Snort is an open source network intrusion detection and prevention system (NIDS/NIPS). It is capable of performing real-time traffic analysis and packet logging on internet protocol (IP) networks.
It can also perform protocol analysis and content searching and matching.
Snort can be used to detect a variety of attacks and probes, including buffer overflows, stealth port scans, server message block (SMB) probes, common gateway interface (CGI) attacks, and operating system fingerprinting attempts.
It helps protect personal and traffic data, such as credit card numbers, visited websites, bank account numbers, and usernames and passwords, from being captured by an intruder while you use a network, including wireless (Wi-Fi) networks.
Snort can be configured to run in three main modes:
- Sniffer: Read network packets and display them for you in a continuous stream on the console
- Packet Logger: Log packets to the disk for network traffic debugging
- Network Intrusion Detection (NIDS): Monitor network traffic and analyze it against a user-defined rule set
The Network Intrusion Detection mode is the most complex and configurable mode.
Snort is comprised of two major components:
- Snort Engine: a detection engine that utilizes a modular plug-in architecture
- Snort Rules: Flexible rule language to describe traffic to be collected
The Snort Engine is distributed both as source code and as binaries for popular Linux distributions and Windows. It's important to note that the Snort Engine and Snort Rules are distributed separately.
Snort 2.9 for Linux introduces the Data Acquisition (DAQ) library for packet I/O. DAQ replaces direct calls to libpcap functions with an abstraction layer that lets Snort operate on a variety of hardware and software interfaces without requiring changes to Snort itself.
Snort Rules
Snort uses a simple, lightweight rules description language that is flexible and quite powerful. Rules are a different detection methodology from signatures and bring the advantage of 0-day detection to the table.
Unlike a signature, a rule is written to detect the actual vulnerability, not a specific exploit or a unique piece of data.
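To make the rule language concrete, the following Python program is an added example (not Snort's own code) that parses two constructed rules written in Snort's header-plus-options syntax and evaluates constructed packets against them. The SIDs, the `$HOME_NET`/`$EXTERNAL_NET` bindings and the packet contents are assumed for the example; it handles the rule header (action, protocol, addresses, ports, direction), the `content` option with pipe-delimited hex bytes and the `nocase` modifier, and deliberately omits the many other options, preprocessors and PCRE support that real Snort provides.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed rules in Snort rule syntax; the SIDs are placeholders, not real Snort rule IDs.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI cgi-bin access"; content:"/cgi-bin/"; nocase; sid:1000001; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SMB probe"; content:"|FF|SMB"; sid:1000002; rev:1;)
"""

# Variable bindings that snort.conf would normally supply (values assumed for this example).
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)
# key:value; pairs; a value is either a quoted string or anything up to the next ';'
OPTION_RE = re.compile(r'(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def decode_content(text: str) -> bytes:
    """Turn a content string such as "|FF|SMB" into bytes: segments between
    pipes are hex, everything else is literal."""
    out = bytearray()
    for i, part in enumerate(text.strip('"').split("|")):
        if i % 2 == 1:  # odd-numbered segments sit between a pair of pipes
            out += bytes.fromhex(part.replace(" ", ""))
        else:
            out += part.encode("latin-1")
    return bytes(out)


def parse_rule(line: str) -> dict:
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError(f"not a rule: {line}")
    rule = m.groupdict()
    options = OPTION_RE.findall(rule.pop("opts"))  # order matters: nocase modifies the preceding content
    contents = []
    for key, val in options:
        if key == "content":
            contents.append([decode_content(val), False])
        elif key == "nocase" and contents:
            contents[-1][1] = True
    rule["contents"] = [tuple(c) for c in contents]
    rule["msg"] = next((v.strip('"') for k, v in options if k == "msg"), "")
    rule["sid"] = next((v.strip() for k, v in options if k == "sid"), "")
    return rule


def load_rules(text: str) -> list:
    return [parse_rule(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]


def addr_matches(spec: str, ip: str) -> bool:
    spec = VARS.get(spec, spec)  # resolve $VAR, then allow "any", a CIDR, or a "!"-negated CIDR
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if ":" not in spec:
        return port == int(spec)
    lo, hi = spec.split(":")  # range such as "1:1024", ":1024" or "1024:"
    return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)


def header_matches(rule: dict, pkt: Packet) -> bool:
    def one_way(src, sport, dst, dport):
        return (addr_matches(rule["src"], src) and port_matches(rule["sport"], sport)
                and addr_matches(rule["dst"], dst) and port_matches(rule["dport"], dport))
    if rule["proto"] not in ("any", "ip", pkt.proto):
        return False
    if one_way(pkt.src, pkt.sport, pkt.dst, pkt.dport):
        return True
    return rule["dir"] == "<>" and one_way(pkt.dst, pkt.dport, pkt.src, pkt.sport)


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if not header_matches(rule, pkt):
        return False
    for pattern, nocase in rule["contents"]:
        hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
        if needle not in hay:
            return False
    return True


def evaluate(rules: list, pkt: Packet) -> list:
    """Return (sid, msg) for every rule the packet triggers."""
    return [(r["sid"], r["msg"]) for r in rules if rule_matches(r, pkt)]


if __name__ == "__main__":
    rules = load_rules(SAMPLE_RULES)
    # Constructed packets: a CGI probe from outside, the same probe from inside, and an SMB probe.
    for pkt in [
        Packet("tcp", "203.0.113.5", 51234, "192.168.1.10", 80, b"GET /CGI-BIN/test.cgi HTTP/1.1\r\n"),
        Packet("tcp", "192.168.1.50", 51234, "192.168.1.10", 80, b"GET /cgi-bin/test.cgi HTTP/1.1\r\n"),
        Packet("tcp", "192.168.1.20", 40000, "192.168.1.30", 445, b"\x00\x00\x00\x2f\xffSMBr"),
    ]:
        print(pkt.src, "->", pkt.dst, pkt.dport, evaluate(rules, pkt))
```

The second packet is the instructive one: the payload matches the `content` pattern, but the rule's `$EXTERNAL_NET` source excludes the home network, so the header check fails and no alert fires. That is the kind of scoping decision a rule writer makes to keep false positives down.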
There are two sets of rules distributed. The Community Ruleset is freely available to all users. The Snort Subscriber Rule Set is made available to users in the following ways:
- Subscribers will receive rulesets in real-time as they are released
- Registered users will receive rulesets 30 days after subscribers
- Unregistered users will receive access to the community ruleset
The rules are available for download on the download page.