Originally Published: Tuesday, 16 October 2001 Author: Shashank Pandey
Published to: enchance_articles_security/Advanced Security Articles Page: 1/4 - [Printable]

Intrusion Detection Systems for the Uninitiated, Part 2; Installing and Configuring Snort

Shashank Pandey returns to Linux.com with part two of his popular series on IDS: Intrusion detection Systems for Linux. Quizzing PortSentry in his last article, in today's Pandey cast a sharp eye over working with snort. And remember in some primitive parts of the world you have to pay for information like this! Can you imagine?

snort   Page 1 of 4  >>


Snort is a lightweight network-based intrusion detection system (called NIDS). NIDS is unlike 'portsentry', which is a host based IDS and capable of performing real-time traffic analysis and packet logging on IP networks. The reason Snort is called 'lightweight' NIDS, is because it's easy to use and install and is designed primarily for small networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts and such.

Snort uses 'rules' (specified in 'rule' files) to know which traffic to allow and which to stop. In fact it's so flexible it allows you to write new rules and abides by them (see http://www.snort.org/writing_snort_rules.htm). It also has a 'detection engine' that utilizes a modular plugin architecture whereby specific plugins can be added or removed from the 'detection engine' to alter its capability.

An important aspect of any IDS is its 'alerting mechanism'. Snort attracts attention in a variety of ways, in that it can alert about the attacks/probes through syslog, has a real-time (as the attacks/probes take place) alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.

Snort can run in three modes :

  1. As a straight packet sniffer like tcpdump(1)
  2. As a packet logger (useful for network traffic debugging, etc),
  3. As a full-blown network intrusion detection system.

This article will talk in detail about the Snort installation, architecture, rules and how to run them.

So here we go.


Linux 2.2.* ,
Snort 1.7(http://www.snort.org/)
Snort is known to compile and run on: Sparc: SunOS 4.1.x, Solaris, Linux, and OpenBSD
x86: Linux, OpenBSD, FreeBSD, NetBSD, and Solaris
M68k/PPC: Linux, OpenBSD, NetBSD, Mac OS X Server

Snort should also compile on:


Libpcap(Snort is based on the libpcap packet capture library, commonly used in may TCP/IP traffic sniffers and analyzers. ).
Get it from: ftp://ftp.ee.lbl.gov/libpcap.tar.Z.

snort   Page 1 of 4  >>