Introducing Snort – Open Source NIDS

Anyone who has studied or spent time working in network security will have heard of Snort.  It is an open source NIDS (Network Intrusion detection System) which has been installed on millions of systems across the world.  It was written initially as a packet sniffer by Marty Roesch but is now supported by many more programmers and developers, indeed the company who support the software was bought by Cisco Systems in 2009.  It has been described as one of the most important pieces of software of all time.

Snort is a signature based NIDS which uses a combination of pre-processors and rules to help analyse traffic and identify attacks.  The rules offer a simple and flexible method of checking individual packets against multiple signatures.   The pre-processor code built into Snort allows more intensive examination of the packets and even some individual manipulation of the code which cannot be achieved with simply matching against existing signatures,

The pre-processors are in charge of specific functions ranging from IP defragmentation, web traffic analysis and TCP stream re-assembly all important jobs when trying to look out for intrusions into a network.  Snort is also easily configurable and it’s relatively easy to create your own signatures and install them.  Also there are lots of plug-ins that further expand the functionality into areas like active response and detection systems for malicious traffic.

Snort started it’s life as a packet sniffer and indeed can still be run in this mode to dump traffic to the screen or a text file.  However it is a lot more sophisticated than that and in NIDS mode Snort is able to compare your standard network traffic against a huge set of signatures known as rules in order to detect attacks.

When the program is run in NIDS mode, any events which are deemed interesting are dumped in to various files.  This is in response to matches or partial matches of the data to the rules stored in Snort’s configuration.  This gives the administrator lots of control over what events trigger alerts and in what circumstances, they can be tailored to different threat environments.

This also means that not only can you configure Snort to look for specific behaviour such as tell tale signs of specific port scans for example.  You can also configure what happens when one of these alerts/rules are triggered.  For example say you are looking for attacks or connections to a specific server or address, maybe a proxy or VPN server. Perhaps someone using for a specific need  to get BBC iPlayer in Australia through your UK server!

The log and alert files from Snort can be quite tricky to use in larger environments so you can actually write these to other locations.  There are numerous options including a backend system called barnyard and even writing directly to a mysql database if preferred.  It’s been around a long time now so there are probably many more options than this too.

James Herron

Author of Best VPN for Anonymity

One Response

  1. John March 30, 2017

Leave a Reply