Most security practitioners have heard of Sourcefire or its open source network intrusion prevention system, Snort. For those who haven't, Snort can be used to analyze traffic in real time, perform packet logging, protocol analysis and much more. It's especially useful in detecting a wide variety of attacks and probes, including buffer overflows, stealth port scans and CGI attacks. In fact, this freeware tool is so capable, it's not...
a stretch to say that Snort is one of the best network-based intrusion detection systems (IDS), free or otherwise. Let's take a closer look at why Snort's network intrusion prevention capabilities really blow away (ahem) the competition.
Snort is a rule-based intrusion detection system, which means that Snort compares incoming (or outgoing) traffic to known rules (or signatures) that represent hostile payloads (i.e. hostile intent). If the traffic matches against a rule, the traffic is flagged and the console operator is alerted. Sourcefire subscribers have the ability to receive rules when they are available, or they can opt to receive them every five days. It's worth mentioning however that although Snort and its rules are free, getting up-to-the minute rules requires a reasonable annual fee.
Snort is typically deployed as a sensor on a mirrored switch port, or off a tap, behind the firewall but in front of the high value servers that need protection. Taps replicate data right off the wire, but most practitioners will opt for an available span port on a switch (or even use a hub). A word of caution if you do use this approach: do not overload the capacity of the span port, or dropped packets will never make it to the Snort sensor.
And as a bonus, since manually reviewing logs can be tiresome, administrators can use a third-party GUI, like Basic Analysis and Security Engine (BASE) to query and analyze the alerts that come from Snort. BASE makes use of user authentication and role-based management, helping the IDS administrator decide what and how much additional information users can see, essentially making Snort more user-friendly.
**Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin.
- Check out SearchSecurity.com's Snort Technical Guide.
- Read Sidel's previous review: Comodo Firewall: An intelligent way to protect against application attacks.