The Intrusion Prevention System (IPS) called Snort has become very popular, so here is some background that may be useful to readers.
An Intrusion Prevention System (IPS) is very similar to an Intrusion Detection System (IDS): both monitor network traffic and look for signs of attack. The difference is that an IPS sits inline on the traffic path, so in addition to detecting an attack it can 'defend' the network by dropping the suspicious packets rather than only raising an alert. Snort itself runs as an IDS by default and acts as an IPS only when it is deployed inline.
Many users are attracted to Snort because it is open source and therefore has a large community that can support them. It is also popular because it runs on almost any operating system.
Snort's main detection method is signature-based: it uses a collection of rules (signatures) that describe the specific events the system should look for. A rule can be as broad as 'any traffic from this IP address' or as narrow as 'a single TCP packet from this source port to this destination network whose payload contains the string MALWARE'. This method is very good against attacks whose packets are already known, because a rule can be written to match them exactly. It is weaker against new, unknown attacks, for which no rule yet exists: a packet that does not match any signature is passed through.
The other method used by an IPS is anomaly-based: the system first builds a baseline of normal activity on the network, and whenever traffic deviates significantly from that baseline it reacts. How it reacts, for example silently logging, raising an alert, or blocking and dropping the packet, depends on how the IPS has been configured. The drawback of this type of IPS is that it raises many false alarms, which becomes a real problem if it has been configured to drop packets, because legitimate but unusual traffic is then blocked too.
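The following is an added example, not code from the original article and not Snort's own mechanism (Snort is primarily signature-based). It shows the baseline method the paragraph describes in its simplest form: a per-host "connections per minute" baseline is computed from a training window, later observations are scored by how many standard deviations they sit from that baseline, and the configured reaction (log, alert or drop) is applied above a threshold. The training values, observations, threshold and mode names are all constructed for this example; a legitimate backup job is included to show the false-positive cost of running in drop mode.

```python
import statistics
from typing import List, Tuple

# Constructed training data for this example (not measured traffic): new connections
# per minute opened by one internal host during a window believed to be normal.
TRAINING_WINDOW = [12, 15, 11, 14, 13, 16, 12, 14, 15, 13]

# Constructed later observations: (description, connections in that minute).
OBSERVATIONS = [
    ("steady afternoon traffic", 17),
    ("outbound port scan", 200),
    ("nightly backup job (legitimate)", 40),
]


def build_baseline(samples: List[int]) -> Tuple[float, float]:
    """Baseline = mean and sample standard deviation of the normal window."""
    return statistics.fmean(samples), statistics.stdev(samples)


def z_score(baseline: Tuple[float, float], value: float) -> float:
    """How many standard deviations `value` sits above or below the baseline mean."""
    mean, stdev = baseline
    return (value - mean) / stdev if stdev else 0.0


def react(baseline: Tuple[float, float], value: float,
          threshold: float = 3.0, mode: str = "log") -> str:
    """Apply the configured reaction ('log', 'alert' or 'drop') when the observation
    deviates more than `threshold` standard deviations from the baseline; else 'pass'."""
    if mode not in ("log", "alert", "drop"):
        raise ValueError(f"unknown mode {mode!r}")
    return mode if abs(z_score(baseline, value)) > threshold else "pass"


def evaluate(mode: str = "log", threshold: float = 3.0) -> List[Tuple[str, float, str]]:
    """Score every observation against the baseline and return (label, z, action)."""
    baseline = build_baseline(TRAINING_WINDOW)
    return [(label, round(z_score(baseline, v), 1), react(baseline, v, threshold, mode))
            for label, v in OBSERVATIONS]


if __name__ == "__main__":
    for mode in ("log", "drop"):
        print(f"mode={mode}")
        for label, z, action in evaluate(mode):
            print(f"  {label:32} z={z:6.1f} -> {action}")
```

With this baseline (mean 13.5, standard deviation about 1.6) the port scan is flagged, but so is the backup job at roughly 17 standard deviations. In log or alert mode that is a nuisance an analyst can triage; in drop mode it silently breaks the backup. The usual practice is to run a new anomaly profile in log mode first, then either raise the threshold or retrain the baseline on a window that includes the scheduled job before enabling drop.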
As an IPS, Snort must provide a lot of analytical features in real time. These include:
- Traffic analysis
- Packet logging, which the system administrator can review later
- Protocol analysis
- Content search/matching, which is critical for spotting specific attacks. Most rules have already been written by the Snort community, so users usually only need to add a rule file to the configuration and then run Snort with that configuration.
- Detection of attacks such as buffer overflows, stealth port scans, CGI attacks, SMB probes and OS fingerprinting
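The following is an added example and is not code from the original article or from the Snort project. It illustrates both the signature method described earlier (a rule that matches a TCP packet from a given source port to a given network whose payload contains 'MALWARE') and the content-matching feature in the list above, by parsing a small subset of Snort's rule syntax and evaluating rules against constructed packets. The rules, SIDs, addresses and payloads are all made up for the example, and the parser is deliberately simplified: it understands the header fields, a literal `content:` string and `msg:`/`sid:`, but not hex `|..|` content, `nocase`, offsets or other modifiers.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Rule:
    action: str             # alert, log or drop
    proto: str
    src_ip: str             # "any" or a CIDR / single address
    src_port: str           # "any", a port, or a range such as 1024:65535
    dst_ip: str
    dst_port: str
    msg: str
    content: Optional[bytes]  # literal bytes that must appear in the payload
    sid: int


# Rule header: action proto src_ip src_port -> dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|drop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+->\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s+\((?P<opts>.*)\)\s*$"
)


def parse_rule(text: str) -> Rule:
    """Parse one Snort-style rule line (simplified subset, see lead-in)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    opts = {}
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if opt:                                   # options are key:value pairs
            key, _, val = opt.partition(":")
            opts[key.strip()] = val.strip().strip('"')
    content = opts.get("content")
    return Rule(action=m.group("action"), proto=m.group("proto"),
                src_ip=m.group("src_ip"), src_port=m.group("src_port"),
                dst_ip=m.group("dst_ip"), dst_port=m.group("dst_port"),
                msg=opts.get("msg", ""),
                content=content.encode() if content is not None else None,
                sid=int(opts["sid"]))


def _ip_matches(spec: str, ip: str) -> bool:
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" in spec:                               # range, e.g. 1024:65535 or :1023
        lo, _, hi = spec.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """All header fields must match and, if the rule has content, it must be in the payload."""
    return (rule.proto in (pkt.proto, "ip")
            and _ip_matches(rule.src_ip, pkt.src_ip)
            and _port_matches(rule.src_port, pkt.src_port)
            and _ip_matches(rule.dst_ip, pkt.dst_ip)
            and _port_matches(rule.dst_port, pkt.dst_port)
            and (rule.content is None or rule.content in pkt.payload))


_SEVERITY = {"drop": 3, "alert": 2, "log": 1, "pass": 0}


def inspect(rules: List[Rule], pkt: Packet) -> Tuple[str, List[int]]:
    """Evaluate every rule against one packet. Returns the inline verdict (strongest
    action among matching rules, 'pass' if none matched) and the matching SIDs."""
    hits = [r for r in rules if rule_matches(r, pkt)]
    verdict = max((r.action for r in hits), key=_SEVERITY.get, default="pass")
    return verdict, [r.sid for r in hits]


# Constructed sample rules and packets for this example (not real signatures or traffic).
SAMPLE_RULES = [
    'drop tcp any 1337 -> 192.168.1.0/24 any (msg:"MALWARE marker from port 1337"; content:"MALWARE"; sid:1000001;)',
    'alert tcp any any -> 192.168.1.0/24 22 (msg:"SSH connection attempt"; sid:1000002;)',
]
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 1337, "192.168.1.10", 8080, b"GET / MALWARE"),    # matches the drop rule
    Packet("tcp", "10.0.0.5", 1337, "192.168.1.10", 8080, b"GET / malicious"),  # same attacker, unknown payload
    Packet("tcp", "10.0.0.6", 40000, "192.168.1.20", 22, b"SSH-2.0-client"),    # alert only, not dropped
    Packet("tcp", "10.0.0.5", 1337, "172.16.0.9", 80, b"MALWARE"),              # destination outside the rule's network
]


def run_sample() -> List[Tuple[str, List[int]]]:
    rules = [parse_rule(r) for r in SAMPLE_RULES]
    return [inspect(rules, p) for p in SAMPLE_PACKETS]
```

The second packet is the weakness the article mentions: it comes from the same source and port as the first, but because its payload does not contain the literal string the rule looks for, no signature fires and the verdict is pass. The fourth shows why rule headers are scoped to a network: the same payload sent to an address outside 192.168.1.0/24 is ignored by this rule. In a real deployment the action keyword (alert versus drop) is what turns a detection-only rule into a prevention rule when Snort runs inline.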