Packet Monitoring, Logging, and Triggering

Like sniffers (described in Chapter 11), Snort watches all the packets on a given network interface. Unlike sniffers, however, Snort doesn't just dump them out to a screen or a file. Instead, it takes some sort of programmed action when packets match certain criteria. These criteria and actions are specified in Snort rules, which we will describe in some detail later.

So Snort monitors all packets. When a packet matches a rule, the action for that rule is taken. That action may be to log the packet for later examination. It may be to alert to a serious condition. It may even be to trigger the activation of additional rules. We'll talk about how this may help a little later on.

The goal of all of this is to watch what is happening on your network, to recognize when certain kinds of activity are coming from certain places, and to make sure that activity gets noticed in time for you to do something about it.

Remember the attack sequence described in the last chapter? One of the first things a remote attacker will do is reconnaissance. He or she will probably begin by scanning hosts on your network. With Snort, you can recognize and detect the scan itself and perhaps be able to do something about it long before the intruder gets in and starts messing with your files.
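To make the two ideas above concrete (a rule whose action is to log, alert, or switch on further rules, and recognizing a scan as a burst of probes from one source), here is a small rule engine in Python. It is an added example written for this section, not Snort's own code: the Rule and Packet structures are a simplified stand-in for Snort's rule language and packet decoding, the activate/dynamic pairing mirrors the rule actions Snort uses for "activate additional rules" only in outline, and the hosts (TEST-NET addresses), rules and packets are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    sid: int
    action: str                         # alert | log | activate | dynamic
    proto: str
    dport: Optional[int] = None         # None means any destination port
    content: Optional[bytes] = None     # byte string that must appear in the payload
    activates: Optional[int] = None     # activate rule: tag it switches on
    activated_by: Optional[int] = None  # dynamic rule: tag that switches it on
    count: int = 0                      # dynamic rule: packets to capture once armed

def matches(rule: Rule, pkt: Packet) -> bool:
    """The 'criteria' half of a rule: header fields plus optional payload content."""
    if rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    if rule.content is not None and rule.content not in pkt.payload:
        return False
    return True

class Engine:
    def __init__(self, rules):
        self.rules = list(rules)
        self.alerts = []      # (sid, packet) pairs that raised an alert
        self.logged = []      # (sid, packet) pairs written to the packet log
        self.remaining = {}   # dynamic sid -> packets still to capture

    def process(self, pkt: Packet) -> None:
        # Pass 1: dynamic rules armed by an earlier packet capture follow-on traffic.
        for r in self.rules:
            if r.action == "dynamic" and self.remaining.get(r.sid, 0) > 0 and matches(r, pkt):
                self.logged.append((r.sid, pkt))
                self.remaining[r.sid] -= 1
        # Pass 2: ordinary rules take their programmed action on a match.
        for r in self.rules:
            if r.action == "dynamic" or not matches(r, pkt):
                continue
            if r.action == "alert":
                self.alerts.append((r.sid, pkt))
            elif r.action == "log":
                self.logged.append((r.sid, pkt))
            elif r.action == "activate":
                # Alert, then arm every dynamic rule carrying the same tag so the
                # next `count` matching packets are kept for later examination.
                self.alerts.append((r.sid, pkt))
                for d in self.rules:
                    if d.action == "dynamic" and d.activated_by == r.activates:
                        self.remaining[d.sid] = d.count

def detect_scan(packets, threshold: int = 5) -> set:
    """Sources that probed more than `threshold` distinct ports on a single host."""
    ports = defaultdict(set)
    for p in packets:
        ports[(p.src, p.dst)].add(p.dport)
    return {src for (src, _), ps in ports.items() if len(ps) > threshold}

# Constructed rule set (hypothetical sids and tags, not from any real ruleset).
RULES = [
    Rule(sid=100, action="activate", proto="tcp", dport=143, content=b"/bin", activates=1),
    Rule(sid=101, action="dynamic", proto="tcp", dport=143, activated_by=1, count=2),
    Rule(sid=102, action="log", proto="tcp", dport=23),
]

SCANNER, VICTIM = "203.0.113.5", "192.0.2.10"
# Constructed traffic: a six-port probe, a suspicious IMAP payload, three more
# IMAP packets from the same source, then an unrelated telnet connection.
TRAFFIC = (
    [Packet(SCANNER, VICTIM, "tcp", port) for port in (21, 22, 25, 80, 110, 143)]
    + [Packet(SCANNER, VICTIM, "tcp", 143, b"A" * 16 + b"/bin/sh")]
    + [Packet(SCANNER, VICTIM, "tcp", 143, b"a001 LOGIN guest guest")] * 3
    + [Packet("198.51.100.7", VICTIM, "tcp", 23, b"root\r\n")]
)

def run_demo():
    eng = Engine(RULES)
    for pkt in TRAFFIC:
        eng.process(pkt)
    return eng, detect_scan(TRAFFIC)

if __name__ == "__main__":
    eng, scanners = run_demo()
    print("scanning hosts:", sorted(scanners))
    print("alerts:", [sid for sid, _ in eng.alerts])
    print("logged by rule:", [sid for sid, _ in eng.logged])
```

Running it, the port probe trips the scan check before anything else happens, the payload containing /bin raises the alert from rule 100 and arms rule 101, which then quietly logs the next two IMAP packets, and the telnet connection is logged by rule 102 without an alert. The point is the division of labour: a rule decides what is interesting, and its action decides whether you hear about it now, read about it later, or start collecting more of it.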

In the last chapter we told you how to detect the "prints and fibers" of an intruder who has been messing about with your systems. If Tripwire is analogous to a forensics team collecting evidence after the crime, Snort is analogous to a nosy neighbor calling the cops when he sees someone skulking around your home. I don't know about you, but I would rather the miscreant were apprehended before he got into my home and began to redecorate it.

Multitool Linux: Practical Uses for Open Source Software
ISBN: 0201734206
Year: 2002
Pages: 257
