[Snort-users] Snort Tool Evaluation

Dirk Geschke Dirk_Geschke at ...1344...
Wed Sep 29 00:51:41 EDT 2004


Hi Ty,

> I did read this book actually, and I'm not proclaiming it's a bible or
> anything.  In fact, it's little more than a tool reference, listing
> switches to the tools and options in the interfaces for third party
> tools related to snort.  But, it does cover a majority of the tools
> and this was why I was suggesting this to Jo.  To get a handle on the
> tools mentioned in this book related to snort and extract pro's and
> con's for using each one.

but even this is not a good survey at all. Only ACID and SnortCenter
are mentioned in some more detail. But most of it covers the topic
how to install it and the basic usage. There are better guides for
free out there.

The really interesting parts like performance optimization or for
example how to use ACID effectively are missing ob by far too short.

The additional tools for snort IDS management in chapter 12 are 
mostly only mentioning additional tools mostly with a screenshot 
and covering less than a page for each tools. It does not mention
any advantages or disadvantages of the tools at all. This is not
really useful except that the tools where mentioned...

The author does not even mention the memory mapped version
of libpcap for linux. The usage of taps for monitoring a
network are limited to one sentence where the existense is
stated.

The set of rule options is incomplete and not mentioning newer
ones like byte_test, byte_jump, isdataat, distance, within,....

The given rule options are as precisely as the manual coming with 
snort. So if you don't understand them then this doesn't help you
in any sense.

The recommendation for most rules and preprocessors are to 
disable them if they generate too much false-positive

Or really funny are the lists where rules are disabled and
how to do this, simply put a # at the beginning of a line.

But showing 30 lines with an disabled default flow-portscan
prepocessor like this is really a waste of paper:

---
... This preprocessor is disabled by default (it can still be
considered as test code). The lines will look something like
this:

# preprocessor flow-portscan: \
#       talker-sliding-scale-factor 0.50 \
#       talker-fixed-threshold 30 \
#       talker-sliding-threshold 30 \
#       talker-sliding-window 20 \
#       talker-fixed-window 30 \
#       scoreboard-rows-talker 30000 \
#       server-watchnet [10.2.0.0/30] \
#       server-ignore-limit 200 \
#       server-rows 65535 \
#       server-learning-time 14400 \
#       server-scanner-limit 4 \
#       scanner-sliding-window 20 \
#       scanner-sliding-scale-factor 0.50 \
#       scanner-fixed-threshold 15 \
#       scanner-sliding-threshold 40 \
#       scanner-fixed-window 15 \
#       scoreboard-rows-scanner 30000 \
#       src-ignore-net [192.168.1.1/32,192.168.0.0/24] \
#       dst-ignore-net [10.0.0.0/30] \
#       alert-mode once \
#       output-mode msg \
#       tcp-penalties on
---

This is what I call ugly. And the whole other parts are similar
like this, there are many printings of default snort.conf passages
and so on.

Or disabling all preprocessors and rules which would look for traffic
which could not pass a firewall is really ugly. Or can you ensure that
a firewall work perfect without any errors? 
 
> I also did read Snort 2.1 Intrustion Detection Second Edition Upgrade
> and yes, I must concurr with and second your opinion.  There is no
> better reference or doc that covers snort in all the ways that an
> admin needs to know.

Oh, I think there are more good books on snort out there but the
O'Reilly book is definitively not a good one. I don't understand
O'Reilly here, normally they have very good books and most of the
time - like this time - I buy their books blindly. This one is not
worse the money...

Best regards

Dirk





More information about the Snort-users mailing list