Summary

Snort is a very powerful tool for improving the security of whole networks. It is only as good as you are, however. This tool is not best used by someone who doesn't understand the IP, ICMP, TCP, UDP, and RPC protocols at a fundamental level. It is also most effective as part of a defense in depth.

If you are not particularly knowledgeable about TCP/IP and Linux administration, don't let the difficulty of this topic and this chapter drive you away from Linux and into the comforting but feeble arms of "easier" systems. Any operating system that implements any service using TCP/IP (and if you use the Internet, then your system is using TCP/IP) is potentially vulnerable to these types of attack. There is nothing about Linux that makes it more vulnerable, and there are some things about it, such as its user-level system security, that make it less vulnerable, certainly, than the "nonserver" PC operating systems.

There are commercial products that have some capabilities Snort lacks, but this is a book about free software. I would also say that the argument I made about trusting rules supplied by others applies in spades to security products for which you do not have the source code. The one good argument for trusting closed-source security products is that companies have a strong economic incentive to keep your trust. Experience has shown, however, that this pressure has not been sufficient to get companies to close security holes in a timely manner. Snort is an important part of a complete security plan, but it is not, in itself, a security solution.

 



Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
EAN: 2147483647
Year: 2002
Pages: 257
