Snort, one of the most widely used Intrusion Detection System (IDS) products on the market, is extremely versatile and configurable, and runs on Linux, most UNIX platforms, and Windows. Snort is a fairly difficult product to use fully because of its stark command line interface and its unordered scan and attack data. The difficulty associated with its command line interface, however, has spawned a near cottage industry among Snort developers, who have created a myriad of graphical user interfaces (GUIs) in an attempt to provide an easier means for network security managers to fully configure and use Snort. This analysis will also look at which Snort add-on products are favoured by network security managers.
Although the security marketplace has no shortage of good, reliable intrusion detection systems, one open source product still manages to hold a very prominent position in the security manager's arsenal - Snort.
Snort is one of the most widely used Intrusion Detection System (IDS) products currently on the market (Northcutt & Novak, 2001). Snort is a command line intrusion detection program based on the libpcap packet capture library (http://www.tcpdump.org/). It is extremely versatile and configurable, and runs on Linux, most UNIX platforms, and Windows. According to DataNerds,
“Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba's smbclient.” (DataNerds, 2002).
While the program is very robust and versatile in its ability to detect more than 1200 different types of real-time scans and attacks, it is nonetheless somewhat tedious and difficult to use. Snort employs a rather cryptic command-line interface, and all program configuration is done by manually editing the one configuration file - snort.conf. Snort outputs its detected scans and probes into an unordered hierarchical set of directories and text files. Its output, however, can be made more organized and structured by employing a commonly used database plug-in (add-on) and directing the output to one of several supported SQL database products, such as MySQL (http://www.mysql.com/), PostgreSQL (http://www.postgresql.org/), Oracle (http://www.oracle.com/), or MS SQL Server (http://www.microsoft.com/sql/).
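As an added illustration of what a front-end does with Snort's unordered text output (this is not code from the article or from any Snort GUI), the following script parses lines in Snort's "alert_fast" log format into structured records and groups them by signature, source host and priority, which is the kind of ordering the database plug-in and the GUIs provide. The sample alert lines are constructed, and the rule IDs and addresses in them are placeholders.

```python
import re
from collections import Counter

# Constructed sample of Snort "alert_fast" output (not taken from the article).
SAMPLE_ALERTS = """\
03/14-10:22:01.123456  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.10:4444 -> 198.51.100.5:22
03/14-10:22:02.654321  [**] [1:1000002:3] WEB-CGI example probe [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 192.0.2.10:4445 -> 198.51.100.5:80
03/14-10:22:05.000001  [**] [1:1000001:1] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.11:5555 -> 198.51.100.6:22
03/14-10:22:09.777777  [**] [1:1000003:2] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.12 -> 198.51.100.5
this line is not an alert and is skipped
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src[:port] -> dst[:port]" (IPv4 only, to keep it short).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?\s*$"
)

def parse_alerts(text):
    """Turn raw alert_fast text into dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
            rec[key] = int(rec[key]) if rec[key] is not None else None
        alerts.append(rec)
    return alerts

def summarize(alerts):
    """Group alerts the way a front-end console does: by signature, source host and priority."""
    return {
        "by_signature": Counter(a["msg"] for a in alerts),
        "by_source": Counter(a["src"] for a in alerts),
        "by_priority": Counter(a["prio"] for a in alerts),
        "high_priority": [a for a in alerts if a["prio"] == 1],
    }

if __name__ == "__main__":
    for sig, n in summarize(parse_alerts(SAMPLE_ALERTS))["by_signature"].most_common():
        print(f"{n:4d}  {sig}")
```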
Because of the tediousness of working with a command-line version of Snort, the legion of Snort devotees and developers have created a near cottage industry around developing and improving front-end GUI interfaces to complement Snort. This improvement in the user interface has greatly expanded the use of Snort to non-developers since it not only makes this powerful program more accessible but also more efficient and easier for non-developers to understand ...