Snort IDS installation basics and tips for security resellers

Welcome to the first edition of Snort Report. The goal of this column is to provide value-added resellers (VARs) and security consultants with suggestions for the productive use of Snort

    Requires Free Membership to View

, an open source intrusion detection and intrusion prevention system developed by Marty Roesch and his team at Sourcefire. To provide a solid foundation for future articles, this issue concentrates on installation and fundamentals.

Before discussing technical details, it's important to consider what Snort is -- and what it is not -- so you can "sell" the open source IDS/IPS to reluctant customers and properly set their expectations.

First, Snort is a network traffic inspection program and, when suitably configured, an access control system. Snort is not a "badness-ometer." One cannot expect to run Snort on an arbitrary network location and simply start discovering malicious activity. While it is possible to accomplish this goal, proper understanding of Snort's capabilities, limitations and deployment model is required for effective use. That's where you come in. You cannot simply drop Snort into place on your customer's network and leave it up to them to efficiently manage.

Second, Snort is not "lightweight." When Marty Roesch wrote his 1999 paper on Snort, his use of the term "lightweight" intended to convey the idea that Snort did not use many system resources. "Lightweight" never meant "ineffective." Today, Snort is extremely powerful, but effective use of these powers requires a dedicated system with plenty of RAM (1 GB or more is recommended) and quality components.

Third, although Snort originally relied on content matching in order to identify malicious activity, the program has advanced considerably beyond that simple technique and incorporates today's technologies. Snort indeed uses rules for core functionality, but some of those signatures are exceedingly complicated. Rules work alongside non-signature based decoders and preprocessors to alert users of many sorts of suspicious and malicious activities.

Snort: Fundamentals and installation tips for the channel

 Sniffer mode
 Packet logger mode
 Intrusion detection mode

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).

This was first published in April 2007

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.