Snort: A Look Inside an Intrusion Detection System
Kristy Westphal
As evidenced by the daily news headlines, catching wily hackers is becoming
even tougher. Every bit of sensible security you can add to your network may
help, especially if the tool you are using is free, portable, and easy to install.
In the case of Intrusion Detection Systems (IDSs), there are many good
commercial versions. What isn't as widely advertised are the freeware IDSs.
These programs are not only good products in their own right, but are also
excellent supplements to the commercial systems.
Snort (written by Martin Roesch) is one such tool. Snort is a rules-based,
lightweight Intrusion Detection System built on libpcap that runs on UNIX
operating systems. Snort can perform content searches on IP packets and,
through its logging, let the security administrator know when unusual
activity has occurred. It is the type of IDS that lets you dig down into the
packet: it can log packets in tcpdump (binary) format, or write them out
decoded into a directory structure named after the source IP address of
each packet. The administrator also has the flexibility to set up filters
based on IP addresses, and the ability to have Snort close a connection
when a rule for a hostile probe or possible attack matches.
This article explores setting up Snort, how to use its various plugins, how
to interpret the output of packet captures from Snort, and how it can complement
other IDSs.
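To make the workflow just described concrete, here is a toy rules-based packet matcher written for this article as an added example; it is not Snort's own code and does not reproduce Snort's rule language, command-line flags, or exact log file naming. It decodes raw IPv4/TCP headers, applies an address filter and a destination-port check, searches the payload for the rule's content string, and writes a decoded record under a directory named for the source address. The rule, the network addresses, the packets, and the log file name scheme are all constructed for the example.

```python
"""Toy rules-based packet matcher: decode IP/TCP headers, filter on addresses,
search the payload for rule content, and log a decoded copy under a directory
named for the source address. Added example; not Snort code. All rules,
addresses and packets below are constructed for illustration."""
import ipaddress
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    msg: str
    content: bytes                               # byte string searched for in the payload
    src: Optional[ipaddress.IPv4Network] = None  # None means "any"
    dst: Optional[ipaddress.IPv4Network] = None
    dport: Optional[int] = None
    negate_src: bool = False                     # True: match only when src is NOT in `src`


def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Assemble a minimal IPv4+TCP packet (checksums left zero; fine for offline use)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return ip + tcp


def decode_packet(raw: bytes) -> dict:
    """Pull the fields a content rule needs out of the raw IPv4 and TCP headers."""
    ihl = (raw[0] & 0x0F) * 4                    # IP header length in bytes
    total_len = struct.unpack("!H", raw[2:4])[0]
    if raw[9] != 6:                              # IP protocol field: 6 = TCP
        raise ValueError("example handles TCP only")
    sport, dport = struct.unpack("!HH", raw[ihl:ihl + 4])
    data_off = (raw[ihl + 12] >> 4) * 4          # TCP header length in bytes
    return {
        "src": ipaddress.IPv4Address(raw[12:16]),
        "dst": ipaddress.IPv4Address(raw[16:20]),
        "sport": sport, "dport": dport,
        "payload": raw[ihl + data_off:total_len],
    }


def matches(rule: Rule, pkt: dict) -> bool:
    """Cheap header filters first, then the (more expensive) content search."""
    if rule.src is not None and ((pkt["src"] in rule.src) == rule.negate_src):
        return False
    if rule.dst is not None and pkt["dst"] not in rule.dst:
        return False
    if rule.dport is not None and pkt["dport"] != rule.dport:
        return False
    return rule.content in pkt["payload"]


def log_decoded(pkt: dict, rule: Rule, logdir: str) -> str:
    """Write a decoded record under <logdir>/<source ip>/ and return its path.
    The file name (protocol plus port pair) is an assumption made for this example."""
    d = os.path.join(logdir, str(pkt["src"]))
    os.makedirs(d, exist_ok=True)
    path = os.path.join(d, f"TCP_{pkt['sport']}-{pkt['dport']}")
    with open(path, "a") as f:
        f.write(f"[**] {rule.msg} [**]\n")
        f.write(f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}\n")
        f.write(pkt["payload"].decode("latin-1") + "\n\n")
    return path


def run(rules: List[Rule], packets: List[bytes], logdir: str) -> List[Tuple[str, str]]:
    """Apply every rule to every packet; return (rule msg, log file) for each hit."""
    hits = []
    for raw in packets:
        pkt = decode_packet(raw)
        for rule in rules:
            if matches(rule, pkt):
                hits.append((rule.msg, log_decoded(pkt, rule, logdir)))
    return hits


def demo(logdir: Optional[str] = None):
    """Constructed rule and traffic: the rule fires only for an external source
    talking to an internal web server with a suspicious string in the request."""
    home_net = ipaddress.IPv4Network("10.0.0.0/8")      # assumed internal range
    rules = [Rule(msg="constructed: /etc/passwd in HTTP request", content=b"/etc/passwd",
                  src=home_net, negate_src=True, dst=home_net, dport=80)]
    packets = [  # constructed sample traffic
        build_packet("192.0.2.7", "10.1.1.5", 40000, 80, b"GET /cgi-bin/x?f=/etc/passwd HTTP/1.0\r\n"),
        build_packet("10.1.1.9", "10.1.1.5", 40001, 80, b"GET /cgi-bin/x?f=/etc/passwd HTTP/1.0\r\n"),
        build_packet("192.0.2.8", "10.1.1.5", 40002, 80, b"GET /index.html HTTP/1.0\r\n"),
    ]
    logdir = logdir or tempfile.mkdtemp(prefix="toy-ids-")
    hits = run(rules, packets, logdir)
    records = []
    for _, path in hits:
        with open(path) as f:
            records.append(f.read())
    return hits, records


if __name__ == "__main__":
    for (msg, path), rec in zip(*demo()):
        print(msg, "->", path)
        print(rec)
```

The second packet carries the same suspicious string but is ignored because its source is inside the assumed home network, which is the kind of address-based filtering the paragraph above refers to; only the first packet produces a record, filed under a directory named for 192.0.2.7.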
Setting Up Snort: Where to Start, and What You'll Need
Snort runs on almost every flavor of UNIX, including Linux, OpenBSD,
FreeBSD, Solaris, HP-UX, and AIX, and on several hardware platforms (x86,
SPARC, and Alpha) as well. Check the hardware matrix in the documentation
to make sure that the OS/hardware combination you prefer is supported.