Snort: A capable network intrusion prevention tool


Scott Sidel
01.19.2007
Most security practitioners have heard of Sourcefire or its open source network intrusion prevention system, Snort. For those who haven't, Snort can be used to analyze traffic in real time, perform packet logging, protocol analysis and much more. It's especially useful in detecting a wide variety of attacks and probes, including buffer overflows, stealth port scans and CGI attacks. In fact, this freeware tool is so capable, it's not a stretch to say that Snort is one of the best network-based intrusion detection systems (IDS), free or otherwise. Let's take a closer look at why Snort's network intrusion prevention capabilities really blow away (ahem) the competition.

Snort is a rule-based intrusion detection system, which means that Snort compares incoming (or outgoing) traffic against known rules (or signatures) that describe hostile payloads, i.e. hostile intent. If the traffic matches a rule, it is flagged and the console operator is alerted. Sourcefire subscribers can receive new rules as soon as they are available, or they can opt to receive them every five days. It's worth mentioning, however, that although Snort and its rules are free, getting up-to-the-minute rules requires a reasonable annual fee.
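To make the rule-matching idea concrete, here is a toy matcher that reads a couple of rules written in Snort's familiar header-plus-options syntax and runs them over a handful of constructed packets. This is an added illustration, not Snort's own code: the `$HOME_NET` values, the rule messages, the SIDs in the local range and the packets are all made up, the option parser does not handle quoted semicolons, and only the `content`/`nocase` options are honoured. What it shows is the part of the article's sentence that matters: a rule is a header (action, protocol, addresses, ports) plus a payload pattern, and a packet generates an alert only when both parts match.

```python
import re
from dataclasses import dataclass

# Constructed equivalent of "var HOME_NET ..." in snort.conf (assumed addresses).
VARS = {"$HOME_NET": {"10.0.0.5", "10.0.0.6"}}


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


# Rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_options(text):
    """Split 'key:value; flag;' options into a dict; quoted values lose their quotes.
    Simplification: a ';' inside a quoted value is not supported here."""
    opts = {}
    for item in text.split(";"):
        item = item.strip()
        if not item:
            continue
        if ":" in item:
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:
            opts[item] = True  # bare modifier such as nocase
    return opts


def parse_rule(line):
    m = RULE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable rule: {line}")
    rule = m.groupdict()
    rule["opts"] = parse_options(rule["opts"])
    return rule


def decode_content(spec):
    """Snort content strings mix literal text with |hex bytes| sections."""
    out = bytearray()
    for i, chunk in enumerate(spec.split("|")):
        out += chunk.encode() if i % 2 == 0 else bytes.fromhex(chunk)
    return bytes(out)


def addr_matches(spec, ip):
    if spec == "any":
        return True
    if spec in VARS:
        return ip in VARS[spec]
    return spec == ip


def port_matches(spec, port):
    if spec == "any":
        return True
    if ":" in spec:  # range such as 1:1023 or 1024:
        lo, hi = spec.split(":")
        return int(lo or 0) <= port <= int(hi or 65535)
    return int(spec) == port


def rule_matches(rule, pkt):
    """Header fields first (cheap), then the payload content check."""
    if rule["proto"] != pkt.proto:
        return False
    if not (addr_matches(rule["src"], pkt.src_ip) and port_matches(rule["sport"], pkt.src_port)):
        return False
    if not (addr_matches(rule["dst"], pkt.dst_ip) and port_matches(rule["dport"], pkt.dst_port)):
        return False
    content = rule["opts"].get("content")
    if content is not None:
        needle, hay = decode_content(content), pkt.payload
        if rule["opts"].get("nocase"):
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True


def run_sensor(rule_lines, packets):
    """Return one alert line per (packet, rule) match, in packet order."""
    rules = [parse_rule(r) for r in rule_lines]
    alerts = []
    for pkt in packets:
        for rule in rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt):
                alerts.append(f'[{rule["opts"]["sid"]}] {rule["opts"]["msg"]} '
                              f'{pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port}')
    return alerts


# Constructed rules (local SID range) and constructed packets for the demonstration.
RULES = [
    'alert tcp any any -> $HOME_NET 80 (msg:"WEB-CGI probe for cgi-bin script"; content:"/cgi-bin/"; nocase; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 1:1023 (msg:"NOP sled in payload to privileged port"; content:"|90 90 90 90|"; sid:1000002;)',
]
PACKETS = [
    Packet("tcp", "192.0.2.10", 40000, "10.0.0.5", 80, b"GET /CGI-BIN/test.cgi HTTP/1.0\r\n"),  # alert: nocase
    Packet("tcp", "192.0.2.10", 40001, "10.0.0.5", 80, b"GET /index.html HTTP/1.0\r\n"),       # benign
    Packet("tcp", "192.0.2.10", 40002, "10.0.0.9", 80, b"GET /cgi-bin/x HTTP/1.0\r\n"),        # not in $HOME_NET
    Packet("udp", "192.0.2.10", 40003, "10.0.0.5", 80, b"/cgi-bin/"),                          # wrong protocol
    Packet("tcp", "192.0.2.11", 40004, "10.0.0.6", 21, b"USER " + b"\x90" * 8 + b"\r\n"),      # alert: hex content
]

if __name__ == "__main__":
    for line in run_sensor(RULES, PACKETS):
        print(line)
```

The third and fourth packets carry the suspicious string but produce no alert, because the destination is outside `$HOME_NET` or the protocol differs; this is why a sensor's variable definitions matter as much as its rule set, and why a span port that silently drops packets (see the deployment note below) removes events before any of this matching can happen.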

Snort is typically deployed as a sensor on a mirrored switch port, or off a tap, behind the firewall but in front of the high-value servers that need protection. Taps replicate data right off the wire, but most practitioners will opt for an available span port on a switch (or even use a hub). A word of caution if you take this approach: do not exceed the span port's capacity, because packets the switch drops never reach the Snort sensor and are never inspected.

As a bonus, since manually reviewing logs can be tiresome, administrators can use a third-party GUI such as Basic Analysis and Security Engine (BASE) to query and analyze the alerts that Snort produces. BASE provides user authentication and role-based management, helping the IDS administrator decide what, and how much, additional information users can see, which makes Snort considerably more user-friendly.

Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin.
