Detection and prevention: 6 intrusion detection systems tested

Snort 2.1.3
Snort started out as an open source IDS for Linux (and similarly flavoured systems), and is now even available as a Win32 binary. We downloaded this version briefly just to see how it ran on a Windows 2000 machine. The application also requires WinPcap v2.3 (the Windows packet capture architecture library) to be installed. This Win32 version of Snort runs in a very similar command-line mode to the Linux version. Personally we prefer to stick with the Linux environment for Snort.

We installed Snort on a Slackware 9.1 environment on the test machine. The Linux installation takes slightly longer than the Win32 package, mainly because it needs to be compiled and installed from the source code. Libpcap 0.8.3 is also required, and must be installed on the system prior to installing Snort.

Once Snort is installed, running it in basic mode is very straightforward, enabling the administrator to specify what data to collect and where to store it. However, this is just the basics. Snort is a totally rules-based IDS, with 2427 pre-defined rules available at the time we reviewed the product; undoubtedly there is something in there for everyone. The supporting documentation for most of the rules is also very well presented, allowing administrators to get to the root of the attacks they may be experiencing.
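To show what "rules-based" means in practice, here is an added example (not code from the review or from the Snort project) that parses one constructed Snort 2.x-style rule and evaluates it against a few constructed packets; the rule text, the $HOME_NET value and the packets are all assumptions, and only the header fields plus the msg/content/sid options are handled.

```python
import re

# Constructed rule in Snort 2.x syntax (not taken from the Snort rule set).
RULE = ('alert tcp any any -> $HOME_NET 80 '
        '(msg:"WEB-MISC /etc/passwd access"; content:"/etc/passwd"; sid:1000001;)')

HOME_NET = {"192.168.1.10"}  # assumed set of monitored web servers


def parse_rule(text):
    """Split a rule into header fields and a dict of option key/value pairs."""
    header, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', body))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "opts": opts}


def _addr_match(spec, addr):
    if spec == "any":
        return True
    if spec == "$HOME_NET":          # variable expanded from the config
        return addr in HOME_NET
    return spec == addr


def _port_match(spec, port):
    return spec == "any" or int(spec) == port


def matches(rule, pkt):
    """Return the rule's msg if the packet triggers it, otherwise None."""
    if rule["proto"] != pkt["proto"]:
        return None
    if not (_addr_match(rule["src"], pkt["src"]) and _port_match(rule["sport"], pkt["sport"])):
        return None
    if not (_addr_match(rule["dst"], pkt["dst"]) and _port_match(rule["dport"], pkt["dport"])):
        return None
    content = rule["opts"].get("content")
    if content is not None and content.encode() not in pkt["payload"]:
        return None                  # header matched but payload pattern did not
    return rule["opts"].get("msg")


def scan(rule_text, packets):
    """Apply one rule to a packet list; return (source, msg) for every hit."""
    rule = parse_rule(rule_text)
    return [(p["src"], msg) for p in packets if (msg := matches(rule, p))]


# Constructed sample traffic (not real captures): only the first packet hits
# both the $HOME_NET destination and the content pattern.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 41000, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.6", "sport": 41001, "dst": "192.168.1.10", "dport": 80,
     "payload": b"GET /index.html HTTP/1.0\r\n"},
    {"proto": "tcp", "src": "10.0.0.7", "sport": 41002, "dst": "192.168.1.20", "dport": 80,
     "payload": b"GET /etc/passwd HTTP/1.0\r\n"},
]
```

Running `scan(RULE, PACKETS)` reports only the 10.0.0.5 packet; the third packet carries the same payload but its destination is outside $HOME_NET, which is why getting the HOME_NET variable right matters as much as the rule body.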

Snort is not necessarily a standalone application. While Snort applies the rules and logs the data, there is a range of add-on applications such as Barnyard, LogHog, SnortSentry, and Acid as well as a plethora of other tools and user interfaces or front ends. There's even a plugin for the webmin management console. These tools assist with tasks such as configuration, offloading data handling, viewing logs, generating reports, and analysing the collected data.

While it's not necessarily everyone's cup of tea, Snort would definitely provide an entry into the IDS field, and something is definitely better than nothing. Snort could ideally be deployed to monitor specific ports on the network for traffic. It could even be used as a portable network monitoring tool running on a notebook or older system for diagnostics or intermittent traffic monitoring and analysis. According to the Snort Web site, the package will soon be upgraded to include IPS functionality.


Product Snort 2.1.3
Price Free under the GNU General Public Licence
Vendor Snort
Phone +410 423 1901 (SourceFire)
Web www.snort.org
Interoperability

Supports Microsoft Windows and Linux.
Futureproofing ½
Very thorough, in-depth application with plenty of updates and third-party add-ons.
ROI ½
Free, but not necessarily easy.
Service ½
No vendor support, GNU licence. Online community support is available.
Rating
