Do You Need Snort? A Review of One of the Best Intrusion Detection and Intrusion Prevention Systems on the Market

Network and host-based intrusion detection systems (IDS) and intrusion prevention systems (IPS) are many and varied. One of the best out there has also been around longer than most, since 1998. Snort is a free, open source intrusion detection and prevention system. It can also function as a sniffer and packet logger, and real-time alerting and analysis are possible with Snort as well. I’ve used Snort since it has existed, and I’ve always loved it. Let’s see why.

Requirements & Setup (5 out of 5)

There are several components needed before Snort can be deployed, and the Snort site provides a clear, well-defined list of these prerequisites. Snort is most at home on Linux and other *nix systems, but it can also run on Windows using binaries that have been ported there. The most important prerequisite for this or any other network monitoring tool is packet capture capability, so a packet capture library is required: on Unix-like systems that is libpcap, and on Windows there is a port of pcap called WinPcap. Snort also requires a component called Barnyard, an output management component. Unix users may also need the Perl Compatible Regular Expressions (PCRE) library and libnet if they do not already have them.

Snort rules are customizable, and there are many community rules, but the latest verified rules are available in real time only via a subscription. Registered users can access the rule base free of charge, but for them these rules become accessible 30 days after their release. Registration takes only seconds.

Features (5 out of 5)

Snort is flexible. You might use it as a real-time traffic analysis tool, or as a sniffer to record and log packets. The real value of Snort, though, is its intrusion detection capability. Rules in Snort are powerful, flexible, and can be customized any way you need, and there are hundreds of rules devised by experts if you don’t know how to craft them, or don’t care to learn. Snort allows detection of vulnerabilities, exploits, or other conditions, and it has IPv6 support.
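To make the rule anatomy concrete, here is an added example (written for this review, not code from the Snort project) that parses a rule in Snort's text syntax and matches it against constructed packets the way the detection engine conceptually does: header fields (action, protocol, source and destination addresses and ports, direction) followed by options such as `msg`, `content`, `nocase` and `sid`. The `$HOME_NET` and `$EXTERNAL_NET` values, the two rules and the five packets are all constructed for the example; the matcher is deliberately simplified (no `|hex|` content bytes, no `pcre`, no flow tracking) and is not Snort's own engine.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Snort rule header: action proto src sport direction dst dport (options;)
RULE_HEADER = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: dict = field(default_factory=dict)

@dataclass
class Packet:          # minimal decoded packet; constructed for the demo
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def parse_rule(text):
    """Split a one-line Snort rule into header fields and an option map."""
    m = RULE_HEADER.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    opts = {}
    for item in m.group("opts").split(";"):   # simplification: no ';' inside quotes
        item = item.strip()
        if not item:
            continue
        if ":" in item:                         # key:value option, e.g. sid:1000001
            key, value = item.split(":", 1)
            opts[key.strip()] = value.strip().strip('"')
        else:                                   # flag option, e.g. nocase
            opts[item] = True
    return Rule(m.group("action"), m.group("proto"), m.group("src"), m.group("sport"),
                m.group("dir"), m.group("dst"), m.group("dport"), opts)

def addr_matches(spec, ip, variables):
    """Resolve $VAR, honour '!' negation, accept 'any', an IP, or a CIDR block."""
    if spec.startswith("$"):
        spec = variables[spec[1:]]
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    hit = True if spec == "any" else ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    return hit != negate

def port_matches(spec, port):
    """'any', a single port, or a Snort-style range 'lo:hi' (either end open)."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def payload_matches(opts, payload):
    """Apply the 'content' option, case-insensitively when 'nocase' is set."""
    content = opts.get("content")
    if content is None:
        return True
    needle = content.encode()
    if "nocase" in opts:
        return needle.lower() in payload.lower()
    return needle in payload

def rule_matches(rule, pkt, variables):
    if rule.proto.lower() not in ("ip", pkt.proto.lower()):
        return False
    forward = (addr_matches(rule.src, pkt.src, variables) and port_matches(rule.sport, pkt.sport)
               and addr_matches(rule.dst, pkt.dst, variables) and port_matches(rule.dport, pkt.dport))
    if rule.direction == "<>":   # bidirectional: either orientation satisfies the header
        forward = forward or (
            addr_matches(rule.src, pkt.dst, variables) and port_matches(rule.sport, pkt.dport)
            and addr_matches(rule.dst, pkt.src, variables) and port_matches(rule.dport, pkt.sport))
    return forward and payload_matches(rule.options, pkt.payload)

def evaluate(rules, packets, variables):
    """Return (packet index, sid, msg) for every rule that fires on each packet."""
    return [(i, r.options.get("sid"), r.options.get("msg"))
            for i, pkt in enumerate(packets) for r in rules if rule_matches(r, pkt, variables)]

def run_demo():
    variables = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}  # constructed
    rules = [parse_rule(r) for r in [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; '
        'content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"Inbound SSH from outside"; sid:1000002; rev:1;)',
    ]]
    packets = [  # constructed sample traffic
        Packet("tcp", "203.0.113.5", 44321, "192.168.1.10", 80, b"GET /cgi-bin/../../ETC/passwd HTTP/1.1\r\n"),
        Packet("tcp", "203.0.113.5", 44322, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
        Packet("tcp", "203.0.113.5", 44323, "192.168.1.10", 443, b"GET /etc/passwd HTTP/1.1\r\n"),
        Packet("tcp", "192.168.1.20", 5555, "192.168.1.10", 80, b"GET /etc/passwd HTTP/1.1\r\n"),
        Packet("tcp", "203.0.113.7", 50000, "192.168.1.10", 22, b"SSH-2.0-OpenSSH\r\n"),
    ]
    return evaluate(rules, packets, variables)

if __name__ == "__main__":
    for index, sid, msg in run_demo():
        print(f"packet {index}: sid {sid} {msg}")
```

Only packet 0 (external source, port 80, case-insensitive `/etc/passwd` hit) and packet 4 (external source to port 22) fire; packet 2 fails the port test, and packet 3 is excluded by the `!` negation in `$EXTERNAL_NET` even though its payload matches, which is exactly the tuning a rule's header gives you before any content inspection happens.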

Snort supports logging to MySQL, Oracle, Microsoft SQL Server, and, on the Windows version, ODBC databases. All of these capabilities come for free; the only thing that costs money is 0-day, real-time updates of the rules database. Even real-time updates of the VRT rules are affordable compared with other options: for businesses, a one-year subscription is $499 per sensor for 1-5 sensors.

Performance & Administration (5 out of 5)

Snort has always been a high-performance, lightweight IDS solution. As networks grow in bandwidth and protocols become more complex, Snort keeps pace. As a host-based IDS it is as straightforward to set up and configure as any I’ve ever used. Snort has an excellent set of instructional, training, and reference material available. If you wish to automate updating of signatures, a script and method are provided to do so; administrators must register for a code to use for scripted updates. Thanks to the large community and its contributions, false positives and false negatives are both very low. Likewise, if you want to do something, it’s likely someone has done it before, so it’s simple to find out how.

Overall (5 out of 5)

Snort has long been the most flexible and comprehensive IDS out there. Its original claim to fame was that it was “lightweight”, and it’s still a very compact platform with low overhead. Snort has been integrated into many commercial products and has a large support base. If you require commercial service, integration, and support, the creator of Snort makes that available via Sourcefire. Pricing is competitive, and frankly I’ve always found Snort to be the best of breed in this category.