Snort
Back in the early 90s, a basic Layer 3 firewall was more than sufficient to safeguard your private network from the public Internet. Back then most folks were connecting through dial-up; some of you may not remember it, but let me tell you those were the golden years of the Internet. Most viewed cyberspace as a good thing, to be used for the benefit of all; certainly not the doom-and-gloom, virus-infected, financially driven, credit-card-stealing black market it has become today. As the Internet has grown up we have seen exponential growth in the number of threats targeting anyone willing or unwilling to play along. Net result: security tactics had no choice but to evolve. These days it’s no longer enough to simply hang a Layer 3 firewall as your Internet gateway and hope for the best. Today, at bare minimum, an “Intrusion Detection” security layer is a must. An “IDS” certainly is not the magic bullet of Internet security, but as any security expert will tell you, layering security controls produces the best results.

Over the years many vendors have established themselves as IDS experts offering a plethora of devices, and for the consumer it’s a tough decision. Only after asking many specific questions, analyzing your requirements and, of course, your budget can you decide on one or another. I can’t comment on your individual environments; however, what I will tell you is that the Open Source community has once again pulled together and developed a product synonymous with Intrusion Detection and Open Source security called “Snort”. It’s an interesting name and certainly shows the playful cleverness of the white-hat hacker community. Currently at version 2.9, Snort has been around since 1998 and was created by Martin Roesch. In 2009 Snort was entered into InfoWorld’s Hall of Fame as one of the best pieces of software of all time. In my view Snort is the de facto standard of intrusion detection. Its flexibility, modular design, cross-platform support, vast detection signature library and excellent performance put Snort ahead of any other intrusion detection device, appliance or software available today.
Snort has 3 basic modes of operation: packet sniffer, packet logger, or intrusion detection engine. It works best on Linux but has successfully been ported to Windows. Its use on a Windows Server is quite respectable, but for heavy lifting I would suggest Linux. As a sniffer and logger Snort is flexible with its output options, ranging from a simple text file, local or remote Syslog, or an alert file to simple screen output. But it really shines and comes alive as an Intrusion Detection engine, and what an engine! Sourcefire, Snort’s primary sponsor, a company started by Snort’s creator, offers commercial support and provides certified Snort detection signatures through an annual paid subscription. Windows-centric environments with a Sourcefire subscription will receive certified detection signatures on Patch Tuesday. In addition, Sourcefire offers turnkey Snort devices for the uninitiated. But if you like getting your hands dirty, Snort has lots to offer. Its support community is vast and online documentation is virtually infinite. I would consider Snort one of the most mature Open Source projects out there and wouldn’t blink an eye when asked about Snort’s enterprise worthiness.
Snort developers have modularized it to the fullest, starting with version 1.5. They’ve created what they call ‘preprocessors’, which are modular plug-ins able to extend Snort’s base functionality. For example, one preprocessor may reassemble IP fragments, another can track TCP sessions, and yet another looks for port scans. This design makes Snort very extensible with excellent performance. Best yet, should your environment not require a specific preprocessor, Snort will happily move along with it disabled. This design makes Snort lean and mean. Sourcefire has taken a similar approach with their detection signatures, creating a large category pool with Sourcefire-certified signatures and open, community-driven rules. Those with a Sourcefire subscription will have immediate access to the latest Sourcefire Certified rule set. Despite such commercial aspirations Sourcefire has not forgotten the community, because I’m happy to say it grants free access to certified rules 30 days after their initial release. What’s the catch? You have to register with Sourcefire; that’s it, no strings attached. If that wasn’t enough, for those of you feeling adventurous or requiring custom rules, Snort has you covered. Its rule-writing format has become the industry standard, mainly because it is fairly intuitive (rocket science degree not required). With all these tasty ingredients Snort is a winning combination when compared to other tools. However, there is a downside … and that, my friends, we’ll discuss next week.
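To show what the preprocessor and rule pieces above look like in practice, here is an added snort.conf fragment for Snort 2.9 (my own illustration, not from the Snort project): it enables the three preprocessor families mentioned (fragment reassembly, session tracking, port-scan detection), shows how one is simply left out when not needed, and adds a custom local rule. The network ranges, rule path, message text and the SID 1000001 are assumed example values.

```snort
# --- Example snort.conf fragment (constructed for illustration) ---
# Assumed addressing for the protected network; adjust to your site.
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
var RULE_PATH /etc/snort/rules

# frag3: reassembles fragmented IP traffic so rules see whole packets.
# The target-based policy tells Snort how the protected hosts reassemble.
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy linux bind_to $HOME_NET

# stream5: tracks TCP/UDP sessions; this is what makes the
# flow:established keyword in rules meaningful.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no
preprocessor stream5_tcp: policy linux, ports both all
preprocessor stream5_udp: timeout 180

# sfportscan: watches for port and host sweeps; "sense_level low"
# is the least noisy setting, raise it only after tuning.
preprocessor sfportscan: proto { all } scan_type { all } sense_level { low }

# A preprocessor you do not need is simply not declared (or commented
# out) and Snort runs without it, e.g. no ARP spoof detection here:
# preprocessor arpspoof

# Local rules live in their own file; SIDs 1000000 and above are
# reserved for site-specific rules so they never collide with
# Sourcefire or community rule IDs.
include $RULE_PATH/local.rules

# --- Contents of local.rules (constructed example) ---
# Alert once per established inbound SSH session to the protected
# network. flow: uses stream5 state; content:/depth: looks for the
# protocol banner at the start of the payload.
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL inbound SSH session established"; flow:to_server,established; content:"SSH-"; depth:4; classtype:misc-activity; sid:1000001; rev:1;)
```

Validate the file before deploying with `snort -T -c /etc/snort/snort.conf`, which parses the configuration and rules without sniffing traffic.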
