Intrusion Detection System Part 3: Snort
Our failure establishes only this,
that our determination to succeed
wasn't strong enough.
The main distribution site for Snort is http://www.snort.org. Snort is distributed under the GNU GPL license by its author, Martin Roesch. Snort is a lightweight network IDS, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis and content searching/matching, and it can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more. Snort uses a flexible rules language to describe traffic that it should collect or pass, and includes a detection engine built on a modular plug-in architecture. Snort has real-time alerting capability as well, with alerting mechanisms for Syslog, user-specified files, a UNIX socket, or WinPopup messages to Windows clients via Samba's smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump, or as a packet logger that is useful for network traffic debugging. It can also be used as a full-blown network intrusion detection system.
Snort logs packets in either tcpdump binary format or in Snort's decoded ASCII format to logging directories that are named based on the IP address of the foreign host.
Plug-ins allow the detection and reporting subsystems to be extended. Available plug-ins include database logging, small fragment detection, portscan detection, and HTTP URI normalization.
The ground we will cover with respect to Snort is:
- Snort as a straight packet sniffer like tcpdump.
- Snort as a packet logger, useful for network traffic debugging.
- Snort as a full-blown network intrusion detection system.
Compiling and installing Snort
Having downloaded Snort, untar the archive with the following command.
bash# tar -xvzf snort-1.6.3.tar.gz
This should do the trick and get it untarred into the directory snort-1.6.3. Having done this, next on the cards is a dependency check for the various libraries and header files that Snort needs. You'll need to ensure that you have the sources for libpcap. If not, you can download them from ftp://ftp.ee.lbl.gov/libpcap.tar.Z.
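As an added example, not part of the original article, here is a POSIX shell script that performs that dependency check before you build Snort: it looks for pcap.h and for a static or shared libpcap in the usual include and library directories and reports what is missing. The default search lists and the script name snort-deps.sh are assumptions; pass your own directory lists to override them.

```shell
#!/bin/sh
# Added example: pre-build check for the libpcap header and library that
# Snort needs. Default search paths below are assumptions for a typical
# Unix layout; override them by passing your own lists as arguments.
# Usage: . ./snort-deps.sh && check_snort_deps ["INC_DIRS"] ["LIB_DIRS"]

# find_pcap_header DIR...: print the first directory holding pcap.h
# (directly or under a pcap/ subdirectory); return 1 if none does.
find_pcap_header() {
    for d in "$@"; do
        if [ -f "$d/pcap.h" ] || [ -f "$d/pcap/pcap.h" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# find_pcap_lib DIR...: print the first directory holding a static or
# shared libpcap (libpcap.a, libpcap.so or a versioned libpcap.so.*);
# return 1 if none does.
find_pcap_lib() {
    for d in "$@"; do
        for f in "$d"/libpcap.a "$d"/libpcap.so "$d"/libpcap.so.*; do
            if [ -e "$f" ]; then
                printf '%s\n' "$d"
                return 0
            fi
        done
    done
    return 1
}

# check_snort_deps "INC_DIRS" "LIB_DIRS": report where libpcap was found
# and return 0 only when both the header and the library are present.
check_snort_deps() {
    inc_dirs=${1:-"/usr/include /usr/local/include"}
    lib_dirs=${2:-"/usr/lib /usr/local/lib /usr/lib64"}
    status=0
    # Word splitting of the space-separated lists below is intended.
    if inc=$(find_pcap_header $inc_dirs); then
        echo "libpcap header found in $inc"
    else
        echo "pcap.h not found; install libpcap (ftp://ftp.ee.lbl.gov/libpcap.tar.Z)"
        status=1
    fi
    if lib=$(find_pcap_lib $lib_dirs); then
        echo "libpcap library found in $lib"
    else
        echo "libpcap library not found; build and install it before building Snort"
        status=1
    fi
    return $status
}
```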