Is intrusion detection the missing piece in your information security puzzle? Many organizations evaluate products like ISS RealSecure and the Cisco Intrusion-Detection System but choose not to implement them for financial reasons. Fortunately, there's an open source alternative -- Snort.
Snort was originally developed as a
Network intrusion-detection system. When ran in this mode, Snort is capable of detecting potential network intrusions using a rule-based intrusion-detection mechanism.
Packet sniffer. Snort's packet sniffing mode allows it to capture and display all network traffic to the administrator. It provides you with the flexibility to display either the entire packet or only certain header information. This can be quite useful when you need to view raw packets while troubleshooting network issues.
- Packet logger. If you'd like to log the activity to disk rather than have it scroll by on the screen, Snort's packet logging mode performs the same functionality as the packet sniffing mode but creates a traffic data file.
Of course, most people who download and install Snort do so to utilize its network intrusion detection capability. If you're taking advantage of the IDS capability, be certain that you update your rulebase frequently. Just as with an antivirus package, Snort's rules can quickly become dated. If you don't update your rulebase, you run the risk of a newly discovered attack sneaking by your IDS.
One of the greatest advantages (or disadvantages, depending upon your point of view!) to Snort is the fact that its open-source nature allows security professionals around the world to develop customized rules and contribute them to the community's knowledge. The Snort Web site always offers the most recent community consensus rulebase at http://www.snort.org/dl/rules/. You may either choose to download this rulebase as-is or fine-tune it to include threats specific to your own environment.
If you choose to install Snort, don't be deceived by the fact that it's very easy to get it up and running. Take the time to sit down and pick through the configuration files line-by-line. As with any security tool, if you don't have a thorough understanding of what makes Snort tick, you won't be able to effectively integrate it into your environment or interpret its output.
For more information on Snort or to download your own copy of the source code or binaries, visit http://www.snort.org.
About the author
Mike Chapple, CISSP, currently serves as Chief Information Officer of the Brand Institute, a Miami-based marketing consultancy. He previously worked as an information security researcher for the U.S. National Security Agency. His publishing credits include the TICSA Training Guide from Que Publishing, the CISSP Study Guide from Sybex and the upcoming SANS GSEC Prep Guide from John Wiley. He's also the About.com Guide to Databases.
The following comments were sent in by users regarding this tip:
The author of this tip leaves out the fact that there are other "modes" that snort can run in. There is in-line, real time or schedule checks. It can be active and it can be passive when monitoring. It has add-ons and plug-ins which add to the diversity of the configurations. At our enterprise, we use the "barnyard" tool for handling Snort output and directing as necessary. More was left out of this tip, than was put in.
I agree Snort is open source, however I think it would be misleading to describe it as a poor-man's IDS. Many very-well resourced corporates and government sector organizations (including Defense sector organizations) have adopted Snort as their IDS of choice, and not for financial reasons. Snort is a solid IDS alternative and a good benchmark for other commercial products.
What do you think of this tip? Post your thoughts in our discussion forum.
This was first published in March 2003