• List Price: CDN$ 51.86
  • You Save: CDN$ 10.57 (20%)
Temporarily out of stock.
Order now and we'll deliver when available. We'll e-mail you with an estimated delivery date as soon as we have more information. Your account will only be charged when we ship the item.
Ships from and sold by Amazon.ca. Gift-wrap available.
Snort Cookbook has been added to your Cart
+ CDN$ 6.49 shipping
Used: Like New | Details
Condition: Used: Like New
Comment: Our books ship from the USA and delivery time is 2 to 3 weeks.  Straight spine with no creases. Cover has no damage and pages show little wear. With pride from Motor City. All books guaranteed.
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 2 images

Snort Cookbook Paperback – Apr 8 2005

See all 3 formats and editions Hide other formats and editions
Amazon Price
New from Used from
Kindle Edition
"Please retry"
"Please retry"
CDN$ 41.29
CDN$ 29.96 CDN$ 0.45

Harry Potter and the Cursed Child
click to open popover

Special Offers and Product Promotions

  • You'll save an extra 5% on Books purchased from Amazon.ca, now through July 29th. No code necessary, discount applied at checkout. Here's how (restrictions apply)

No Kindle device required. Download one of the Free Kindle apps to start reading Kindle books on your smartphone, tablet, and computer.
Getting the download link through email is temporarily not available. Please check back later.

  • Apple
  • Android
  • Windows Phone
  • Android

To get the free app, enter your mobile phone number.

Product Details

  • Paperback: 288 pages
  • Publisher: O'Reilly Media; 1 edition (April 8 2005)
  • Language: English
  • ISBN-10: 0596007914
  • ISBN-13: 978-0596007911
  • Product Dimensions: 17.8 x 1.8 x 23.3 cm
  • Shipping Weight: 440 g
  • Average Customer Review: Be the first to review this item
  • Amazon Bestsellers Rank: #2,005,925 in Books (See Top 100 in Books)
  •  Would you like to update product info, give feedback on images, or tell us about a lower price?

  • See Complete Table of Contents

Product Description

About the Author

Angela Orebaugh is an information security technologist, scientist, and author with a broad spectrum of expertise in information assurance. She synergizes her 15 years of hands-on experiences within industry, academia, and government to advise clients on information assurance strategy, management, and technologies.

Ms. Orebaugh is involved in several security initiatives with the National Institute of Standards and Technology (NIST), including technical Special Publications (800 series), the National Vulnerability Database (NVD), Security Content Automation Protocol (SCAP) project, and secure eVoting.

Ms. Orebaugh is an Adjunct Professor for George Mason University where she performs research and teaching in intrusion detection and forensics. She developed and teaches the Intrusion Detection curriculum, a core requirement for the Forensics program in the Department of Electrical and Computer Engineering. Her current research interests include peer-reviewed publications in the areas of intrusion detection and prevention, data mining, attacker profiling, user behavior analysis, and network forensics.

Ms. Orebaugh is the author of the Syngress best seller's Nmap in the Enterprise, Wireshark and Ethereal Network Protocol Analyzer Toolkit, and Ethereal Packet Sniffing. She has also co-authored the Snort Cookbook, Intrusion Prevention and Active Response, and How to Cheat at Configuring Open Source Security Tools. Angela is a frequent speaker at a variety of security conferences and technology events, including the SANS Institute and The Institute for Applied Network Security.

Ms. Orebaugh holds a Masters degree in Computer Science and a Bachelors degree in Computer Information Systems from James Madison University. She is currently completing her dissertation for her Ph.D. at George Mason University, with a concentration in Information Security.

Simon Biles is currently Director of Thinking Security Ltd. an Information Security Consultancy based near Oxford in the UK. The company deals with all aspects of InfoSec from Incident Response and Forensics through to ISO 27001 work. He is currently studying for his MSc in Forensic Computing at Shrivenham with Cranfield University. He holds a CISSP, is Certified as an ISO17799 Lead Auditor, is a Chartered IT Professional with the British Computer Society and is also a member of F3 - the UK's First Forensic Forum. Currently he is involved in a project to define and support best practices in Forensics - you can find out more about this at the Open Forensics Group.

