Saturday, 22 September 2007

Review of Snort IDS and IPS Toolkit and One Prereview

Amazon.com just posted my three star review of Snort IDS and IPS Toolkit. From the review:

Syngress published "Snort 2.0" in Mar 03, and I gave it a four star review in Jul 03. Syngress followed with "Snort 2.1" in May 04, and I gave it a four star review in Jul 04. I recommend reading those reviews, since the latest edition -- "Snort IDS and IPS Toolkit" (SIAIT) -- makes many of the same mistakes as its predecessors. Worse, it includes material that was already outdated in BOTH previous editions. If you absolutely must buy a book on Snort, this edition is your only real choice. Otherwise, I would stick with the manual and online articles.

SIAIT looks impressive page-wise, but it suffers from the multiple-author, no-editing, rush-to-production problems unfortunately inherent in many Syngress titles. One would think that including many contributing authors (11, apparently) would make for a strong book. In reality, the book contributes very little beyond what appears in "Snort 2.1," despite the fact that "only" chapters 8, 10, 11, and 13 appear to be repeats or largely rehashes of older material. Comparing to "Snort 2.1," these compare to old chapters 7, 10, 12, and 11, respectively.

The absolute worst part of this book is the re-introduction of all the outdated information in chapters 8 and 10. It is 2007 and we are STILL reading on p 353 that XML output is "our favorite and relatively new logging format" and on p 367 that "Unified logs are the future of Snort reporting." (I cited both of these as being old news in Jul 04!) I should note that these chapters are not entirely duplicates; if you compare output such as that on page 335 of "Snort 2.1" with page 365 in SIAIT you'll see the author replaced the original 2003 timestamps with 2006! This is the height of lazy publishing. Chapter 10 features similar tricks, where traffic is the same except for global replacements of IP addresses and timestamps; notice the ACK numbers are still the same and the test uses Snort 1.8.

You can read my reviews of Snort 2.1 and Snort 2.0 for reference. If I see Syngress publish another Snort book based on this line of material, I won't bother next time.

On a more positive note, thank you to O'Reilly for sending me a review copy of Security Power Tools. This book looks like it deserves a grunt from Tim the Toolman Taylor. The book appears to have lots of useful information, although why in Pete's name is there a chapter (11) on BO2k? Let it die, already. It's 2007.
