Anyone in information security knows the de facto standard for network intrusion detection is Snort. The problem is that while the documentation for Snort is ok, the documentation for many of the add-on functions, plugins, and associated applications is lacking or non-existent. This book tries to bring together in one place all the things one could want to do with Snort. In a large part, it succeeds.
It does miss a few things along the way, such as management tools like BASE (the replacement for ACID which is not being developed anymore), and sguil. It also tends more to explain how to do things than why to do things, and I believe the section on sensor placement could be expanded. Lastly, I think the portion on legal aspects of intrusion detection and evidence can be expanded, but that might need to be taken with a grain of salt, because I am a legal wonk. To be fair, a book of this type can’t cover everything in great detail.
As someone who does run Snort and has been working on ways to expand some of the data I get to it, it has proven to be a valuable resource which far outweighs the few things I found lacking. It is the only resource of its kind I know to exist. It brings to light some tools which I hadn't thought of using the way it suggests, like perfmonitor and clamav. I came away from reading this book with solid ideas and tools which I plan to add into Snort. If you are looking for solid documentation on Snort and the tools and tricks you can use with it, this is your book.
Crossposted at Ravings of John C. A. Bambenek.