Jake Babbin works as a contractor with a government agency filling the role of Intrusion Detection Team Lead. He has worked in both private industry as a security professional and in government space in a variety of IT security roles. He is a speaker at several IT security conferences and is a frequent assistant in SANS Security Essentials Bootcamp, Incident Handling and Forensics courses. Jake lives in Virginia.

Customer Reviews

There are no customer reviews yet on Amazon.ca
5 star
4 star
3 star
2 star
1 star

Most Helpful Customer Reviews on Amazon.com (beta)

Amazon.com: HASH(0xa0ca0b34) out of 5 stars 5 reviews
24 of 25 people found the following review helpful
HASH(0xa0cce600) out of 5 stars Good information overshadowed by outdated or poor advice Aug. 9 2005
By Richard Bejtlich - Published on Amazon.com
Format: Paperback
I read the Snort Cookbook because I am always trying to learn more about Snort. I've read almost every book on the open source intrusion detection system, so I hoped the Snort Cookbook might offer advice not found elsewhere. Unfortunately, whatever good material appears in the book is overshadowed by outdated or outright bad advice. The best Snort book is still Syngress' Snort 2.1, so I recommend reading that title.

The Snort Cookbook starts poorly with ch 1, which at 50 pages is the book's largest. After repeating installation instructions covered in online resources, the book turns to dubious packet collection recommendations. Item 1.10 suggests creating a listen-only Ethernet cable but never mentions disabling ARP traffic with ifconfig's -arp option. Item 1.11 describes how to build a homebrew tap but doesn't address signal regeneration problems that could result in traffic loss.

Item 1.12 gives terrible advice: "If your Snort machine has only one network interface, using the passive tap, run both lines to a small hub. Then from another port of the hub, run a cable to your IDS. This will combine and maybe even buffer the traffic for the IDS and give a full duplex connection." Wrong -- this is a nice way to never see traffic when full-duplex packets from the two transmit lines collide in the hub.

Item 1.14 says "Snort itself is incapable of sniffing a wireless network," but it ignores the fact that while Snort doesn't understand 802.11 traffic, the sensor can join a wireless network and interpret what it sees. Item 1.15 demonstrates more ignorance of hardware issues by saying "Linux-compatible gigabit Ethernet cards are available with up to six ports. Coupled with machines that have space for three or four PCI cards, you could have as many as 24 Ethernet ports." This suggestion completely ignores the fact that a single gigabit NIC will saturate a 32 bit, 33 MHz PCI bus, and many BIOS will not be able to handle interrupts from more than about 8 NICs in a PC.

Item 1.25 says "two to four million records is the max for MySQL," which is odd. One MySQL database I use to collect session data on Sguil has over 31 million records. Item 1.25 also covers the often-repeated and incredibly naive method of having Snort log directly to a database, without utilizing Barnyard as an intermediary. Thankfully we see Barnyard covered in ch 2, but recommended for "high-speed network[s], such as 1 Gbps or greater." Barnyard is definitely appropriate when monitoring at less than gigabit speeds.

Throughout the book, the obsolete ACID Web-based alert console appears. BASE has been available since October 2004; it addresses stale code problems in ACID and should have been covered. I was disappointed to see the Sguil suite mentioned but never given any discussion, even though the older Snort 2.1 book introduces using Sguil. Item 4.2 mentions "RST scans" even though they are a fiction of one security researcher's imagination. Item 6.6 claims to offer ways to test Snort by showing three programs (Snot, Sneeze, Stick) that have had little effect on modern Snort implementations (e.g., 2001 on).

On the positive side, in many cases the Snort Cookbook properly addresses questions which frequently appear on the snort-users mailing list. Items 2.15 and 2.16 show how to send Snort alerts to email, a pager, or cell phone using Syslog and Swatch. Item 3.2 discusses rule updates with Oinkmaster. Rule issues in ch 3 were generally helpful, like dynamic rules (3.4), evasion issues (3.10), optimization (3.13), and even Spade (3.18). Perfmon coverage in items 4.6 and 7.0 help discover how well Snort is working. I also liked the policy-based IDS ideas in item 7.5.

