Intrusion Detection with Snort, by Rafeeq Rehman, ISBN 0131407333
Reviewed by: Jim Huddle, CNE5 CBS MCSE ES-RC
Published by: Prentice Hall
Requires: N/A
MSRP: $39.95
The security of an organization's Internet connection
must be one of the primary concerns of the system
administrator. This doesn't just apply to larger
shops, but to the small office/home office (SOHO)
environment and the individual broadband user as
well. While the SOHO and individual user may not
need a high-end, hardware-based firewall, each should
at a minimum be using a router that provides Network
Address Translation (NAT), so that internal addresses are
not directly reachable from the Internet. Anyone who
connects a cable modem or DSL line directly to a PC should
be running some kind of personal firewall. If you don't
think you need protection, take the time to monitor the
traffic arriving at your connection. You may be surprised,
or more likely dismayed, by how much of it is malicious.
If you are curious, or need to monitor multiple outside
connections to your LAN, Intrusion Detection with Snort
will walk you through the setup and use of an Intrusion
Detection System (IDS).
The book was written by Rafeeq Ur Rehman and is
part of the well-known Open Source Series edited by
Bruce Perens. It focuses on setting up the IDS using
Snort, Apache, MySQL, PHP and ACID. While it sounds
intimidating, it's remarkably easy to do following
the book's procedures. The setups cover Linux and
Windows primarily, but I personally don't recommend
using a Windows-based box for any security-based
service.
The book begins with a short but clear explanation of
intrusion detection, the components of Snort, and
how to deal with network hardware (such as switches, which
do not pass every packet to every port) when placing an IDS
sensor. Keep in mind that an IDS of this kind observes and
alerts; it does not block traffic the way a firewall does.
From the second chapter on, it's all about how to set
up Snort and glean information from what Snort actually
detects. The author provides considerable information
on setting up an IDS in various ways. Because of that I
recommend a complete read-through prior to starting the
actual implementation. Depending on your needs for the
IDS, you may need to install and configure the various
parts of the system differently. A read-through will allow
you to note the differences in setup required for various
scenarios. It will also give you a better understanding
of the internals of Snort and of linking it with the
other parts of the system.
While not the focus of the book, the author also shows
how to set up MySQL to work with Snort. It certainly is
not a primer for MySQL, but the procedures given will allow
you to install, set up and use MySQL as a database repository
for the alerts Snort creates. Used with ACID (the Analysis
Console for Intrusion Databases), a PHP-based tool for
presenting Snort data via a web interface, a user-friendly
method for accessing and analyzing the Snort data can be
set up.
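As an added illustration of what "gleaning information from what Snort detects" and the ACID-style summary look like in practice (this is example code written for this review, not code from the book or from the Snort or ACID projects), the script below parses Snort's plain-text "alert_fast" output format and produces per-signature and per-source counts, flags priority-1 alerts, and applies a simple port-sweep heuristic. The alert lines are constructed samples using local-range SIDs (1000001 and up) with made-up messages, not real Snort signatures, and the sweep heuristic is this example's own, not a Snort feature.

```python
import re
from collections import Counter, defaultdict

# Layout of one Snort "alert_fast" line (the Classification field is optional):
#   MM/DD-HH:MM:SS.usec  [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: p] {PROTO} src:sport -> dst:dport
# ICMP alerts carry no ports, so both port groups are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts (local SIDs, documentation IP ranges); the last line is junk
# of the kind that can appear in a log and must be skipped rather than crash the parser.
SAMPLE_ALERTS = """\
03/15-10:22:31.123456  [**] [1:1000001:1] LOCAL inbound SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4433 -> 198.51.100.5:22
03/15-10:22:33.223456  [**] [1:1000001:1] LOCAL inbound SSH connection attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4434 -> 198.51.100.5:22
03/15-10:22:35.323456  [**] [1:1000002:1] LOCAL inbound ICMP echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.10 -> 198.51.100.5
03/15-10:23:01.000001  [**] [1:1000003:2] LOCAL inbound SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:51000 -> 198.51.100.5:21
03/15-10:23:01.000002  [**] [1:1000003:2] LOCAL inbound SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:51001 -> 198.51.100.5:23
03/15-10:23:01.000003  [**] [1:1000003:2] LOCAL inbound SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:51002 -> 198.51.100.5:25
03/15-10:23:01.000004  [**] [1:1000003:2] LOCAL inbound SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:51003 -> 198.51.100.5:80
03/15-10:23:01.000005  [**] [1:1000003:2] LOCAL inbound SYN to unused port [**] [Priority: 3] {TCP} 203.0.113.7:51004 -> 198.51.100.5:110
03/15-10:24:10.500000  [**] [1:1000004:1] LOCAL inbound SQL Server UDP probe [**] [Classification: Misc Attack] [Priority: 1] {UDP} 198.51.100.77:1434 -> 198.51.100.5:1434
this line is not an alert and is skipped by the parser
"""


def parse_alert(line):
    """Parse one alert_fast line into a dict; return None for anything that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        rec[key] = int(rec[key])
    for key in ("sport", "dport"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def parse_alerts(text):
    """Parse a whole log, silently dropping lines that do not match the alert layout."""
    return [rec for rec in (parse_alert(l) for l in text.splitlines()) if rec]


def summarize(alerts):
    """ACID-style roll-up: hits per signature, hits per source, and the priority-1 alerts."""
    by_sig = Counter((a["sid"], a["msg"]) for a in alerts)
    by_src = Counter(a["src"] for a in alerts)
    urgent = [a for a in alerts if a["prio"] == 1]
    return {"by_signature": by_sig, "by_source": by_src, "priority_1": urgent}


def find_port_sweeps(alerts, min_ports=5):
    """Heuristic (this example's own): a source whose alerts touch at least min_ports
    distinct destination ports on one host is reported as a possible port sweep."""
    ports = defaultdict(set)
    for a in alerts:
        if a["dport"] is not None:
            ports[(a["src"], a["dst"])].add(a["dport"])
    return {pair: sorted(p) for pair, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    report = summarize(alerts)
    print(f"{len(alerts)} alerts parsed")
    for (sid, msg), n in report["by_signature"].most_common():
        print(f"  sid {sid}: {n:3d}  {msg}")
    for src, n in report["by_source"].most_common():
        print(f"  {src}: {n} alerts")
    for a in report["priority_1"]:
        print(f"  PRIORITY 1: {a['src']} -> {a['dst']} {a['msg']}")
    for (src, dst), p in find_port_sweeps(alerts).items():
        print(f"  possible sweep {src} -> {dst} on ports {p}")
```

Point it at a real Snort alert file (`snort -A fast` writes this layout) by replacing SAMPLE_ALERTS with the file's contents; the regex tolerates the missing Classification field and port-less ICMP lines, both of which occur in genuine output. Snort's own portscan preprocessor does the sweep detection properly at capture time; the heuristic here only shows how much can be read back out of alerts that were already raised.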
I can recommend this book on two levels. The first is
if you are just interested in IDS in general: the book
supplies enough information to give you a good feel for
what an IDS is and what benefits you can get from it. The
second level is for the system administrator who wants
or needs to get a working, viable IDS up and running. The
best part is that the book is worthwhile and won't break
the budget.