Reviewed in the United States on July 12, 2004
Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Excerpts from that review appear on the back cover and first page of "Snort 2.1," published only 14 months later. I still think "Snort 2.1" is overall the best Snort book available, but I was disappointed by signs of rushed production and lack of coverage of key Snort features.
The table of contents for "Snort 2.1" is deceiving, as it is almost exactly the same as "Snort 2.0." However, the new book is almost 200 pages larger than its predecessor, with many internal modifications. Chapters 1, 2, 3, 4, 9, 11, 12 and 13 are either completely new or substantially new. Chapters 5, 6, 7, 8, and 10 are either partial rewrites or have some material added or dropped. Despite all of this work, "Snort 2.1" fails to spend time on key subjects, which I will mention during a chapter-by-chapter examination of the book.
First, I recommend skipping ch 1. Aside from some general IDS advice, it is haphazard and contributes nothing to the core Snort discussion. Ch 2 is a quick overview of Snort capabilities, and should have been the lead chapter. Ch 3 describes Snort installation, but suffers apparently swapped figures (3.1 and 3.2) and a wrong figure (3.5). Ch 3 is still a nice upgrade from its counterpart in "Snort 2.0," which gave hints for deploying Snort on Red Hat Linux 8.0. The new ch 3 covers Linux, OpenBSD, and Windows.
Ch 4, "Inner Workings," is one of the reasons "Snort 2.1" has an advantage over the competition. It's tough to go wrong when Snort's developers describe the tool's operation. Still, signs of rough editing appear on p. 170 and 191, and the "-a cmg" switch should be "-A cmg".
Ch 5 covers rules, and is a big disappointment. For most users, rules are the primary means to customize Snort. Like "Snort 2.0," ch 5 fails to help readers with some of the more important new Snort rule options, like byte_test, byte_jump, distance, and within (available since 2.0.rc1 in Mar 03). Ch 5 implies on p. 145 that running Snort with -v is a good idea, despite every other recommendation in the book that verbose mode is a performance killer. Also, the IP "sec" option mentioned on p. 205 is not "IPSec" -- see RFC 791. Overall, ch 5 spends too much time restating rule information found in Snort's manual, and not enough time on features available even in Snort 2.0.
Ch 6's discussion of preprocessors is a solid chapter, with new material on Snort's flow module, http_inspect, and perfmonitor. The telnet preprocessor section is one of the better examples of a "code walkthrough," where the author shows code while explaining what it does.
Ch 7 is really showing its age. "Snort 2.0" was behind the times when it said "Unified logs are the future of Snort reporting," and "Snort 2.1" makes the same mistake. Barnyard, a means to read unified logs, was available in Sep 01! Ch 7 also misses the boat on XML output, calling it "our favorite and relatively new logging format" on p. 322. The XML plug-in spo_xml wasn't even part of snort-2.0.0, never mind snort-2.1.0. Basic research would have revealed Joe McAlerney's announcement of Silicon Defense's snort-idmef XML plug-in in Jun 01, followed by Sandro Poppi's assumption of the project in Aug 03. A mention of Barnyard's "XML formatting capabilities" appears in ch 7 on p. 322, yet Barnyard does not offer this natively.
I was happy to see Sguil addressed in ch 8, but sad to see Sguil's use of session and full content data not appreciated for its true worth. Ch 9 does a good job describing Oinkmaster and gives sound advice on avoiding the "not any" rule negation problem. Ch 10 covers really old testing tools like Sneeze, whose stateless operation cannot fool stream4's stateful inspection.
Ch 11, explaining Barnyard, is clearly the book's shining moment. This is the reason I read "Snort 2.1": Barnyard's author, Andrew Baker, describes Barnyard's history, the format of unified logs, and how best to use his contribution to Snort. Bravo. Ch 12 was also very good, using case studies to compare three different "active response" choices. Ch 13 was new but not exceptionally helpful.
I would enjoy seeing three improvements in the third edition. First, thoroughly scrub the book for old information. Watch out for people writing about "Cerebus" or http_decode or offerings from Silicon Defense, whose Web site disappeared in early 2004. Second, tell people to read the excellent Snort manual before reading the book. There's no need to address topics well-covered in the manual, like all of the IP- and TCP-based rule options. Third, ditch the existing rules chapter in favor of two new ones, one explaining principles via existing rules, and one showing advanced rule development.
I still recommend buying this book, but you might guide your reading choices by the comments in this review.