Review: Snort Cookbook

Posted by Jonathan

I bought Snort Cookbook, written by Angela Orebaugh, Simon Biles & Jacob Babbin, back in March, but it was not until yesterday that I read it.


I am disappointed by this book. It presents hints and recipes for installing Snort, managing rules and alerts, administration, and third-party tools in 270 pages. The problem is that many hints are presented twice, only under a slightly different topic. For example, using Snort with MySQL is covered in the logging section and again in the management interface section where ACID is covered, with the same text in both places. And this is not the only time you can find such double entries.

While I’m speaking of ACID, the authors do not tell you that ACID is not actively maintained, and they do not present any references to using BASE. Sguil is only mentioned once as a reference, but it should have made its way into this book if IDScenter, Snort-Center, Snortsnarf, IDS Policy Manager and HenWen are in it.

Also, there are many screenshots and step-by-step instructions on how to install the Windows GUI tools. Does a security person who buys a book about Snort really need a screenshot of how to click on “Finish” when an MSI application is successfully installed?

For me, this and the double entries are just a way to fill pages.

But my biggest complaint is this quote from page 21:

If your Snort machine has only one network interface, using the passive tap, run both lines to a small hub. Then from another port of the hub, run a cable to your IDS. This will combine and maybe even buffer the traffic for the IDS and give a full duplex connection.

This is just so wrong! Due to collisions, your IDS will never see all the traffic. See Richard Bejtlich on this topic.

My conclusion is: stay away from this book. You may learn some good tips, but also many bad ones.
