SNORT Intrusion Detection System

Snort is an excellent Network Intrusion Detection System (IDS). It is free software with capabilities that match or exceed those of many commercial products. As with every IDS it has its advantages and disadvantages, which we sum up here for your convenience:

Advantages:

  • Runs on Linux and Windows
  • Free of licensing costs (you can buy a nice new server AND the installation service for the price of commercial IDSes)
  • Immediately available for download
  • Can be highly customized to your specific environment
  • Can work decentralised, with monitoring probes at different locations of your network reporting to one central database
  • Can process more than 400 Mbit/s per node without dropped packets (a level of performance that commercial IDSes rarely reach)
  • Can use a MySQL database as backend
  • Has a nice web interface with a lot of detail and explanations
  • Can auto-update its rules
  • Can be configured to automatically bring down certain parts of your network when an intrusion occurs (use this with care: an automated response triggered by a false positive is itself an outage an attacker can provoke)
  • Can run on your network without being detectable: a sensor that only listens on a mirror port or tap and carries no IP address on that interface cannot be addressed, scanned or attacked from the monitored segment

Disadvantages:

  • It is difficult to set up by those who have not done it before
  • It requires a properly installed and running Apache, MySQL, PHP and some other software to do its magic
  • It can only be used to do Intrusion Detection behind the firewall (placing the sensor outside the firewall, directly on the Internet-facing segment, generates far too many alerts on traffic the firewall drops anyway)
  • Must be tweaked to reduce the false positives specific to your environment (thresholds and suppressions, tuned per signature and per source rather than by disabling whole rules)
  • The Snort website doesn't give the impression of its advanced features and capabilities
  • The monitoring sensors should be connected with unidirectional (receive-only) Ethernet cables or taps, so that the sensor cannot transmit on the monitored segment; the sniffing interface should also carry no IP address
  • On Windows the installation takes longer and the performance is not so impressive. It is also discouraged because of the security reputation of Windows
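
Tuning the false positives mentioned above is mostly a matter of finding the noisiest signatures and deciding, per signature, whether to suppress them for one known source or to rate-limit them. The script below is an added example written for this page, not part of Snort or of the setup service described here: it parses Snort's "alert_fast" log format (the one-line-per-alert output of Snort 2.x), ranks signatures by hit count, and proposes `suppress` / `event_filter` lines in the syntax of Snort's threshold.conf. The alert lines, the SIDs in the local range (1000001 and up), the hosts and the thresholds are all constructed for the example.

```python
"""Rank noisy Snort signatures and propose threshold.conf tuning lines.

Added example for this page; not Snort's own code. The log sample, SIDs,
addresses and tuning thresholds are constructed for illustration.
"""
import re
from collections import Counter, defaultdict

# Snort 2.x "alert_fast" output. ICMP alerts carry no ports, so ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"(?:\[Priority:\s*(?P<prio>\d+)\]\s+)?"
    r"\{(?P<proto>[A-Za-z]+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample: a monitoring host pinging the gateway every second trips a
# local ICMP rule, a web probe arrives from three sources, one shellcode alert,
# and one junk line that must be ignored.
SAMPLE_LOG = """\
03/14-09:12:01.000123  [**] [1:1000001:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
03/14-09:12:02.000456  [**] [1:1000001:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
03/14-09:12:03.000789  [**] [1:1000001:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
03/14-09:12:04.001011  [**] [1:1000001:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
03/14-09:12:05.001213  [**] [1:1000001:1] LOCAL ICMP PING from monitoring host [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.1.1.54 -> 10.1.1.1
03/14-09:12:05.500000  [**] [1:1000002:2] LOCAL WEB probe for /cgi-bin/ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:41022 -> 10.1.1.80:80
03/14-09:12:06.100000  [**] [1:1000002:2] LOCAL WEB probe for /cgi-bin/ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.11:51234 -> 10.1.1.80:80
03/14-09:12:06.200000  [**] [1:1000002:2] LOCAL WEB probe for /cgi-bin/ [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.12:61234 -> 10.1.1.80:80
03/14-09:12:07.000000  [**] [1:1000003:1] LOCAL SHELLCODE x86 NOOP in SMTP [**] [Classification: Executable code was detected] [Priority: 1] {TCP} 198.51.100.7:25000 -> 10.1.1.25:25
not an alert line at all
"""


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def rank_signatures(alerts):
    """Count alerts per (gid, sid), most frequent first, remembering the message
    and how many hits each source address produced."""
    counts, sources, msgs = Counter(), defaultdict(Counter), {}
    for a in alerts:
        key = (int(a["gid"]), int(a["sid"]))
        counts[key] += 1
        sources[key][a["src"]] += 1
        msgs[key] = a["msg"]
    return [{"gid": g, "sid": s, "msg": msgs[(g, s)], "count": n, "sources": sources[(g, s)]}
            for (g, s), n in counts.most_common()]


def propose_tuning(alerts, min_count=3, single_source_share=0.9, window=60):
    """Emit threshold.conf lines (comment + directive) for signatures that fired
    at least min_count times.

    When nearly all hits come from one address (a monitoring box, a scanner,
    a backup server) the signature is suppressed for that source only, never
    globally. Otherwise it is rate-limited per source with an event_filter,
    so the database is not flooded while the rule still fires once per window.
    """
    lines = []
    for sig in rank_signatures(alerts):
        if sig["count"] < min_count:
            continue
        top_src, top_n = sig["sources"].most_common(1)[0]
        if top_n / sig["count"] >= single_source_share:
            lines.append(f"# {sig['msg']}: {sig['count']} hits, {top_n} from {top_src}")
            lines.append(f"suppress gen_id {sig['gid']}, sig_id {sig['sid']}, track by_src, ip {top_src}")
        else:
            lines.append(f"# {sig['msg']}: {sig['count']} hits from {len(sig['sources'])} sources")
            lines.append(f"event_filter gen_id {sig['gid']}, sig_id {sig['sid']}, type limit, "
                         f"track by_src, count 1, seconds {window}")
    return lines


if __name__ == "__main__":
    for sig in rank_signatures(parse_alerts(SAMPLE_LOG)):
        print(f"{sig['count']:5d}  [{sig['gid']}:{sig['sid']}] {sig['msg']}")
    print()
    print("\n".join(propose_tuning(parse_alerts(SAMPLE_LOG))))
```

Run it against a real alert file by replacing `SAMPLE_LOG` with the contents of `/var/log/snort/alert`, then review every proposed line before appending it to threshold.conf: the script only identifies candidates, and the decision that a signature is noise for a given source is yours. Note that the single-hit shellcode alert is deliberately left untouched; low-volume, high-priority events are exactly what tuning must not hide.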

Other interesting things to look at:

  • ACID is the original web interface for Snort
  • BASE can be seen as the follow-up to ACID and provides a better experience
  • Sguil is a newer standalone client with very interesting features

We can assist you in setting up Snort and automating everything:
In a 2-3 day period we configure Snort in your network. On the first day we set it up on your distribution of choice (additional probes not included). We configure it fully to process network traffic at high speed without dropping frames, set up the MySQL database backend and configure the web interface with its statistics capabilities. After that we tune it to reduce the false positives specific to your network environment and explain the interface to you. Contact us for a price quote.

Our Snort course is integrated in our 'Performance Tuning and Advanced Security' course.


Copyright 2000-2024, Linux Belgium. All rights reserved. Linux is a trademark of Linus Torvalds.
Linux Belgium is a registered trademark of Linux Belgium b.v.b.a. All other trademarks are the property of their respective owners.