BKINDTSN.RVW   20030901

"Intrusion Detection with Snort", Jack Koziol, 2003, 1-57870-281-X,
U$45.00/C$69.99/UK#32.99
%A   Jack Koziol
%C   201 W. 103rd Street, Indianapolis, IN 46290
%D   2003
%G   1-57870-281-X
%I   Macmillan Computer Publishing (MCP)
%O   U$45.00/C$69.99/UK#32.99 800-858-7674 info@mcp.com
%O   http://www.amazon.com/exec/obidos/ASIN/157870281X/robsladesinterne
  http://www.amazon.co.uk/exec/obidos/ASIN/157870281X/robsladesinte-21
%O   http://www.amazon.ca/exec/obidos/ASIN/157870281X/robsladesin03-20
%P   340 p.
%T   "Intrusion Detection with Snort"

Chapter one is a good introduction to the basics of intrusion detection, although it is odd that the list of detection methods is missing some important entries, such as heuristic rule-based and statistical methods. The background overview of Snort, in chapter two, describes alerts, related applications, and even has recommendations for sensor net architecture. Most of the content in regard to the components of Snort, in chapter three, deals with the preprocessors, and various attack signatures. Chapter four's advice about planning for the installation of Snort is broadly based, addressing policy, architecture, and even incident response, but the material is quite abstract, and could have benefitted from more practical examples. Some of these missing considerations are dealt with in chapter five, which looks at hardware and operating system factors. The text concentrates on server and sensor performance, but also addresses the network connection. Directions on building a Snort server under Red Hat Linux version 7.3 are given in chapter six. The sensor and console instructions are provided in chapters seven and eight, respectively. A few optional architectures are described in chapter nine. Chapter ten deals with tuning various rulesets and components in order to reduce the level of false alarms. Creating real-time alert systems is discussed in chapter eleven.
Chapter twelve is a major one, outlining the creation and modification of rules for filtering and analyzing traffic. Chapter thirteen is supposed to be about upgrading and maintaining Snort, but concentrates on ancillary management tools. Advanced or unusual configurations of Snort are described in chapter fourteen.

The book is generally lucidly written and easy to study, but it contains many typographical errors and a great deal of clumsy wording in the text. Better copy editing would have improved readability, as well as confidence in the reliability of various commands and settings. However, the meaning is usually clear, even if the expression is sometimes jarring. For those planning to use Snort, this should be a serviceable introduction.

copyright Robert M. Slade, 2003   BKINDTSN.RVW   20030901