“All through this series of articles, we have tried our very
best to strike a balance between the implementation of these
Intrusion Detection tools and their working principle. As a totally
paranoid System Administrator, which you should be anyway, you should
be able to assess at first hand the various security threats that
your machines face both internally and externally. Only such an
understanding will help you decide the kind of tools to put in
place to lock down and fortify your network from intruders. In this
article we will have a look at Snort as a backup Intrusion
Detection System for your enterprise network and whether it could really
scale up to the requirements of your enterprise networks.”
“The main distribution site for snort is http://www.snort.org.
Snort is distributed under the GNU GPL license by its author,
Martin Roesch (roesch@clark.net). Snort is a lightweight
network intrusion detection system, capable of performing real-time
traffic analysis and packet logging on IP networks. It can perform
protocol analysis, content searching/matching and can be used to
detect a variety of attacks and probes, such as buffer overflows,
stealth port scans, CGI attacks, SMB probes, OS fingerprinting
attempts, and much more. Snort uses a flexible rule language
to describe traffic that it should collect or pass, as well as a
detection engine that uses a modular plugin architecture. Snort has a
real-time alerting capability as well, incorporating alerting
mechanisms for syslog, user-specified files, a UNIX socket, or
WinPopup messages to Windows clients using Samba’s smbclient. Snort
has three primary uses. It can be used as a straight packet sniffer
like tcpdump(1), a packet logger (useful for network traffic
debugging, etc.), or as a full-blown network intrusion detection
system. Snort logs packets in either tcpdump(1) binary format or as
decoded ASCII format to logging directories that are named based on
the IP address of the “foreign” IP host. Plugins allow the
detection and reporting subsystems to be extended. Available
plugins include database logging, small fragment detection, port
scan detection, and HTTP URI normalization.”
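The rule language the quotation refers to is easiest to understand from a concrete rules file. The following is an added illustration, not text from the article or a file shipped with Snort: it shows the three rule actions (alert, log, pass) together with the content matching and TCP-flag analysis mentioned above. The network addresses and the rule IDs (sid) are assumed values.

```snort
# Constructed example rules file (not from the article or the Snort
# distribution). Assumed: 192.168.1.0/24 is the protected home network.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET

# log: collect matching packets without raising an alert. Packets land in
# the log directory named after the foreign host (decoded ASCII by default,
# tcpdump binary format when snort is started with -b).
# Here: every telnet session initiated from outside toward the home network.
log tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"Inbound telnet session logged"; sid:1000001; rev:1;)

# pass: drop matching traffic from further inspection. Here: the
# administrator's own workstation (assumed address 192.168.1.10) talking to
# the internal web server. Note that the default evaluation order is
# alert -> pass -> log; start snort with -o to have pass rules checked first.
pass tcp 192.168.1.10 any -> $HOME_NET 80

# alert: content matching. The historical phf CGI script is a classic probe
# target; the rule fires when the byte sequence "/cgi-bin/phf" appears in the
# payload of a request to a home-network web server, case-insensitively.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI phf probe"; content:"/cgi-bin/phf"; nocase; sid:1000002; rev:1;)

# alert: TCP flag analysis. A TCP segment with no flags set never occurs in
# a legitimate session and is the signature of a "NULL" stealth port scan.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"SCAN NULL - no TCP flags set"; flags:0; sid:1000003; rev:1;)
```

Local rule IDs should stay at or above 1000000 so they do not collide with the numbering used by distributed rule sets.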