SCOTT SIDEL'S DOWNLOADS
Snort: A capable network intrusion prevention tool
Scott Sidel
01.19.2007
Rating: -3.50- (out of 5)
|
Most security practitioners have heard of Sourcefire or its open source network intrusion prevention system, Snort. For those who haven't, Snort can be used to analyze traffic in real time, perform packet logging, protocol analysis and much more. It's especially useful in detecting a wide variety of attacks and probes, including buffer overflows, stealth port scans and CGI attacks. In fact, this freeware tool is so capable, it's not a stretch to say that Snort is one of the best network-based intrusion detection systems (IDS), free or otherwise. Let's take a closer look at why Snort's network intrusion prevention capabilities really blow away (ahem) the competition.
Snort is a rule-based intrusion detection system, which means that Snort compares incoming (or outgoing) traffic to known rules (or signatures) that represent hostile payloads (i.e. hostile intent). If the traffic matches against a rule, the traffic is flagged and the console operator is alerted. Sourcefire subscribers have the ability to receive rules when they are available, or they can opt to receive them every five days. It's worth mentioning however that although Snort and its rules are free, getting up-to-the min
To continue reading for free, register below or login
To read more you must become a member of SearchSecurity.com
ute rules requires a reasonable annual fee.
Snort is typically deployed as a sensor on a mirrored switch port, or off a tap, behind the firewall but in front of the high value servers that need protection. Taps replicate data right off the wire, but most practitioners will opt for an available span port on a switch (or even use a hub). A word of caution if you do use this approach: do not overload the capacity of the span port, or dropped packets will never make it to the Snort sensor.
And as a bonus, since manually reviewing logs can be tiresome, administrators can use a third-party GUI, like Basic Analysis and Security Engine (BASE) to query and analyze the alerts that come from Snort. BASE makes use of user authentication and role-based management, helping the IDS administrator decide what and how much additional information users can see, essentially making Snort more user-friendly.
**Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin.
More information:
Check out SearchSecurity.com's Snort Technical Guide.
Read Sidel's previous review: Comodo Firewall: An intelligent way to protect against application attacks.
|
|
Rate this Tip
|
To rate tips, you must be a member of SearchSecurity.com.
Register now
to start rating these tips. Log in if you are already a member.
|
DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.
|
|
|
|
|
|
|
