficult (see http://packetstormsecurity.nl/papers/IDS/snort_rules.htm for a good intro), and the authors probably just assumed that you are already at least somewhat familiar with them.
On the other hand, there are a lot of useful tips here. I was not previously aware of the “resp:” mechanism which allows you to close of a session that Snort has identified. None of the rules included with Snort use that, and I must not have gotten that far in the docs, so this was news to me. I also was unaware of http://oinkmaster.sourceforge.net/ for rule updates; the Snort site doesn’t mention that. There was more, but these two stand out in my memory.
If you are using Snort, this book might help you get more use out of it.
Taken from http://aplawrence.com