Publisher: Prentice Hall PTR
When taking a look at the most used security tools, one of the most popular and praised ones is surely Snort. This heavily used product is an open source Network Intrusion Detection System (NIDS) and is available to anyone without any cost. The book I'm taking a look today is a guide through the Snort installation and usage the complete web server environment comprising of Apache, MySQL, PHP and ACID.
About the author
Rafeeq Ur Rehman received his bachelor and masters degrees in Electrical and Computer Engineering from the University of Engineering and Technology, Lahore. He has more than nine years of experience in UNIX system and network administration and TCP/IP. His interests include Linux, network protocols, and embedded systems programming. He is also a contributing writer for SysAdmin Journal and Linux Journal.
An interview with Rafeeq Ur Rehman is available here.
Inside the book
The book opens with a very brief IDS overview, with the purpose of just introducing the readers with the main components of an intrusion detection system. Here, the readers are introduced with some Snort specifics, such as the main components of this security system, as well as the general theory behind the intrusion detection systems. This first chapter also hosts one page long checklist discussing the steps of protecting the IDS itself.
Second chapter of the book features the topics surrounding Snort installation and some beginner usage. Snort can be used on its own, but the purpose of this book is to present one comprehensive system that utilizes the mentioned products for creating the web-based access to the Snort database. The MySQL database is used for storing the alerts Snort is actively producing, Apache is used as a web server, PHP is used as a link between the web server and the database and finally, Analysis Control for Intrusion Detection (ACID) is a PHP based package that offers the possibility of viewing and analyzing Snort's data through a web browser. Throughout the next 50 pages, the author covers all the needed steps in the successful Snort installation - from the initial download, over possible errors to the alert modes.
From anti virus scanners to firewalls, rules or signatures provide the most important base for effective attack detection. Because the rules are so important, Mr. Rehman gives them the spotlight in the third chapter. He notes that although Snort rules operate on the network and transport layer protocols, there are methods to detect anomalies in data and application layer protocols as well. Besides this kind of trivia, the author really succeeded into defining basically all the topics related to Snort's rules. As regards the process of writing the the new rules, author notes that there is a large list of predefined rules bundled with the Snort installation, so just by looking them, reader should understand how to write good rules.
As preprocessors and output modules are very important parts of the Snort infrastructure, the fourth chapter deals with their functions. After the packet is captured, it gets passed through the preprocessors so it can be ready for further usage. Following this opening procedure, the packet is closely examined by the detection engine where it is taken against the rules. Now, the program decides what kind of a message should be generated and uses the output modules to finalize the procedure. This chapter talks just about this, with scopes on important parts of this process.
After making the reader familiar with the way Snort does its job, it is time to examine the integration with the tools mentioned in the book's title. Snort can work with any ODBC compliant database, but because MySQL works perfectly in the Linux environment and is freely available for download, author focuses Snort's logging features via this database. Even if you are unfamiliar with MySQL, the author's guide on setting up Snort to work with this database will provide a great read, as the author details all the steps starting with creating the needed tables to optimizing the individual tables. The MySQL coverage is even strengthened with the addition of one of the book's appendixes that is intended for new MySQL users. In the same manner the author deal with the database, he presents the readers with ACID and SnortSnarf usage guides.
In the ending chapter of the "Intrusion Detection with SNORT", the author congratulates the readers on the newly built Snort system and presents some additional tools that could come quite handy. These tools include: Microsoft Windows based IDS Manager, SnortSam and Easy IDS.
Over and out
I presume if you are interested in the contents of this book, you are either a Snort user or someone that finally decided to take their chance and install this quality product. I would suggest this book the latter types - the ones that either installed Snort and stopped there because it was a little bit "complicated", or to those that always like to be sure that when they start installing something, the final result will be 100% successful.
Don't let the word "advanced" that is used in the book's title confuse you, as the advanced part of the book is that it covers the technique of implementing Snort logging to the MySQL database with a web based interface. This is indeed a nice book, especially when taking a look from the new Snort user's perspective.
For the end, I should note that the text of this book is open source licenced.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.