RE: snort.org recommended reading? (was Re: General Snort Help!)

["Hicks, John" <JHicks () JUSTICE GC CA>]

The 2 folowing books from Stephen Northcut et al (SANS/GIAC) are among my
top recommendations, mainly because it focuses on ID/IA, not just Snort. It
goes over logs from many devices as are usually found, however, it still
provides most examples in Snort format as it's most common.

Intrusion Signatures and Analysis
http://www.amazon.com/exec/obidos/tg/detail/-/0735710635/ref=pd_bxgy_text_1/
104-5618746-4066301?v=glance&s=books

Network Intrusion Detection (3rd Edition)
http://www.amazon.com/exec/obidos/tg/detail/-/0735712654/ref=pd_sim_books_1/
104-5618746-4066301?v=glance&s=books

cheers,
John

-----Original Message-----
From: twig les [mailto:twigles () yahoo com]
Sent: Tuesday, January 21, 2003 11:36 PM
To: Erek Adams; Lorraine Cannavale
Cc: 'snort-users () lists sourceforge net'
Subject: snort.org recommended reading? (was Re: [Snort-users] General
Snort Help!)


I was reading this message and thinking that maybe it
would be a good idea for snort.org to have a little
tab under the /docs page for recommended reading
(books).  I didn't want to suggest it since snort
developers may not want to seem to endorse certain
authors, but then Ereks reply named 4 books, the first
3 which had popped into my head.  Specifically the two
Northcutts and the Stevens books.

Just a thought.


--- Erek Adams <erek () snort org> wrote:
> On Tue, 21 Jan 2003, Lorraine Cannavale wrote:
>
> > Hello, I am very new at the whole Intrusion
> Detection Process and especially
> > snort.
> > There is a network administrator here that has
> installed an IDS utilizing
> > snort, etc and is responsible for maintaining the
> system.
> > I was hired by the Security Administrator to help
> monitor the alerts on a
> > daily basis, analyze the data, and help reduce the
> false positives.
> > So, I have the easy job, but I'm having major
> difficulties understanding
> > what the alerts actually mean and deciphering what
> is a false positive, true
> > intrusion, or just an informational alert.  I have
> read the Snort user
> > manual, understand how to read the rules, and have
> found some information on
> > the alerts, but it is still confusing to me.
> >
> > Can anyone recommend additional resources that
> would help me (books, on-line
> > manuals, or web sites)?
> > I've read emails from the Snort mailing list and
> this all seems to make a
> > lot of sense to everyone else, I'm curious how you
> all obtained your
> > knowledge and if there is anything you can share
> with me!?
>
> [...snip...]
>
> In my opinion, in order of need/usefulness:
>
> TCP/IP Illustrated, Volume 1 The Protocols by W.
> Richard Stevens
>      ISBN 0201633469
>
> Network Intrusion Detection An Analyst's Handbook by
>  Stephen Northcutt
>      ISBN 0735708681
>
> Intrusion Signatures and Analysis by Stephen
> Northcutt
>      ISBN 0735710635
>
> Intrusion Detection by Rebecca G. Bace
>      ISBN 1578701856
>
> The rest....  Well, just get on a .edu network and
> learn.  ;-)
>
> Hope that's of some help!
>
> -----
> Erek Adams
>
>    "When things get weird, the weird turn pro."  
> H.S. Thompson
-------------------------------------------------------
> This SF.net email is sponsored by: Scholarships for
> Techies!
> Can't afford IT training? All 2003 ictp students
> receive scholarships.
> Get hands-on training in Microsoft, Cisco, Sun,
> Linux/UNIX, and more.
> www.ictp.com/training/sourceforge.asp
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or
> unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Know yourself and know your enemy and you will never fear defeat.         
-----------------------------------------------------------

__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This SF.net email is sponsored by: Scholarships for Techies!
Can't afford IT training? All 2003 ictp students receive scholarships.
Get hands-on training in Microsoft, Cisco, Sun, Linux/UNIX, and more.
www.ictp.com/training/sourceforge.asp
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
This SF.NET email is sponsored by:
SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users