Introduction

In the last chapter we taught you how to detect the subtle and insidious acts of the typical script kiddie once she gains access to an account on your computer. In this chapter we will present a tool that can help you stop the barbarian at the gate.

Here we present a brief introduction to Snort, a self-described "lightweight intrusion-detection system." Snort is a kind of supersniffer: a sniffer that uses rules to select packets seen on a network interface and take selective action based on those rules. In this chapter we will present the basics of writing Snort rules, a discussion of the "standard" rulesets and why you may wish to use them, and a few observations on how Snort might fit into the security scheme of various installations.

This chapter presumes that you have a fairly extensive knowledge of the TCP/IP suite of internetworking protocols. If you do not, I would refer you to a basic text on the subject, such as Douglas E. Comer's excellent Internetworking with TCP/IP, Volume 1: Principles, Protocols, and Architecture.

You, as the reader, shouldn't have to care about my problems as the author, but this tool (and this chapter) is one of those that has us walking that tightrope between being too light to be useful and too heavy to be understood. Bear in mind that the overall goal throughout this book is to show you some of the exciting things you can do with Free Software. We are not writing documentation or tutorials. That said, we do aim to make the information we present in each chapter practical and useful. If I fail here, it is certainly not for want of trying.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
EAN: 2147483647
Year: 2002
Pages: 257
