FreeOS.com: Intrusion Detection Systems for your network: Part III - Installing Snort
Feb 05, 2001, 17:56
(Other stories by Trevor Warren)
"All through this series of articles, we have tried our very best to strike a balance between the implementation of these Intrusion Detection tools and their working principle. As a totally paranoid System Administrator, which you should be anyway, you should be able to assess at first hand the various security threats that your machines face both internally and externally. Only such an understanding will help you decide the kind of tools to put in place to lock down and fortify your network from intruders. In this article we will have a look at Snort as a backup Intrusion Detection System for your enterprise network and whether it could really scale up to the requirements of your enterprise networks."
"The main distribution site for snort is http://www.snort.org. Snort is distributed under the GNU GPL license by its author, Martin Roesch (firstname.lastname@example.org). Snort is a lightweight, network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rule language to describe traffic that it should collect or pass, as well as a detection engine that uses a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient. Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc.), or as a full-blown network intrusion detection system. Snort logs packets in either tcpdump(1) binary format or as decoded ASCII format to logging directories that are named based on the IP address of the "foreign" IP host. Plugins allow the detection and reporting subsystems to be extended. Available plugins include database logging, small fragment detection, port scan detection, and HTTP URI normalization."
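The rule language the excerpt refers to is what decides which traffic Snort alerts on, logs or passes; the following local rules file is an added example written for this page, not part of the article or of the Snort distribution. It assumes that $HOME_NET and $EXTERNAL_NET are defined with "var" lines in snort.conf and that the sid numbers (chosen here from the local range at or above 1000000) do not collide with any rules already loaded.

```snort
# local.rules (added example). Each rule has the form
#   action proto src_ip src_port -> dst_ip dst_port (options;)
# The three actions shown are the ones the article mentions: alert, log, pass.

# alert: generate an alert (syslog, alert file, etc.) AND log the packet.
# Matches an inbound HTTP request containing a classic CGI probe path.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL WEB-CGI phf probe"; content:"/cgi-bin/phf"; nocase; sid:1000001; rev:1;)

# alert: a TCP packet with no flags set ("NULL scan") is never legitimate
# and is one of the stealth port-scan patterns the article lists.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SCAN NULL scan"; flags:0; sid:1000002; rev:1;)

# log: record the packets (to the per-foreign-host log directory) but do
# not raise an alert. Useful for collecting inbound SMB traffic for review.
log tcp $EXTERNAL_NET any -> $HOME_NET 139 (msg:"LOCAL SMB session logged"; sid:1000003; rev:1;)

# pass: ignore traffic from an authorised internal scanner host.
# $SCANNER_HOST is an assumed variable (define it in snort.conf).
# Caveat: with Snort's default rule ordering (alert, pass, log) the alert
# rules above still fire for this host; start snort with -o to evaluate
# pass rules first and actually silence it.
pass tcp $SCANNER_HOST any -> $HOME_NET any (msg:"LOCAL pass authorised scanner"; sid:1000004; rev:1;)
```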