
Three Snort Books Reviewed

timothy posted more than 10 years ago | from the harumph-harumph dept.

Security | 123 comments

Eric Stats writes "Working as a Network Engineer for a web-hosting company that prides itself on uptime and network availability, and moonlighting as a part-time Linux administrator, I've found that my managers and clients are starting to expect a level of information security knowledge from me. I decided that if I wanted to take my career to the next level, I needed to develop some security-specific skills. I heard a lot about the open source Intrusion Detection System (IDS), Snort, from friends and co-workers (mostly that it was a pain to get running, and an even bigger pain to understand what it was doing)." To get past those frustrations, Eric looked at two more books on Snort (and compares them to the already-reviewed Intrusion Detection with Snort); read on below for his take on what each offers.

I ran Snort at home for a while, using the online docs, but I could never get a handle on which output plugin to use (When to log? When to alert?), how to email alerts to myself (I later found out Snort doesn't natively do this), and how to create signatures from packet captures (no online docs at all for this). When I did get The Pig running, it filled up my log directory with thousands of small alert files, which ended up being in tcpdump format. This frustrated the hell out of me, so I decided I needed to find a good book on Snort, as the online docs simply did not describe how to use Snort from start to finish.

In the past few months, an assortment of books has come out on Snort. Because it has begun to eclipse closed-source, multimillion-dollar IDSes in terms of raw performance and features, much attention is currently focused on Snort. Naturally, when an open source project achieves this level of notoriety, publishers, venture capitalists, and corporations want to get in on the game. The flood of Snort books is a testament to this, but it doesn't mean they were all created equal. This book review covers the three books on Snort currently available (we will see another two Snort books later this winter). It covers what is good about them, what is bad, and who the target audience is for each. If you are looking to learn intrusion detection the open source way, or simply do not have a million-dollar IT security budget, these books are a good starting point.

Each of these three books serves a different purpose and consequently is appropriate for a different reader. In summary, Rafeeq Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID presents a concise, quick-start guidebook to getting Snort up and running fast. He doesn't delve into the details of Snort, and this book makes a perfect choice for a reader who wants to get The Pig up and running quickly and move on to something else.

The whole gaggle of authors that put together Snort 2.0 Intrusion Detection created a much-needed user manual for Snort. This book makes for a good desktop reference, but assumes you understand the core concepts of intrusion detection, or have significant field experience with Snort. It is also somewhat convoluted to read; I suppose it's inevitable that when you have 12 authors working on a single book, it is going to come out somewhat disjointed and jumbled. If I hadn't read the other two books first, I doubt I would have been able to piece together what this book is talking about in places. (Such as referring to Barnyard logs in one chapter and "unified binary format" in another; how is the reader going to know they are the same?)

Lastly, Jack Koziol's Intrusion Detection with Snort is a guidebook for using Snort in the real world, either on small networks or in large corporate settings. Like any security tool, Snort is only as effective as its operator. Snort can do an enormous number of things, but if you don't understand the "how and why" you aren't going to be able to apply your knowledge in unexpected, different, or new situations. Koziol's book bridges the gap and teaches you the nitty-gritty Snort details not found in the online docs, as well as how to apply your newfound IDS knowledge in practice. This book is lacking in screenshots and diagrams, which can be frustrating at points. Instead of a paragraph of text, a simple diagram would have sufficed.

Intrusion Detection with SNORT: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID
Author: Rafeeq Rehman
Pages: 288
Publisher: Prentice Hall
Rating: 7/10
ISBN: 0131407333

I first picked up Rehman's Intrusion Detection with Snort: Advanced IDS Techniques Using SNORT, Apache, MySQL, PHP, and ACID. Rehman's book is also a member of the Bruce Perens Open Source Series. All of the books in that series are published under the OPL. Overall, Rehman's book served as a good intro to Snort. I followed the examples, used some of the custom startup and log-rotation scripts, and got Snort working for the first time. I also learned of ACID, which is a PHP-based GUI for Snort, put out by Carnegie Mellon's CERT/CC. It makes managing alerts from Snort much less time-intensive. It was an exciting experience, but the book left me in the dark on a number of concepts that I knew I needed to learn. I still didn't understand what I was getting out of Snort; I had so many alerts I couldn't "tune out the noise." I didn't know when to use log or alert plugins, so I just turned on both for safety's sake. I also found that Snort was dropping packets (meaning it wasn't able to keep up with the traffic load going to my webservers hosted at home), but didn't find any way to fix this problem. This setup was fine for experimenting at home, but I didn't feel I would be able to use Snort in a mission-critical corporate setting yet.

Intrusion Detection with Snort
Author: Jack Koziol
Pages: 400
Publisher: SAMS Publishing
Rating: 9/10
ISBN: 157870281X

I thumbed through Jack Koziol's Intrusion Detection with Snort at the bookstore, and it seemed to have some more detailed descriptions of using Snort. It also had a lot of the planning, deployment, and maintenance activities you never think of until you are faced with one at 2 a.m. (such as how to upgrade Snort in an organized manner after a vicious integer overflow exploit is released for a core Snort component). It is also the most popular Snort book, so I figured I would buy it. When I took it home, I learned where to place Snort on a network, and what advantages and disadvantages there are to different IDS sensor placement strategies, something I had never considered.

Koziol's book also had the technical detail I was in desperate need of. I learned how to use Barnyard to spool alerts, which keeps Snort from dropping packets. I got to write my own attack signatures from scratch by using Ethereal packet captures in a controlled lab environment. I created a targeted ruleset; it enables specific attack signatures based on what I actually have running on my network, simply using nmap and some complicated perl scripts. The targeted ruleset went a long way toward reducing false alerts, and is now a selling product from the Snort commercial vendor, Sourcefire. I finally got email alerts working using syslog-ng with Snort. The book ends with some more advanced content, namely using Snort as an Intrusion Prevention device. You can set up Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.
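The targeted-ruleset and custom-signature work described above, as an added example: this is not the reviewer's perl scripts, Koziol's code, or anything shipped with Snort or Sourcefire. It reads nmap's grepable output (-oG) for your own hosts, resolves the port variables used in Snort 2.0 rule headers, keeps only the rules whose destination protocol and port are actually listening somewhere on your network, and builds a local rule from a payload lifted out of a lab packet capture using the escaping Snort's content keyword requires. The nmap output, the rules, the hosts and the sids are all constructed for the example.

```python
# Added example: targeted Snort 2.x ruleset from an nmap scan (illustration, not project code).
import re

# Constructed nmap -oG output for two hosts (not a real scan).
NMAP_GREPABLE = """\
# Nmap scan (constructed sample)
Host: 10.1.1.67 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///
Host: 10.1.1.68 ()\tPorts: 25/open/tcp//smtp///, 80/open/tcp//http///, 3306/closed/tcp//mysql///\tIgnored State: filtered (1000)
"""

# Constructed rules in Snort 2.0 syntax; sids from 1000000 up are the local range.
RULES = """\
var HTTP_PORTS [80,8080]
var SQL_PORTS 3306
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL web cgi-bin probe"; flow:to_server,established; uricontent:"/cgi-bin/"; classtype:web-application-activity; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET $SQL_PORTS (msg:"LOCAL mysql login attempt"; flow:to_server,established; classtype:attempted-recon; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"LOCAL mssql probe"; flow:to_server; classtype:attempted-recon; sid:1000003; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 161 (msg:"LOCAL snmp public community"; content:"public"; classtype:attempted-recon; sid:1000004; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL ssh syn"; flags:S; classtype:attempted-recon; sid:1000005; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"LOCAL icmp echo"; itype:8; classtype:misc-activity; sid:1000006; rev:1;)
"""

HEADER_RE = re.compile(r"^(alert|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\(")
NMAP_HOST_RE = re.compile(r"^Host:\s+(\S+).*?Ports:\s+([^\t]+)")


def parse_nmap_grepable(text):
    """Return {host: {(proto, port), ...}} for the ports nmap reported as open."""
    inventory = {}
    for line in text.splitlines():
        m = NMAP_HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.groups()
        open_ports = set()
        for entry in ports.split(","):
            port, state, proto = entry.strip().split("/")[:3]
            if state == "open":
                open_ports.add((proto, int(port)))
        inventory[host] = open_ports
    return inventory


def resolve_ports(expr, variables):
    """Expand a Snort port expression to a set of ints; None means 'match any port'."""
    expr = expr.strip()
    if expr.startswith("$"):
        expr = variables.get(expr[1:], "any")
    if expr == "any" or expr.startswith("!"):
        return None  # 'any' and negated lists are kept rather than modelled
    ports = set()
    for part in expr.strip("[]").split(","):
        if ":" in part:  # range, possibly open-ended: 1024: or :1023
            lo, hi = part.split(":")
            ports.update(range(int(lo or 0), int(hi or 65535) + 1))
        else:
            ports.add(int(part))
    return ports


def select_rules(rules_text, inventory):
    """Keep rules whose protocol/destination port is open on at least one inventoried host."""
    listening = set().union(*inventory.values()) if inventory else set()
    variables, kept = {}, []
    for line in rules_text.splitlines():
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
            continue
        m = HEADER_RE.match(line)
        if not m:
            continue
        _, proto, _, _, direction, _, dst_port = m.groups()
        ports = resolve_ports(dst_port, variables)
        if proto in ("ip", "icmp") or direction == "<>" or ports is None:
            kept.append(line)  # no port to check against: leave it enabled
        elif any((proto, p) in listening for p in ports):
            kept.append(line)
    return kept


def targeted_sids(nmap_text, rules_text):
    """The sids that survive targeting, in file order."""
    return [int(re.search(r"sid:(\d+)", r).group(1))
            for r in select_rules(rules_text, parse_nmap_grepable(nmap_text))]


def payload_to_content(payload):
    """Encode captured bytes as a Snort content: value.

    ';' '\\' '"' and '|' have meaning inside a rule and non-printable bytes cannot be
    typed, so those go into a |xx xx| hex run; everything else stays readable.
    """
    out, hex_run = [], []
    for b in payload:
        if 0x20 <= b < 0x7F and chr(b) not in ';\\"|':
            if hex_run:
                out.append("|" + " ".join(hex_run) + "|")
                hex_run = []
            out.append(chr(b))
        else:
            hex_run.append("%02X" % b)
    if hex_run:
        out.append("|" + " ".join(hex_run) + "|")
    return "".join(out)


def make_local_rule(sid, msg, dst_port, payload):
    """Assemble a local rule from a payload taken out of a lab packet capture."""
    return ('alert tcp $EXTERNAL_NET any -> $HOME_NET %s (msg:"%s"; flow:to_server,established; '
            'content:"%s"; classtype:attempted-admin; sid:%d; rev:1;)'
            % (dst_port, msg, payload_to_content(payload), sid))


if __name__ == "__main__":
    print(make_local_rule(1000007, "LOCAL cgi shell probe", 80, b'GET /cgi-bin/x;id "a"\x00'))
    for rule in select_rules(RULES, parse_nmap_grepable(NMAP_GREPABLE)):
        print(rule)
```

With the constructed data, the mysql, mssql and snmp rules are dropped because nothing on either host listens on those ports, while the web, ssh and icmp rules stay. Negated port lists, `any`, and the richer var forms in real rulesets (IP lists, nested lists) are deliberately left enabled rather than modelled, so a rule is never silently disabled because the script could not parse its header.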

Snort 2.0 Intrusion Detection
Authors: Jay Beale, Anne Carasik, Aidan Carty, Scott Dentler, Adam M. Doxtater, Wally Eaton, Jeremy Faircloth, James C. Foster, Vitaly Osipov, Jeffrey Posluns, Ryan Russell, Brian Caswell
Pages: 485
Publisher: Syngress
Rating: 4/10
ISBN: 1931836744

The final Snort book in this review is Snort 2.0 Intrusion Detection. This book has a lot of the screenshots and figures that the Koziol and Rehman books leave out. It also contains a lot of useful diagrams, about one for every other page, and a CD-ROM with all of the Snort source and a PDF version of the book. This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book. Still, it is nice to have the most up-to-date documentation, but it doesn't make the Rehman book any less effective. This book has the most reference material in it, over 500 pages' worth, and it has very organized user manual-like descriptions of important Snort components (preprocessors, output plugins, and rules). Keep in mind that this book was created more as a user manual than as an implementer's guide. You aren't going to see planning, deployment, and maintenance activities or technical deployment examples, as in the Koziol book. And you aren't going to find a concise quick-start guide such as the Rehman book.

In summary, you aren't going to find anything in this book that isn't in the other two. What you will find is lengthy descriptions, and a lot more screenshots. As stated before, Snort 2.0 Intrusion Detection was written by 12 different people (one of them Brian Caswell, a Sourcefire employee and Snort.org website maintainer). This is obviously done by the publisher to get the book out as fast as possible, which is important for technology book publishers as books are outdated quickly, but it has the end result of a disjointed book that contradicts itself in many areas. An example: one author stresses how deadly important it is for us to only use the latest Snort version, while another tells us to use the CD-ROM that comes with the book, which contains an outdated version of Snort.

You can clearly tell that different authors worked on different chapters, as the style and format change frequently. You can also tell that the authors didn't talk to each other much, as you will find one author referring to something in one chapter (unified binary format) that he expected to have been explained in a previous chapter. In print, the concept was not explained until later, which can be really frustrating if you are not a Snort pro. Additionally, there are enough grammatical errors in the book to be distracting, and, much like a vendor-provided user manual, the chapters don't logically flow from one to the next. If you do purchase this book, this slashdotter would recommend it as a supplement to either the Rehman or Koziol book.




Who needs snort? (2, Funny)

mjmalone (677326) | more than 10 years ago | (#6687663)

Just put a teletype machine between your wall jack and your modem! DUH! If only FSF had this setup we wouldn't be in the pickle we're in!

MJMALONE IS A POUNCEPOSTING KARMA WHOR (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6687756)

Not that you didn't know that. Sorry for shouting, but his chutzpah is incredible... bro, you want hits for your site? Take out an ad. Please spare us the cut-n-paste pouncing. Go out and get some air or something.

He's just whoring for his website (his link/sig). (0)

Anonymous Coward | more than 10 years ago | (#6687795)

What a loser. BUY AN AD! (Oh wait, this isn't K5)

Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR (-1)

Anonymous Coward | more than 10 years ago | (#6687879)

You don't get karma from funny mods.

As for his sig, he can say whatever he likes.

As for pounce posting, such are the benefits of subscribing.

Get some air yourself.

A benefit of subscribing is knowing that your $$$$ (-1)

Anonymous Coward | more than 10 years ago | (#6687910)

is going to help fund CmdrTaco's gay farmsex porn addiction. GO LINUX!

Re:A benefit of subscribing is knowing that your $ (0)

Anonymous Coward | more than 10 years ago | (#6687926)

Get a life

THAT'S AWESOME! (-1)

Anonymous Coward | more than 10 years ago | (#6687966)

Some anonyslashbot telling someone to "get a life"! I'm laughing my ass off as I type this

Re:THAT'S AWESOME! (-1)

Anonymous Coward | more than 10 years ago | (#6688055)

I'd post with my real name, but I'd just get modded "offtopic," even though I was responding to the parent :-\

Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR (-1)

Anonymous Coward | more than 10 years ago | (#6687942)

chutzpah. wow thanks. i've added a new word to my vocabulary.

Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR (-1)

Anonymous Coward | more than 10 years ago | (#6688077)

Its a good word. Not as cool as "braggadocio" though.

Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR (-1)

Anonymous Coward | more than 10 years ago | (#6688206)

words are wonderful. take for example: badonkadonk
an ass of exceptional quality and bounce

Re:MJMALONE IS A POUNCEPOSTING KARMA WHOR (0)

scrollios (604767) | more than 10 years ago | (#6688027)

mjmalone just needs to get back to school...the lack of drinking and women is forcing him to find alternate means of entertainment....yech...like pounceposting and politics.

First Post (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6687667)

See The Motherfucking topic!

*snort* (5, Funny)

bytesmythe (58644) | more than 10 years ago | (#6687677)

Apparently the FSF could use a copy of this book...

Re:*snort* (5, Funny)

mini me (132455) | more than 10 years ago | (#6687693)

You mean MD5 sums from random people on the internet isn't good enough?

Re:*snort* (-1, Offtopic)

bytesmythe (58644) | more than 10 years ago | (#6687866)

True... they probably need a companion book on how to securely back up your fscking data. I realize the FSF isn't a giant data warehouse, but if you're going to act as an authoritative source, especially for executable software or source code, you had BETTER have an offsite (or, at the least off-network) backup and be able to effectively rollback in case of problems like this. ;)

Re:*snort* (0)

Anonymous Coward | more than 10 years ago | (#6687743)

Or a copy of IIS, the FTP server included with that is better than wu-ftp.

Re:*snort* (1)

saint10 (248611) | more than 10 years ago | (#6687760)

It looks like a lot of ISPs [salon.com] could use these books too. ;)

Re:*snort* (1)

bytesmythe (58644) | more than 10 years ago | (#6687817)

Hell, we all needed it for MSBLAST. A lot of people (myself included) didn't take this worm very seriously until everything around started breaking. OLE drag-n-drop screwed up, RPC servers failing, svchost.exe crashing, javascript not functioning correctly... The only thing nastier is probably buried in the video archive on consumptionjunction.

Anyone else read that as (1, Funny)

Steven Blanchley (655585) | more than 10 years ago | (#6687680)

"Three Short Books Reviewed"?

Re:Anyone else read that as (0)

Anonymous Coward | more than 10 years ago | (#6687778)

It must be those shitty linux fonts your using [gnome.org] . Back to windows until your a bearded gnu/hippy who's eyes are sharp as a goats vision.

Re:Anyone else read that as (0)

Anonymous Coward | more than 10 years ago | (#6688147)

Back to Windows for you until you learn to distinguish between "your" and "you're" you clit snorting ass face.

Commander Taco to Shutdown Slashdot (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6687684)

Commander Taco to Shutdown Slashdot
By Colin Johnston
Fremont, CA - The maintainer of the popular news website has decided to call it quits. Commander Taco stated that, "I don't want my work to fall into the wrong hands, so I'm taking the whole thing down." The permanent shutdown is set September 1, 2003.

Eh? (-1, Redundant)

Anonymous Coward | more than 10 years ago | (#6687694)

I misread the title as Three Short books reviewed.

Re:Eh? (0)

Anonymous Coward | more than 10 years ago | (#6688393)

You also misread yourpost as "orignal."

If you need a commercial product with 24x7 support (3, Informative)

phaetonic (621542) | more than 10 years ago | (#6687696)

Check out Symantec's ManHunt [symantec.com] . Besides getting great support, this uses open source software (snort) and now runs on Red Hat Linux!

Re:If you need a commercial product with 24x7 supp (1)

Steven Blanchley (655585) | more than 10 years ago | (#6687769)

this uses open source software (snort)
What, you don't like open source for some reason?

Re:If you need a commercial product with 24x7 supp (1, Interesting)

Anonymous Coward | more than 10 years ago | (#6688050)

>Check out Symantec's ManHunt. Besides getting great support, this uses open source software (snort) and now runs on Red Hat Linux!

I'd also recommended Puresecure Professional [demarc.com] it's been a godsend.

Plus, they have a free version for homeusers.

Re:If you need a commercial product... (2, Insightful)

supersmike (563905) | more than 10 years ago | (#6688200)

Wha? That sounded kind of interesting until I searched Google for "symantec manhunt pricing" and came back with $15,000! I think I'll go with a copy of Snort and one of those books.

Re:If you need a commercial product with 24x7 supp (2, Funny)

Hatta (162192) | more than 10 years ago | (#6688871)

I also recommend Sierra's Manhunter [the-underdogs.org] . A solid cyberpunk adventure game from the glory days.

Re:If you need a commercial product with 24x7 supp (1)

RossCarlson (618297) | more than 10 years ago | (#6689032)

Are you guys sure this is using Snort and RedHat? We've been told that it's proprietary... We use Border Guard (www.stillsecure.com)

Intrusion Detection is not plug and play (5, Insightful)

saint10 (248611) | more than 10 years ago | (#6687711)

I would have to agree, Intrusion Detection technology is by no means plug and play... You need more than just a user manual, you have to understand what is actually going on and tune your IDS appropriately.

Re:Intrusion Detection is not plug and play (0)

Anonymous Coward | more than 10 years ago | (#6687950)

But, what if all I want to do is connect a red light and siren to my computer, and have it go off if there is an intruder?

Re:Intrusion Detection is not plug and play (1)

Descartes (124922) | more than 10 years ago | (#6688842)

Ok, I'm not trying to brag, but I disagree. I set up a system where SNORT dropped data into a MySQL database and used ACID to generate reports. I can't remember where I found the howto (I think it was on the ACID webpage) but it was pretty straightforward.

I guess the one trick that made it easier was using Webmin to set the whole thing up, because there is a SNORT plugin.

The only hitch was figuring out if it was really catching intrusion attempts because you either have to wait for an attack or do it yourself. I eventually turned on the porn filter and had my coworkers browse for porn.

From my experience it was easier to set up than postfix, etc.

Idiots.. (2, Funny)

Anonymous Coward | more than 10 years ago | (#6687722)

I don't even need one book to snort properly.

Re:Idiots.. (0)

rcamans (252182) | more than 10 years ago | (#6688094)

He could have asked me how to snort. I have 100s of kbucks invested in that key learning and I would have told him everything I know for free:

Don't snort!

Cocaine, Ritalin, Paxil and Adderall! (0)

Anonymous Coward | more than 10 years ago | (#6688112)

Whee! I'm so high I feel like investing in VA Software!

Anybody have any nasal spray?

someone needs to write a snort book on (0)

Anonymous Coward | more than 10 years ago | (#6687724)

why snort needs to be redesigned. <6 mos and there will be another gaping, remote root hole in it

Re:someone needs to write a snort book on (1)

xchino (591175) | more than 10 years ago | (#6688771)

It's only a remote root exploit if you are running the process as root, and that would be stupid. You are an AC though.

Figures (-1, Redundant)

SirLantos (559182) | more than 10 years ago | (#6687729)

DOH!!

If only this had been posted a day or two earlier.....the FSF may have been able to save some face.

Left out one great snort book (0, Funny)

Anonymous Coward | more than 10 years ago | (#6687734)

Humorless slashbot dopes modded you down (0)

Anonymous Coward | more than 10 years ago | (#6688235)

The parent is funny, but apparently it's more important around this dump to smack something down as offtopic than to appreciate how clever it is -- or let others' appreciation of it stand as-is.

Lighten up, moderators. Put down your kona blend, peel yourselves out of the chair, and consider what's more important than whether or not people are clinging to the "topic."

Drug related titles (5, Funny)

bytesmythe (58644) | more than 10 years ago | (#6687755)

From one of the book titles:
Using SNORT, Apache, MySQL, PHP, and ACID

This somehow strikes me as a veiled reference to cocaine, peyote, quaaludes, phencyclidine, and LSD. No longer will pharmacologically-enhanced computing be restricted to the caffeine you get from a case of Jolt!

Re:Drug related titles (0)

panda (10044) | more than 10 years ago | (#6687941)

Except that MySQL isn't quaaludes. MySQL is code speak for MDMA.

Re:Drug related titles (0)

Anonymous Coward | more than 10 years ago | (#6688495)

When the parent poster said MySQL is a reference to quaaludes, he was referring to their real name of Methaqualone.

I'm still waiting... (2, Insightful)

packethead (322873) | more than 10 years ago | (#6687758)

for an integrated Intrusion Prevention System (IPS). Detecting the threat is one thing. But detecting then bit-bucketing it (I know, another made up verb) is another matter. Also, false-pos's? "White Noise"?

Oh well, another topic.

Re:I'm still waiting... (2, Informative)

saint10 (248611) | more than 10 years ago | (#6687833)

The book ends with some more advanced content, namely using Snort as an Intrusion Prevention device. You can setup Snort to block packets that match a signature, using Inline Snort, or you can have Snort reconfigure routers and firewalls to block offending IP addresses, using SnortSam. I've experimented with Inline Snort as part of a honeypot, but, as the author points out, this is not yet production-safe, as it can easily be used by attackers to disrupt network availability.

Hey, Koziol's book covers Intrusion Prevention and IPS. Lots of detail.

Re:I'm still waiting... (4, Informative)

silas_moeckel (234313) | more than 10 years ago | (#6687872)

I guess you want a Cisco IDS tied to a Pix with shunning turned on? SNORT does one thing well: detect nasty packets and flows. It's then up to you to do something about it in an automated manner. A little scripting can generally get this done.

A bit offtopic I know, but... (0, Offtopic)

StringBlade (557322) | more than 10 years ago | (#6687763)

At first, I thought the infamous spelling ability of our editors managed to munge the article title of "Three Short Books Reviewed"!

Did anybody read... (2, Funny)

bersl2 (689221) | more than 10 years ago | (#6687770)

Did anybody read that word as "snort" instead of "short?" I thought for a moment that I was losing my mind.

[crickets chirp]

Oh, wait...

Snort (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#6687775)

SSSSSsssssnnnnoooooooooooooooooorrrrrrrrrrrrrttttt ttt!!!!

sniffs, rubs nose

What were we talking about, again?

The problem is... (2, Interesting)

TypoNAM (695420) | more than 10 years ago | (#6687819)

It would have taken me reading all three of those books just to figure out where to place those damn rule files. I could have RTFM, but no one has published that snort title yet.

Besides, I'd rather set up a honeypot and watch the hackers break in. It's like watching ants trying to break out of the glass. You're going nowhere, bub! >:D

don't buy, use safari (4, Interesting)

asv108 (141455) | more than 10 years ago | (#6688148)

I wasn't a big fan of the online book idea until I tried Safari [oreilly.com] for the first time a few months ago. A quick search for snort reveals 38 different books that focus on or have chapters dealing with snort, including the one book "Intrusion Detection with Snort" that was mentioned in this review. The retail cost of these three books alone would cover a safari subscription for a year (10 books out at any given time). There is a free 14 day trial [safaribooksonline.com], it got me hooked. I ended up selling 20+ books in my bookshelf that were already on Safari, covering my Safari fees for the next 2 years.

Can you print the books you check out? (1)

doc_traig (453913) | more than 10 years ago | (#6688397)

I stare at a screen enough during the day... I generally prefer the pulpy versions of any kind of book.

Drugs are bad mmmkay? (-1, Redundant)

GillBates0 (664202) | more than 10 years ago | (#6687881)

FSF FTP Site Cracked, Looking for MD5 Sums
Three Snort Books Reviewed

More /. headlines

Microsoft code at fault for half of all Windows Crashes. Bill Gates at an all time high.
Darl McBride OD's on pot, lands in hospital.

Frustrated? (1)

indole (177514) | more than 10 years ago | (#6687955)

To get past those frustrations...
This frustrated the hell out of me...
frustrating at points...
really frustrating...
Dude! Chill the fsck out. It's only a computer book.

Re:Frustrated? (0)

Anonymous Coward | more than 10 years ago | (#6688145)

You actually read the article?

Re:Frustrated? (1)

timeOday (582209) | more than 10 years ago | (#6688151)

Simple question: have you used snort?

Re:Frustrated? (1)

indole (177514) | more than 10 years ago | (#6688271)

yeah when you look at it that way... If the review was from me it would be necessary to:
cat ARTICLE | sed 's/frustrat^/hopeless, so I gave up/g' > ARTICLE.NEW

Superstition.. (0)

Anonymous Coward | more than 10 years ago | (#6688108)

Who in their right mind makes a post about security on August 13th?

Re:Superstition.. (-1)

Anonymous Coward | more than 10 years ago | (#6688170)

I was thinking the same thing! It's an especially interesting question considering that today is also Friday, August 13th.

Integration With Vulnerability Assessment Engines (3, Interesting)

illectro (697914) | more than 10 years ago | (#6688127)

Qualys launched a neat Snort correlation system which works with their scanner - the idea is that if the IDS detects a potential exploit attempt against a target it can check the vulnerability report on that machine and figure out whether the attack has any chance of working based on the Qualysguard tests.


Nice theory, of course you do need a qualys account which costs a bunch (they do lead the field though), but they reckon it cuts down false alarms by a huge chunk. They launched this at Blackhat this year (along with the law of vulnerabilities) and it's been open sourced (yay!).

Re:Integration With Vulnerability Assessment Engin (1)

szyzyg (7313) | more than 10 years ago | (#6688386)

Great Got a URL?
Is this it?
http://quidscor.sourceforge.net/

Three Cheers for Slashdot (1, Interesting)

Anonymous Coward | more than 10 years ago | (#6688152)

Slashdot strikes out
reported by Anonymous Cannibal

In developing news, Slashdot.org [slashdot.org] has released a non-SCO related article. Slashdotters are ecstatic at the incoming news "Oh man I really thought it was the end of the road there for a minute, I mean last week was bad, but as of Sunday, I don't know how many SCO based articles they posted. I think it's somewhere in the low hundreds though" stated a user who wished to remain anonymous.

"It's exciting for the moment, but I know these morons will just post some other sickening story about a company that's about to go under any god damned moment". stated fx0rspy.

Slashdot once upon a time was one of the hottest sites on the net, and the site which now boasts close to 600+ thousand users (most of which are duplicate users) is slowly going down the toilet. "Well I doubt if it is going to go away, if it did most of the admins there would likely commit suicide or something. I just want to see it go back to the basics and focus on news. Sure SCO is news, but do we really need it shoved down our throats four to five times?" stated another user via IRC who wished to remain anonymous.

So for those who are interested in real news, such as how China will replace every citizen's ID card with a Digital Card, you can read this here [cryptome.org], or if you care about the NSA possibly backdooring all software, you can read that too by clicking here [nsa.gov]. The CIA's statement on WMD? Sure, right here, [cia.gov] however, if you're looking for another SCO article, stay tuned, one will be available within the hour.

Numerous requests were sent to Slashdot administrative staff who never responded to our e-mails. We feel for them, and will make sure to send them carfare when the company goes under so they'll be able to get to the unemployment office.

(c) 2003 Disgruntled Slashdotter

Dear Submitter: (0)

Anti Frozt (655515) | more than 10 years ago | (#6688211)

We here at Slashdot do not approve of inhaling or "snorting" drugs. The following alternatives are suggested:

  • Jolt Cola

  • Jolt Gum
    Chocolate covered espresso beans
    Black-black chewing gum

Information on these alternatives can be found here [thinkgeek.com] and here [modulo26.net]

Thank you!
Slashdot Administrators

Snort? (0, Flamebait)

Black Noise (683584) | more than 10 years ago | (#6688244)

Just what is a snort anyway? Sure, I've read numerous descriptions, but does anyone have a sample, or even better a movie clip?

I'm really curious.

nice to see... (4, Interesting)

wwest4 (183559) | more than 10 years ago | (#6688306)

since snort is such a nice IDS and a good example of OSS components becoming more than their sum, it's nice to see books coming out.

it certainly isn't plug-n-play, but it's not super technical to install - it's just tedious and open to stupid installation mistakes. i've had a newb trainee install it in a couple of days... not bad for just diving in, but an automated installation would make snort the bomb. anyone know of progress in this area (on any platform)?

Re:nice to see... (1)

Jellybob (597204) | more than 10 years ago | (#6688391)

With something like Snort I think it's important to know exactly what it's doing, otherwise the first you know of a config problem is when someone walks into your "secure" network through a hole you left.

Re:nice to see... (1)

wwest4 (183559) | more than 10 years ago | (#6688454)

i know where you're coming from - i just wince when i think about sitting down and reinstalling those components again.

if someone knowledgeable put an installer together, i'd have more time to deploy sensors at different points in my networks without needing dedicated boxes or similar hardware.

nice to see...Portable nose. (0)

Anonymous Coward | more than 10 years ago | (#6688648)

To paraphrase a commercial: "This is a good place for a Knoppix disk". [slashdot.org]

Intrusion detection wherever it's needed, and unhackable to boot.

Local Linux user found trapped in woods. (1)

Mike Green Chal (697920) | more than 10 years ago | (#6688346)

People, one of our own has been found. Trapped in the local woods of Newtown Square. He did not use the SNORT anti hacker software and was taken away by SCO goons late last evening. Truly a troubling loss.

They caught him infringing on their IP property by using 12 lines of SCO code in his homebrew linux computer's kernel. Please help us save this young man. Check out The Mike Green Challenge [mikegreenchallenge.com] site today, to help rescue this young man from the oppressive clutches of SCO and Micro$oft.

Direction of intrusion detection is....... (1)

DRWHOISME (696739) | more than 10 years ago | (#6688359)

Artificial intelligence ?

Re:Direction of intrusion detection is....... (0)

Anonymous Coward | more than 10 years ago | (#6688636)

Mobile Agents.

What other books? (0)

Anonymous Coward | more than 10 years ago | (#6688444)

"(we will see another two Snort books later this winter)"

Anyone know who will be doing these?

A pain to get snort working? (3, Interesting)

Rahga (13479) | more than 10 years ago | (#6688524)

I can't even pretend to be a great "network administrator" or "software engineer", but I don't see how anyone can even pretend that Snort is difficult to set up with some of the documentation on the website. The most foolproof one there goes by the name of something like "RedHat 9 + Snort + Acid + MySQL + Apache", and RH9 is only used in the "base packages" sense (except for sharutils, which doesn't seem to install by default, but comes in handy when installing Nessus with the installer script).

If you can't install Snort with that type of docum.... hold on... the late 90s called, they wanted to congratulate you on beating the odds.

*sniff* (0)

rwven (663186) | more than 10 years ago | (#6688572)

heh we're probably going to buy a book or two here at work. the problem with snort is not getting it installed and up and running. we even have scripts running that e-mail out the daily (and then a monthly compilation) logs of snort detections and then archive the old ones and junk. (rvennell@dbu.edu if you want them) that's the easy part. the hard part is getting everything up and running and then being able to decode:

[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/31-10:09:33.337662 148.223.223.41 -> 10.1.1.67
ICMP TTL:240 TOS:0x0 ID:25562 IpLen:20 DgmLen:56
Type:3 Code:13 DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.1.1.67:7700 -> 159.16.131.56:59859
TCP TTL:113 TOS:0x0 ID:52194 IpLen:20 DgmLen:52
Seq: 0xE9B061C5 Ack: 0x0
** END OF DUMP

And how does one stop the aforementioned from happening if it happens to be bad? ya need the book to know what to do with the output....setup is nothing...
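The alert quoted in the post above is Snort's "full" alert format: a rule header line with generator:signature:revision ids, a classification/priority line, the outer packet's timestamp, endpoints and IP header, and, for ICMP error messages, a dump of the original datagram that triggered the error. Reading that by eye is the hard part the poster describes. The following is an added example, not code from the post or from the Snort project, that parses such alerts into records and gives a first triage of the ICMP type 3 / code 13 case. The sample text is the poster's own alert with Snort's line breaks restored (a constructed layout); the RFC 1918 ranges used to decide "local" versus "remote" are an assumption, not anything the post states.

```python
"""Parse Snort "full" alert output into structured records and triage it.
Added example (not from the original post); SAMPLE_ALERT is the alert quoted
in the post with its line breaks restored, a constructed layout."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_ALERT = """[**] [1:485:2] ICMP Destination Unreachable (Communication Administratively Prohibited) [**]
[Classification: Misc activity] [Priority: 3]
07/31-10:09:33.337662 148.223.223.41 -> 10.1.1.67
ICMP TTL:240 TOS:0x0 ID:25562 IpLen:20 DgmLen:56
Type:3  Code:13  DESTINATION UNREACHABLE: ADMINISTRATIVELY PROHIBITED, PACKET FILTERED
** ORIGINAL DATAGRAM DUMP:
10.1.1.67:7700 -> 159.16.131.56:59859
TCP TTL:113 TOS:0x0 ID:52194 IpLen:20 DgmLen:52
Seq: 0xE9B061C5  Ack: 0x0
** END OF DUMP
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]")
# optional timestamp, then "src[:port] -> dst[:port]"
ENDPOINTS_RE = re.compile(r"^(?:(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) )?" + IP + r"(?::(\d+))? -> " + IP + r"(?::(\d+))?$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) TOS:(0x[0-9A-Fa-f]+) ID:(\d+) IpLen:(\d+) DgmLen:(\d+)")
ICMP_RE = re.compile(r"^Type:(\d+)\s+Code:(\d+)")

# Assumed definition of "our" address space; adjust to the monitored network.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Datagram:
    proto: str
    src: str
    src_port: Optional[int]
    dst: str
    dst_port: Optional[int]
    ttl: int


@dataclass
class SnortAlert:
    gid: int
    sid: int
    rev: int
    message: str
    classification: str
    priority: int
    timestamp: Optional[str]
    outer: Datagram                      # the packet Snort actually saw
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    original: Optional[Datagram] = None  # datagram embedded in an ICMP error


def _parse_datagram(lines: List[str], i: int):
    """Parse an endpoints line and the IP-header line that follows it."""
    m = ENDPOINTS_RE.match(lines[i])
    p = PROTO_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
    if not m or not p:
        raise ValueError(f"unexpected packet header near: {lines[i]!r}")
    dg = Datagram(proto=p.group(1), src=m.group(2),
                  src_port=int(m.group(3)) if m.group(3) else None,
                  dst=m.group(4), dst_port=int(m.group(5)) if m.group(5) else None,
                  ttl=int(p.group(2)))
    return m.group(1), dg, i + 2


def parse_alert(block: str) -> SnortAlert:
    """Parse one full-format alert (the text between two blank lines)."""
    lines = [ln.rstrip() for ln in block.strip().splitlines()]
    h = HEADER_RE.match(lines[0])
    if not h:
        raise ValueError("not a Snort full-format alert")
    c = CLASS_RE.match(lines[1])
    classification, priority, i = (c.group(1), int(c.group(2)), 2) if c else ("", 0, 1)
    ts, outer, i = _parse_datagram(lines, i)
    alert = SnortAlert(int(h.group(1)), int(h.group(2)), int(h.group(3)), h.group(4),
                       classification, priority, ts, outer)
    while i < len(lines):
        t = ICMP_RE.match(lines[i])
        if t:
            alert.icmp_type, alert.icmp_code = int(t.group(1)), int(t.group(2))
        elif lines[i].startswith("** ORIGINAL DATAGRAM DUMP:"):
            _, alert.original, i = _parse_datagram(lines, i + 1)
            continue
        i += 1
    return alert


def parse_alerts(text: str) -> List[SnortAlert]:
    """Split a full-format alert file on blank lines and parse each block."""
    return [parse_alert(b) for b in re.split(r"\n\s*\n", text.strip()) if b.strip()]


def is_local(ip: str) -> bool:
    return any(ipaddress.ip_address(ip) in n for n in LOCAL_NETS)


def triage(a: SnortAlert) -> str:
    """One-line reading of the alert; ICMP destination-unreachable gets direction."""
    head = f"[{a.gid}:{a.sid}:{a.rev}] prio {a.priority} {a.message}"
    if a.icmp_type == 3 and a.original is not None:
        o = a.original
        direction = "outbound" if is_local(o.src) else "inbound"
        what = (f"{a.outer.src} reports an {direction} {o.proto} packet "
                f"{o.src}:{o.src_port} -> {o.dst}:{o.dst_port} was filtered "
                f"(ICMP type {a.icmp_type} code {a.icmp_code})")
        if direction == "outbound":
            return f"{head}: {what}; the local host's own connection was rejected on the path, review why {o.src} contacted {o.dst}:{o.dst_port}"
        return f"{head}: {what}; a remote host's traffic toward {o.dst} was rejected by a filter"
    return f"{head}: {a.outer.proto} {a.outer.src} -> {a.outer.dst}"


if __name__ == "__main__":
    for alert in parse_alerts(SAMPLE_ALERT):
        print(triage(alert))
```

For the quoted alert the triage line states that 148.223.223.41 reported an outbound TCP packet from 10.1.1.67:7700 to 159.16.131.56:59859 as administratively filtered, which answers the poster's "is it bad?" question with the two things worth checking: which local process on 10.1.1.67 was talking to that destination, and whether that is expected traffic.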

thanks... (2, Funny)

Overbyte (226279) | more than 10 years ago | (#6688629)

for getting me all worked up. My fiancée snorts when she laughs. I was hoping one of these books would help her(me?) out...

Web Intrusion Detection (3, Informative)

ivan.ristic (631774) | more than 10 years ago | (#6688651)

If you are interested in detecting and preventing web attacks specifically then you should have a look at mod_security [modsecurity.org] . It is an Apache module (both branches are supported) that allows for some very interesting HTTP-specific filtering. It even supports POST method analysis, and can reject an offending request. Since it works as part of the web server it makes it much easier to detect attacks carried out through an SSL channel.

This reviewer is clueless (1)

Helevius (456392) | more than 10 years ago | (#6688653)

Try reviewing Snort books when you know something about Snort. For example, saying "This book, and the Koziol book, cover Snort version 2.0, which isn't all that much different from version 1.9 covered in the Rehman book" shows you know nothing about Snort's internals. Snort 2.0 offers several new features [snort.org] -- check them out!

These reviews [amazon.com] are more helpful. A copy of the Koziol book is on the way to the Amazon.com reviewer so he should be able to rate it against the Caswell and Rehman books.

And those ratings -- 4/10 for Caswell, currently selling at #423 at Amazon.com [amazon.com] , compared to 7/10 for Rehman, currently #5691 at Amazon.com [amazon.com] ? Popular opinion isn't everything, but people are clearly buying the better book -- despite its faults.

Helevius

funny (1)

sootman (158191) | more than 10 years ago | (#6688736)

when I first read the headline, I thought "three snort" was a rating of how funny something was.

for example, this post is about a half-snort. :-)

Note to moderators (-1, Troll)

Anonymous Coward | more than 10 years ago | (#6688908)

Every time you moderate one of my posts down as "Overrated", I will initiate a Shitstorm crapflood of the thread and/or story.