[Snort-users] Re: Snort Tool Evaluation

Richard Bejtlich taosecurity at ...11827...
Wed Sep 29 08:56:03 EDT 2004

M Shirk wrote:

There are differences between 2.0 and 2.1, but not enough to get the
[Syngress] 2.1 book.


I disagree.  I read and reviewed both 'Snort 2.0' [0] and 'Snort 2.1'
by Syngress. [1]  From my Amazon.com review of 'Snort 2.1':

'The table of contents for "Snort 2.1" is deceiving, as it is almost
exactly the same as "Snort 2.0." However, the new book is almost 200
pages larger than its predecessor, with many internal modifications.
Chapters 1, 2, 3, 4, 9, 11, 12 and 13 are either completely new or
substantially new. Chapters 5, 6, 7, 8, and 10 are either partial
rewrites or have some material added or dropped.'

'Snort 2.1' isn't perfect but it's still the best available Snort
reference outside of the project documentation.

My problem with O'Reilly's 'Managing Snort and IDS Tools' concerns its
coverage of Sguil.  The authors claim:

"Where connecting to ACID is easy since it is a web-based interface,
the only way to get a remote client to connect to a central server is
by using an exported X-session (a security no-no)...  A daunting
installation, poor client model, and lack of many new features make it
difficult to recommend Sguil. I advise sticking with ACID."

While I agree that Sguil's installation isn't simple, the O'Reilly
"Managing" book mangles Sguil beyond recognition.  While it is
technically possible to access the Sguil client via an exported X
session, that method has never been advocated nor documented.  Sguil
is inherently a client-server application, where the sguil.tk client
(on Windows, UNIX, or OS X) connects through an SSL-encrypted channel
to a sguild server (typically on a UNIX variant).  The fact that the
O'Reilly authors missed this crucial point demonstrates they didn't
put the time or effort into understanding Sguil well enough to comment
upon it in writing.

The "Managing" authors also fault Sguil for a "lack of many new
features" -- when compared to ACID?  Only thanks to the BASE project
are we seeing any innovation in ACID. [2]  The last official ACID
release was 0.9.6b23 in Jan 03, aside from CVS updates.

On the positive side, I liked seeing how the "Managing" authors tried
to handle asymmetric routing in chapter 13.  These sorts of issues
deserve more attention.

[0] http://www.amazon.com/gp/product/customer-reviews/1931836744/
[1] http://www.amazon.com/gp/product/customer-reviews/1931836043/
[2] http://sourceforge.net/projects/secureideas