Most security practitioners have heard of Sourcefire or its open source network intrusion prevention system, Snort. For those who haven't, Snort can be used to analyze traffic in real time, perform
Requires Free Membership to View
SearchSecurity.com members gain immediate and unlimited access to breaking industry news, virus alerts, new hacker threats, highly focused security newsletters, and more -- all at no cost. Join me on SearchSecurity.com today!
Michael S. Mimoso, Editorial Director
packet logging, protocol analysis and much more. It's especially useful in detecting a wide variety of attacks and probes, including buffer overflows, stealth port scans and CGI attacks. In fact, this freeware tool is so capable, it's not a stretch to say that Snort is one of the best network-based intrusion detection systems (IDS), free or otherwise. Let's take a closer look at why Snort's network intrusion prevention capabilities really blow away (ahem) the competition.
 |
||||
|
|
|||
|
||||
Snort is typically deployed as a sensor on a mirrored switch port, or off a tap, behind the firewall but in front of the high value servers that need protection. Taps replicate data right off the wire, but most practitioners will opt for an available span port on a switch (or even use a hub). A word of caution if you do use this approach: do not overload the capacity of the span port, or dropped packets will never make it to the Snort sensor.
And as a bonus, since manually reviewing logs can be tiresome, administrators can use a third-party GUI, like Basic Analysis and Security Engine (BASE) to query and analyze the alerts that come from Snort. BASE makes use of user authentication and role-based management, helping the IDS administrator decide what and how much additional information users can see, essentially making Snort more user-friendly.
**Scott Sidel, CISSP, is an Information Systems Security Officer (ISSO) for Lockheed Martin.
More information:
This was first published in February 2007