Breathe easily: protect your Linux box with Snort


An intrusion detection system – or IDS – is a high-tech burglar alarm, keeping a watchful eye on your computer and alerting when computer or network activity indicates unauthorised or malicious activity. An IDS is a must-have app, and Snort is rapidly becoming the tool of choice.

Snort, with its funny name, has three primary operating modes. The first two are not really intrusion related: they merely read the network packets received and display them on screen or write them to disk. In these modes, Snort acts as a network sniffer and a packet logger. These are useful applications in themselves, but they are not where Snort really shows its stuff.

Snort’s third operating mode – network intrusion detection – is when the magic happens. Here, Snort actually pays attention to the network traffic passing its electronic eyes and matches what it sees against a database of updatable signatures as well as any custom user-defined rules. In this mode, Snort does for networks what anti-virus tools do for filesystems.


Best of all, it keeps running while you’re asleep, processing packets, log files and more. You can configure it to send alerts via SMS or other means that can even wake up your network or security staff. Or, you could define rules so that Snort blocks the suspicious traffic, as well as other traffic from the originating host.
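To make the two preceding paragraphs concrete, here is an added example (not code from the article or from the Snort project) of how a Snort rule is matched against traffic. It is a deliberately simplified re-implementation of the Snort 2 rule syntax in Python: two constructed rules in the style of a site's local.rules file, one with the `alert` action and one with the `drop` action that an inline deployment would use to block traffic, are evaluated against three constructed packets. The `$HOME_NET` and `$EXTERNAL_NET` values are assumptions standing in for what snort.conf would define; real Snort also handles many more rule options than `content`, `nocase`, `msg`, `sid` and `rev`.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed network variables, as a snort.conf would define them (assumption).
VARIABLES = {
    "$HOME_NET": "192.168.1.0/24",
    "$EXTERNAL_NET": "!192.168.1.0/24",
}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict

# Rule header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<opts>.*)\)\s*$"
)

def parse_rule(text):
    """Parse one Snort-style rule line into a Rule (simplified: no ';' inside values)."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    opts = {}
    for item in m.group("opts").split(";"):
        item = item.strip()
        if item:
            key, _, value = item.partition(":")   # flag options such as nocase have no value
            opts[key.strip()] = value.strip().strip('"')
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts)

def addr_matches(spec, ip):
    """Resolve a $VARIABLE, then test the address against any / CIDR / negated CIDR."""
    spec = VARIABLES.get(spec, spec)
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def port_matches(spec, port):
    """Test a port against any, a single port, or a lo:hi range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def rule_matches(rule, pkt):
    """Header match first, then the payload content test, mirroring Snort's order."""
    if rule.proto not in ("ip", pkt.proto):
        return False
    forward = (addr_matches(rule.src, pkt.src) and port_matches(rule.sport, pkt.sport)
               and addr_matches(rule.dst, pkt.dst) and port_matches(rule.dport, pkt.dport))
    backward = rule.direction == "<>" and (
        addr_matches(rule.src, pkt.dst) and port_matches(rule.sport, pkt.dport)
        and addr_matches(rule.dst, pkt.src) and port_matches(rule.dport, pkt.sport))
    if not (forward or backward):
        return False
    content = rule.options.get("content")
    if content is not None:
        needle, hay = content.encode(), pkt.payload
        if "nocase" in rule.options:
            needle, hay = needle.lower(), hay.lower()
        if needle not in hay:
            return False
    return True

def inspect(rules, pkt):
    """Return (action, sid, msg) for the first rule that fires, or None if none does."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.options.get("sid"), rule.options.get("msg")
    return None

# Constructed local rules; sids from 1000000 upwards are the conventional local range.
LOCAL_RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB admin path request"; content:"/admin"; nocase; sid:1000001; rev:1;)',
    'drop tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH from outside"; sid:1000002; rev:1;)',
]
RULES = [parse_rule(r) for r in LOCAL_RULES]

# Constructed packets: two from an outside host, one from inside the home network.
SAMPLE_PACKETS = [
    Packet("tcp", "203.0.113.5", 51234, "192.168.1.10", 80, b"GET /Admin/login HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.5", 51235, "192.168.1.10", 22, b"SSH-2.0-client\r\n"),
    Packet("tcp", "192.168.1.20", 40000, "192.168.1.10", 80, b"GET /admin HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.src, "->", pkt.dst, pkt.dport, inspect(RULES, pkt))
```

The third packet produces no match even though its payload contains "/admin": its source is inside `$HOME_NET`, and `$EXTERNAL_NET` is defined as the negation of that, so the header test fails before the content is ever examined. Getting those variables right in snort.conf matters as much as the rules themselves.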

Where Snort isn’t so great is the massive amount of disk space it chews up with the log files it produces, as well as the signature files used to detect rule violations. It’s not unrealistic for Snort operating within a high-traffic site to consume up to 100 GB of disk space. Snort doesn’t especially require any particular level of processor, but it really will need a fast disk controller and a lot of space, not to mention a network card that is as fast as or faster than the rest of your network (or else you can miss packets). If the budget can cater for it, the best advice would be to dedicate a machine directly to Snort’s use.

Wherever you choose to run Snort, you do have to remember to place it on your network in a strategic location, because it can only see traffic on its own subnet. There’s little point running Snort on your office desktop computer if your public-facing web and mail servers are housed in a co-location facility, for instance. In fact, depending on the complexity and size of your network, you may want to consider multiple Snort installations, to ensure all your key assets are protected by having one Snort system within each key subnet.

Get going with Snort


Snort is freely downloaded from www.snort.org. Regular rules updates from the Snort Vulnerability Research Team (VRT) can be found here also, as well as documentation and community forums.

At this time, the latest stable release is Snort 2.7.0.1; Snort 2.8.0 beta is also available, but it is not final release code. Both versions have binary and source code downloads. As with any Linux app, the trade-off is that the binary release is ready to run, whereas the source code release can be tailored to your needs with additional libraries or different combinations of compile-time flags for greater optimisation. When it comes to security tools, compiling from source becomes even more worth considering, as it gives extra peace of mind that the resulting executable genuinely came from the program code and was not tampered with along the way.


David M Williams


David has been computing since 1984, when he instantly gravitated to the family Commodore 64. He completed a Bachelor of Computer Science degree from 1990 to 1992, commencing full-time employment as a systems analyst at the end of that year. Within two years, he returned to his alma mater, the University of Newcastle, as a UNIX systems manager. This was a crucial time for UNIX at the University with the advent of the World-Wide-Web and the decline of VMS. David moved on to a brief stint in consulting, before returning to the University as IT Manager in 1998. In 2001, he joined an international software company as Asia-Pacific troubleshooter, specialising in AIX, HP/UX, Solaris and database systems. Settling down in Newcastle, David then found niche roles delivering hard-core tech to the recruitment industry and presently is the Chief Information Officer for a national resources company, where he particularly specialises in mergers and acquisitions and enterprise applications.
