With so much free documentation available, the market for books on free software and open source software is always dicey. However, when I am looking to get an in-depth knowledge of some utility, there's no substitute for a nice textbook to carry around and pore over when not at the computer. Also, some books are great to use as a reference.
Therefore, the barrier for acceptance is higher for books on open source. Quite honestly, I never would have thought it worth my while to purchase a book on only snort. Surprisingly, this "Intrusion Detection with Snort" is well written and it does make for an interesting read.
The first section of the first chapter is aimed at those in the general audience who are interested in security. The later sections give some theory on how snort (and intrusion detection in general) is supposed to work.
Even though I had a working version of snort already, I found this interesting and useful, as I had just installed snort from a package and not thought about how it was supposed to work. It's always good to have a general idea of how and why one's tools are supposed to work.
The next chapter talks about installation of snort. Although I had snort installed already, this was still helpful as it had a section on troubleshooting. When I had installed this package I never checked to see if it was installed properly. Additionally, it teaches some snort tricks such as running snort on multiple network interfaces and running snort in stealth mode. This chapter also talks about the different modes that snort can run in. Since I was using this as a simple logger which worked out of the box, I had no idea that it could run in different modes.
The next chapter gets into the snort nitty-gritty, discussing snort rules. This chapter is for hard-core users, those users who need to know how to write their own snort rules. For the most part, I'd suggest just using the default rules. Still, this chapter greatly enhances the value of this book as a reference. I think that the placement of this chapter is odd, though. It would work better as an appendix.
The fourth chapter was much more useful to the average user: it talks about snort modules, which control what is done with packets detected by snort; it is the heart of snort configuration, and what makes it such a flexible intrusion detection system.
The next chapter explains how to make snort log to a mysql database, which was the first chapter that I found to be very useful in my own work. Like the first chapter, the information is detailed and well-written, telling the beginner enough about mysql to get started, which makes the book useful for more than just learning snort.
The last chapter seems to be like the crescendo that the book is building up to: "Using ACID". This shows how one can view snort logs stored in a mysql database with a web browser. It also discusses alternate tools such as snort snarf, which is a simpler approach to making snort logs available on the web.
The appendices add a lot of value to the book beyond an initial read to learn what snort can do and how to implement it. There are introductions to tcpdump, mysql, and header formats.
All in all, this book is useful for sysadmins who are serious about deploying snort in secure environments. Casual users of snort can find enough documentation online that they won't need this book unless they wish to delve deeper into the world of snort. The book is aimed at a mid-level sysadmin. More experienced users will find themselves reading through a lot of information that they already know before getting to the book's real chestnuts, but there are points of interest for everyone save for the most hard-core snort experts.