"Intrusion Detection with Snort: Advanced IDS, etc." (IDWS) was the second of this year's intrusion detection books I've reviewed. The first was Tim Crothers' "Implementing Intrusion Detection Systems" (4 stars). I was disappointed by IDWS, since I have a high opinion of Prentice Hall and the new "Bruce Perens' Open Source Series." (I'm looking forward to the book on CIFS, for example.) IDWS read poorly and doesn't deliver as much useful content as the competing Syngress book "Snort 2.0."
The most difficult aspect of reading IDWS is the author's grammar, particularly his avoidance of using definitive articles like "the", and other important words. For instance, p. 3 says "Apache web server takes help from ACID, etc." p. 133 claims "However, if you are using HTTP decode preprocessor, this attempt can detected." Beyond grammar, the author demonstrates weak knowledge of the IDS field, stating on p. 1 "Intrusion detection methods starting appearing in the last few years." James Anderson led the way in 1980, followed by Denning and Neumann in 1983 and Todd Heberlein in 1990! The author also repeatedly compares IDS to anti-virus signatures, which is simplistic and incorrect.
Technical errors further hamper IDWS. p. 89 makes the mistake of saying TCP sequence numbers count packets; they really count bytes of application data. p. 96-97 confuses the use of standard Boolean operators (AND, OR, NOT) with their use in Snort, which is different. (SF+ means SYN and FIN and zero or more other flags, not SYN AND FIN alone.) The fuzzy diagrams don't appear professional, and acronyms like "PHP" are defined incorrectly as "Pretty Home Page" (rather than the self-referencing "PHP Hypertext Processor.")
Coverage of important topics is lacking or outdated. First, Snort 1.9 is the basis for the text. However, 2.0 is available and covered by the Syngress book. The output system Barnyard and unified logging receive a total of one page. No meaningful mention is made of the effects of collecting traffic via hub, SPAN port, or tap. The port list on pp. 87-88 shows "well known ports," but doesn't say if they are TCP or UDP. The author makes odd claims about Snort "not [being] able to analyze application layer protocols," which is misleading. Snort rules aren't designed specifically for HTTP, for example, but they can be used to inspect HTTP requests and responses.
My favorite part of IDWS was the coverage of using the MySQL database. Appendix B provides helpful supplemental material on this subject also. Bottom line: I would pass on IDWS but keep an eye on the other titles in the PHPTR "Open Source Series."