[Snort-users] General Snort Help!

Erek Adams erek at ...950...
Tue Jan 21 19:06:03 EST 2003

On Tue, 21 Jan 2003, Lorraine Cannavale wrote:

> Hello, I am very new at the whole Intrusion Detection Process and especially
> snort.
> There is a network administrator here that has installed an IDS utilizing
> snort, etc and is responsible for maintaining the system.
> I was hired by the Security Administrator to help monitor the alerts on a
> daily basis, analyze the data, and help reduce the false positives.
> So, I have the easy job, but I'm having major difficulties understanding
> what the alerts actually mean and deciphering what is a false positive, true
> intrusion, or just an informational alert.  I have read the Snort user
> manual, understand how to read the rules, and have found some information on
> the alerts, but it is still confusing to me.
> Can anyone recommend additional resources that would help me (books, on-line
> manuals, or web sites)?
> I've read emails from the Snort mailing list and this all seems to make a
> lot of sense to everyone else, I'm curious how you all obtained your
> knowledge and if there is anything you can share with me!?


In my opinion, in order of need/usefulness:

TCP/IP Illustrated, Volume 1 The Protocols by W. Richard Stevens
     ISBN 0201633469

Network Intrusion Detection An Analyst's Handbook by  Stephen Northcutt
     ISBN 0735708681

Intrusion Signatures and Analysis by Stephen Northcutt
     ISBN 0735710635

Intrusion Detection by Rebecca G. Bace
     ISBN 1578701856

The rest....  Well, just get on a .edu network and learn.  ;-)

Hope that's of some help!

Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

More information about the Snort-users mailing list