Tip

Snort: A capable network intrusion prevention tool

Most security practitioners have heard of Sourcefire or its open source network intrusion prevention system, Snort. For those who haven't, Snort can be used to analyze traffic in real time, perform packet logging, protocol analysis and much more. It's especially useful in detecting a wide variety of attacks and probes, including buffer overflows, stealth port scans and CGI attacks. In fact, this freeware tool is so capable, it's not a stretch to say that Snort is one of the best network-based intrusion detection systems (IDS), free or otherwise. Let's take a closer look at why Snort's network intrusion prevention capabilities really blow away (ahem) the competition.

Snort is a rule-based intrusion detection system, which means that Snort compares incoming (or outgoing) traffic to known rules (or signatures) that represent hostile payloads (i.e. hostile intent). If the traffic matches a rule, the traffic is flagged and the console operator is alerted. Sourcefire subscribers can receive rules as soon as they are available, or they can opt to receive them every five days. It's worth mentioning, however, that although Snort and its rules are free, getting up-to-the-minute rules requires a reasonable annual fee.
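The rule-matching model described above, as an added example that is not Snort's own code: a small Python matcher that parses one Snort-style rule (header plus content/nocase options) and flags the sample packets that hit it. The rule, its sid and the packets are constructed for this example.

```python
import ipaddress
# Constructed sample rule in Snort's classic one-line syntax (not from the article or
# the Snort ruleset). Layout: action proto src sport -> dst dport (option; option; ...)
RULE = ('alert tcp any any -> 10.0.0.0/8 80 '
        '(msg:"constructed CGI probe"; content:"/cgi-bin/probe"; nocase; sid:1000001;)')

def parse_rule(rule):
    """Split a one-line Snort rule into its header fields and an option dict."""
    header, _, opts = rule.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    options = {}
    for opt in opts.rstrip(")").split(";"):
        key, _, value = opt.strip().partition(":")
        if key:  # flag options such as nocase carry no value
            options[key] = value.strip('"') if value else True
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "options": options}

def matches(rule, pkt):
    """True if the packet hits the rule header (proto, CIDR, ports) and its content test."""
    if pkt["proto"] != rule["proto"]:
        return False
    for net, ip, port, have in ((rule["src"], pkt["src"], rule["sport"], pkt["sport"]),
                                (rule["dst"], pkt["dst"], rule["dport"], pkt["dport"])):
        if net != "any" and ipaddress.ip_address(ip) not in ipaddress.ip_network(net):
            return False
        if port != "any" and int(port) != have:
            return False
    needle = rule["options"].get("content")
    if needle is None:  # header-only rule
        return True
    payload = pkt["payload"]
    if rule["options"].get("nocase"):
        payload, needle = payload.lower(), needle.lower()
    return needle in payload

# Constructed sample traffic; "payload" is the application-layer data as text.
PACKETS = [
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51514, "dst": "10.1.2.3", "dport": 80,
     "payload": "GET /CGI-BIN/probe?x=1 HTTP/1.0\r\n"},  # hits: mixed case, nocase set
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51515, "dst": "10.1.2.3", "dport": 80,
     "payload": "GET /index.html HTTP/1.0\r\n"},  # benign request
    {"proto": "tcp", "src": "203.0.113.5", "sport": 51516, "dst": "192.0.2.9", "dport": 80,
     "payload": "GET /cgi-bin/probe HTTP/1.0\r\n"},  # destination outside 10.0.0.0/8
]

def run_sensor(rules, packets):
    """Flag each packet that matches a rule: (sid, msg, src, dst) per alert."""
    return [(r["options"]["sid"], r["options"]["msg"], p["src"], p["dst"])
            for p in packets for r in rules if matches(r, p)]
```

Only the first packet is flagged: the second carries no matching content and the third is bound for a host outside the protected 10.0.0.0/8 range in the rule header.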

Snort is typically deployed as a sensor on a mirrored switch port, or off a tap, behind the firewall but in front of the high value servers that need protection. Taps replicate data right off the wire, but most practitioners will opt for an available span port on a switch (or even use a hub). A word of caution if you do use this approach: do not overload the capacity of the span port, or dropped packets will never make it to the Snort sensor.

And as a bonus, since manually reviewing logs can be tiresome, administrators can use a third-party GUI, like Basic Analysis and Security Engine (BASE) to query and analyze the alerts that come from Snort. BASE makes use of user authentication and role-based management, helping the IDS administrator decide what and how much additional information users can see, essentially making Snort more user-friendly.

Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin.

More information:

  • Check out SearchSecurity.com's Snort Technical Guide.
  • Read Sidel's previous review: Comodo Firewall: An intelligent way to protect against application attacks.

This was first published in February 2007
