The Snort Book

Finally got my copies of my book today from the publisher. (Only took them a month!) There are a lot of comments I could make about the book, positive and negative, but overall, it’s a great resource. In particular the preprocessors chapter (I know, I wrote it) has some good tuning steps and hints that you won’t find elsewhere.

Some chapters are better than others. Some chapters have errors in them (even mine! I mean, really, who begins a TCP conversation with a FIN, ACK? I swear, it was correct in the proof copy!)

I make mention of Stream5 in my chapter at one point, saying that we ‘took a peek at it’, even though I didn’t discuss it at all. At the time of writing Stream5 wasn’t out yet, so I couldn’t really put much in there about it since it was still in beta. I originally had some stuff in there about UDP session tracking being in Stream5, but I took it out. Hence why I “refer” back to it later.

I edited/rewrote another chapter in the book (which shall remain unknown for now), but none of my edits got in the book. When I asked the publisher why, turns out the publisher for this particular book quit in the middle of the book’s publication, so a lot of edits didn’t get in there. Hm... That sucks. Maybe they’ll do an edition two to add in that stuff.

I really like the book overall, I really liked the writing experience, however next time, if asked to write a book, or if I write my own book... I’d like more control over it. Our editors did a GREAT job with the task that was set before them. I wrote my chapter on my laptop on flights and in hotels. I always got interesting looks when people would look over in a plane and see me just going to TOWN on the keyboard. (You know how some people just work on Excel spreadsheets and what not, it’s always interesting to see people going nuts on their keyboard.)

Go buy the book. You’ll learn a lot. I promise. If you read the book, a lot of the most common questions are answered. If that doesn’t work, then pop into #snort on and ask your question, or pop onto the snort-users mailing list. Chances are, your question not only has been asked already, but we’ll get you the answer right away. See you online!

Addendum --

It was pointed out in a blog comment here that my title was neither “Director” nor did I “develop” an IDS at my last job. (As listed in my bio.) Both true. I’ll admit it. The commenter even went so far as to call me a LIAR. (Yes all in caps). Let me correct/clarify. As I most definitely didn’t mean to ‘lie’.

There was no such thing as “Director” in my last job. My title was “Section Manager”. Originally the title given me at my was “Section Lead”, however, in the politics that ensued after I was ‘promoted’ to the position, it was pointed out to me that “Lead” was reserved for Government employees. I was a contractor. When I sent my bio to a couple of people for proofread, I also sent it to the publisher because of a deadline we had to meet. When the people I sent it to for proofread pointed out “Director”, I said, ‘ah yes’ and emailed the publisher with the correction. Why did I write it in there? In my present job, the equivalent title of the position would have been Director. No one knows what ‘Section Manager’ is. It’s not a real title. ‘Manager’ is a real title, ‘Section Manager’ is one of those made up Government titles. What were my responsibilities? I attended a weekly ‘managers’ meeting, and compiled a weekly report of what the guys who ‘worked’ for me did. First of all, the guys that worked for me were on a different contract, so I couldn’t tell them what to do anyway. You didn’t get into our section unless you didn’t need to be managed. (You had to be self-sustainable.) So, the title really meant nothing. Second of all, no one had one boss. Working on one project, a friend named Jamey was the lead on; working for the section, I was the lead on; but then my contract lead (Joe) was my boss and wrote my reviews, except he didn’t give me my jobs, another person named Harry did that, his title was “Lead Contractor”, and he was everyone’s boss, but everyone reported to him directly. Then on top of all that, our Government rep at the office was our boss as well and she was over everyone. After I left, it just got worse with one more layer of boss in the middle there somewhere. As I said, the title didn’t mean much.

That’s what causes people to get other jobs. Some of the best employees I know have left that place because of all the politics.

As to the second point -- Developing an IDS. I did NOT develop an IDS. I DID develop an IDS system of tools that worked together (yes, of course, with some assistance from a couple of friends, mainly on the db side), for passive OS fingerprinting, full traffic capture, and then yes, the IDS. Which was Snort. I developed how the tools worked together, and automated all the pieces and parts to keep them all up and running on the multiple sensors I had. When I was asked to help develop the system that is currently in place on a much much larger scale at a sister office, I did. That system is still in place today exactly how I designed it (at the sister office).

The system I developed at my home office has been dismantled and pieced apart and not all the pieces on it are running anymore, mainly because no one knew how it all worked after I left. Why? I am not sure. It was all documented. The best comparison that I can make for the system I made is Sguil. Except without the Tcl/Tk frontend.

Did I write ‘Director’? Yes. I sure did. To make myself look better and over-inflated and to lie? No, that was not the intention. The intention was to convert my ‘made up’ title into a commercial equivalent. When it was pointed out to me, I did make the correction, and the correction wasn’t published. (add that to the list of things that didn’t get corrected)

Now, the thing that concerns me is, only a few people knew the exact nature of my title while at the RCERT, and out of those people, only a couple would be rude enough to try and bust me out publicly. On my own blog, no less. All of those people, both the people I think it is, and the rest of the people at the RCERT have my email address and could have written me an email telling me the deal. Everyone has my email address. Hell, it’s on the front page of this blog.

I didn’t appreciate it; even though you were correct, it was rude.