The back cover of the Snort Cookbook says the book "can save you countless hours of sifting through dubious online advice or wordy tutorials." That online advice is frequently more correct than what appears in this book. While some of the book is helpful, often that material has already been introduced in online documentation or best covered in Syngress' Snort 2.1. Perhaps a second edition will address the concerns in this review and produce a more useful cookbook for future readers.
5 of 6 people found the following review helpful
HASH(0xa0cce654) out of 5 stars rules are the core of Snort April 24 2005
By W Boudville - Published on Amazon.com
Format: Paperback
The core of this book is the chapter on Rules and Signatures. Snort is renowned for its rule language and its vast flexibility. It is a reasonably high level "script" that seems more declarative than procedural. Ok, I'm speaking a little figuratively, but if you scan the rules, you might see what I mean. The chapter explains how to build rules of varying levels of complexity, depending on your needs. One neat trait is the profuse range of options for detecting traffic around the machine running Snort.

Of course and inevitably, the default rules base has grown and it is regularly updated. Currently, these defaults number some 3000, and few sysadmins have the expertise to understand all of them. So one recipe tells you how to get and run an updater program (Oinkmaster). Though you are cautioned about letting it change your rules automatically.

Other recipes expand upon the rule scope in interesting ways, like looking for p2p or Instant Messaging traffic. You might be responsible for a corporate network that bans these, perhaps. Here is a simple way to show a supervisor how you can stay on top of the problem.
2 of 3 people found the following review helpful
HASH(0xa0ccea8c) out of 5 stars Snort Cookbook a second glance! Sept. 28 2005
By PcolaLUG - Published on Amazon.com
Format: Paperback
Snort Cookbook O'reilly

by: Orebaugh, Biles & Babbin

What can I say designing a reliable detection system is a challenge at best.

This book makes it seem easy! I thought this was the best layout of a tech.book I have ever saw.

Problem > Solution > Discussion. they gave you the information in a precise way with out overloading you

with material you did not need. The Rules section was espcially useful...

The only downside is I wanted to see more on rules with samples.

Overall this was a very useful Book. I already had snort in place this made it much more useful.

Brett Hoff
0 of 2 people found the following review helpful
HASH(0xa0ccee4c) out of 5 stars Good but not a tutorial May 20 2005
By Anthony Lawrence - Published on Amazon.com
Format: Paperback
Actually, probably everything you'd need for a tutorial is in here; it just isn't put in one place up front. Therefor, for someone totally unfamiliar with Snort, the sudden jump from installation to cook-book recipes may be confusing and unsettling.

As there is plenty of material at [...] and as getting Snort running isn't all that complicated anyway, that's not a major flaw.

Like another reviewer here, I think the rules sections are probably the best part of the book, though I was also impressed by the attention given to the specifics of Windows and Mac OS X - it's nice to see that level of completeness.
0 of 12 people found the following review helpful
HASH(0xa0ccef30) out of 5 stars It's a Rough World Out There May 25 2005
By John Matlock - Published on Amazon.com
Format: Paperback
When the Internet was being set up, who could have possibly believed just how unfriendly a place it was going to be out there. After all, it was just a concept where scientists could exchange papers. Even if you would have told the original developers where it was going to go they would have just laughed at you.

Anyway, Snort is another tool in stopping the bad guys from coming into your system. In particular it is an intrusion detector. Note the word detector. Snort monitors your system to see what's happening. It is not an anti-virus like program that detects, quarantines, deletes, etc. an infected file. Instead it watches what is going on in the system and looks for behavior that is outside the rules.

Snort watches, records and reports on what the systems in you network might be doing. On a big network, running Snort could well be a full time job. It can produce volumes of information. Some of this information regarding your employees might be considered spying on them, there are also some words (a few more wouldn't hurt) on what you can do to outsiders vs. your own people.