SNORT Intrusion Detection System
Snort is a great network intrusion detection system (IDS). It is completely free and has impressive capabilities, including features not found in any commercial IDS. As with all IDSes it has its advantages and disadvantages. We sum them up for your convenience:
Advantages:
Runs on Linux and Windows
Free of licensing costs (you can buy a nice new server AND the installation service for the price of commercial IDSes)
Immediately available for download
Can be highly customized to your specific environment
Can work decentralised, with monitoring probes in different locations of your network
Can process more than 400Mbit/s per node without dropped packets (no commercial IDS has this performance)
Can use a MySQL database as backend
Has a nice web interface with a lot of detail and explanations
Can auto-update its rules
Can be configured to automatically bring down certain parts of your network when an intrusion occurs
Can run on your network without being detectable (also a unique feature)
Disadvantages:
It is difficult to set up for those who have not done it before
It requires a properly installed and running Apache, MySQL, PHP and some other software to do its magic
It can only be used for intrusion detection behind the firewall (connecting it directly to the Internet will generate too many false positives).
It must be tuned to reduce the false positives specific to your environment.
The Snort website does not give a good impression of its advanced features and capabilities.
The monitoring sensors should be connected with unidirectional Ethernet cables (a receive-only tap) to prevent any security concerns.
On Windows the installation takes longer and the performance is not as impressive. It is also discouraged because of the security reputation of Windows.
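To illustrate what the false-positive tuning mentioned above looks like in practice, here is an added example (not from the original page or from the Snort project) using Snort 2.x event-filtering directives as placed in snort.conf or the threshold.conf file it includes. The generator ID 1 refers to ordinary text rules; the signature IDs 1000001 and 1000002 and the 192.0.2.x addresses are placeholders for a noisy rule and trusted hosts in your own network.

```snort
# Added example: Snort 2.x event filtering to cut environment-specific false positives.
# GID 1 = standard text rules; SID 1000001 is a placeholder for the noisy rule in your ruleset.

# Rate-limit instead of silencing: report at most one event per source host every 60
# seconds, so a chatty host still shows up in the web interface without flooding it.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60

# Suppress the rule only for one known-good host (placeholder address: e.g. an internal
# monitoring server that legitimately triggers it). The rule still fires for all other hosts.
suppress gen_id 1, sig_id 1000001, track by_src, ip 192.0.2.10

# Suppress a second rule only for traffic destined to a trusted subnet (placeholder range),
# again without disabling the rule globally.
suppress gen_id 1, sig_id 1000002, track by_dst, ip 192.0.2.0/24
```

Scoping each suppression to a host or subnet, rather than commenting the rule out, keeps the detection active for the rest of the network; Snort must be restarted (or signalled to reload its configuration) after editing these directives.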
Other interesting things to look at:
ACID is the original web interface for Snort
BASE can be seen as the successor to ACID and provides a better experience
sguil is a newer standalone client with very interesting features
We can assist you in setting up Snort and automate everything:
In a 2-3 day period we configure Snort in your network. The first day we set it up on your distribution of choice (not counting additional probes). We configure it fully to be able to process network traffic at high speed without dropping frames, set up the MySQL database backend and configure the web interface with statistics capabilities. After that we configure it to reduce the false positives specific to your network environment and explain the interface to you. Contact us for a price quote.
Our Snort course is integrated in our 'Performance Tuning and Advanced Security' course.
Copyright 2000-2023, Linux Belgium. All rights reserved. Linux is a trademark of Linus Torvalds.
Linux Belgium is a registered trademark of Linux Belgium b.v.b.a. All other trademarks are the property of their respective owners.