Docunext


Snort Notes

January 22nd, 2007

What is Snort?

Snort is a Network Intrusion Detection System (NIDS). Snort can operate in a few different modes, we use it in NIDS mode. This means that Snort listens, captures, and anaylzes all data that comes across it's interface(s). It will alert us after it compares signature data on the host machine to the packet data.

Snort MySQL

We are also using another feature of Snort. Snort has MySQL capabilities built in. You just have to compile it too support MySQL. The primary reason that I do this is, to use a front end. It's much easier for a front end script

too look in a database than a very large flat file. Due to the amount of internet threats these days, your logs can fill up very fast. ACID, BASE, and Squil are frontends that are currently avaliable. They primarly do the same thing, let you look at what Snort stores as an alert. Which is what you've told it too do in the snort configuration. These are just a very easy way too see who's attacking your network, which ports/services, times, days, and other data in an easy fashion.

Snort Related Websites:

http://www.sun.com/bigadmin/features/articles/intrusion_detection.html

RULES/SIGNATURES:

Bleeding Snort

OFFICIAL SNORT:

Snort

Yearly Indexes: 2003 2004 2006 2007 2008 2009 2010 2011 2012 2013 2015 2019 2020