Chapter 29: Introducing Snort


Introduction

Snort is a full-fledged open-source Network-based Intrusion Detection System (NIDS) that has many capabilities. These capabilities include packet sniffing and packet logging in addition to intrusion detection. Beyond these basic Snort features, you can set up Snort to send real-time alerts, so that you are notified as events occur rather than having to continuously monitor your Snort system.

An Intrusion Detection System (IDS) is used as a "burglar alarm" for your network or host. If there is an anomaly detected (in the case of Snort, by using signatures), the system administrator is notified in various ways. Those ways include e-mail, network messages (like Windows pop-ups or UNIX write), or the syslog facility.

Snort is like a vacuum that takes particular items (in this case, packets) and allows you to perform different tasks, such as watching the items as they get sucked up (packet sniffer), putting the items into a container (packet logger), or sorting them and determining when a particular item has gone through your NIDS (intrusion detection).

So why is Snort so popular? Providing packet sniffing and logging functions is an elementary part of Snort, but Snort's beefiness comes from its intrusion detection capabilities, which match packet contents against intrusion rules. Snort might be considered a lightweight NIDS. A lightweight IDS is one that has a small footprint and can run on various operating systems (OSs). Additionally, Snort provides functionality previously found only in commercial-grade network IDSs such as Network Flight Recorder (NFR) and ISS RealSecure.

Snort's popularity runs parallel to the increasing popularity of Linux and other free OSs such as the BSD-based OSs, NetBSD, OpenBSD, and FreeBSD. Just because Snort's roots are in open source does not mean that it's not available for other commercial OSs. On the contrary, you can find ports of Snort available for Solaris, HP-UX, IRIX, and even Windows.

Snort is a signature-based IDS, and uses rules to check for errant packets on your network. A rule is a set of requirements that, when met, trigger an alert. For example, one Snort rule that checks for peer-to-peer file sharing services looks for the string "GET" in traffic that is not going to a service running on port 80. If a packet matches that rule, it generates an alert. Once an alert is triggered, it can go to a number of places, such as a log file, a database, or an SNMP trap.
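
The "GET outside port 80" rule described above, as an added illustration that is not from the book: a constructed Snort-style rule (its msg and sid are assumptions) and a minimal Python matcher that applies the header's protocol and port tests and the content test to a few constructed packets. This is a toy to show how a signature fires, not Snort's own detection engine.

```python
from collections import namedtuple

# Constructed rule in Snort's header/options syntax. The book only describes
# the idea, so the exact text (msg, sid) is an assumption, not a real rule.
P2P_RULE = ('alert tcp any any -> any !80 '
            '(msg:"P2P GET outside port 80"; content:"GET"; sid:1000001;)')

Packet = namedtuple("Packet", "proto sport dport payload")

def parse_rule(text):
    """Split a rule into header fields (action proto src sport -> dst dport)
    and an option dict. Only plain-text content is handled, no |hex| bytes."""
    header, options = text.split("(", 1)
    action, proto, src, sport, direction, dst, dport = header.split()
    rule = {"action": action, "proto": proto, "sport": sport, "dport": dport}
    for opt in options.rstrip(")").split(";"):
        if ":" in opt:
            key, value = opt.strip().split(":", 1)
            rule[key] = value.strip().strip('"')
    return rule

def port_matches(spec, port):
    """'any' matches every port; a leading '!' negates, as in Snort headers."""
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (int(spec.lstrip("!")) == port) != negate

def rule_matches(rule, pkt):
    """Header (protocol and ports) must match, then the content string."""
    return (rule["proto"] == pkt.proto
            and port_matches(rule["sport"], pkt.sport)
            and port_matches(rule["dport"], pkt.dport)
            and rule["content"].encode() in pkt.payload)

def alerts(rule_text, packets):
    """Return (sid, msg, dport) for every packet the rule fires on."""
    rule = parse_rule(rule_text)
    return [(int(rule["sid"]), rule["msg"], p.dport)
            for p in packets if rule_matches(rule, p)]

# Constructed sample traffic: a normal HTTP GET, a GET to a non-HTTP port
# (which the rule flags), and non-GET traffic on that same port.
SAMPLE = [
    Packet("tcp", 51000, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n"),
    Packet("tcp", 51001, 6346, b"GET /get/1/song.mp3 HTTP/1.1\r\n"),
    Packet("tcp", 51002, 6346, b"GNUTELLA CONNECT/0.6\r\n"),
]
```

Calling alerts(P2P_RULE, SAMPLE) flags only the second packet: the GET to port 80 is ordinary web traffic and the third packet carries no GET at all.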

Note

Snort's logo is a pig, and many references are piggish in nature.

In this chapter, you'll get an understanding of what Snort is, what its features are, and how to use it on your network. Additionally, you'll learn about the history of Snort, and how it came to be such a popular IDS. You'll also learn the importance of securing your Snort system, and some of the pitfalls of Snort. However, as you will see, Snort's advantages far exceed its pitfalls.

Note

Commercial solutions for Snort exist as well, but they are out of scope for this chapter. Although Snort is available for free under the GNU Public License (GPL), Sourcefire also offers commercial Snort solutions.




The Best Damn Firewall Book Period
ISBN: 1931836906
Year: 2003
Pages: 240
