2. What is Snort?
• Snort is an open-source network Intrusion Detection and Prevention System (NIDS/IPS).
• The de facto standard among intrusion detection tools.
• Capable of performing real-time traffic analysis and packet logging on IP networks.
• It can perform:
  • Protocol analysis
  • Content searching/matching
  • Detection of a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.
3. What is NIDS?
• There are two prominent locations for any type of activity within a system: on endpoints and between them.
• So, there are two types of intrusion detection systems:
  • The host-based IDS (HIDS)
  • The network intrusion detection system (NIDS)
Source: https://www.comparitech.com/net-admin/network-intrusion-detection-tools/
6. Snort Modes
• Sniffer Mode: Snort works as a packet capture system that shows passing traffic in a viewer on the Snort console, just like tcpdump.
• Packet Logger Mode: this option writes the collected packets, including headers and payload data, to a file.
• Intrusion Detection Mode: this is the distinctive use of Snort; it sets Snort apart from all other packet sniffers and makes it a defense system rather than just a tool for research.
8. Snort Rules
• Snort rules are extremely flexible and easy to modify, unlike many commercial NIDS.
• 4050 community rules in the latest version (v3.0).
• Rules are grouped into various category files, for example:
  • web-frontpage.rules, web-iis.rules, web-misc.rules
  • web-attacks.rules, sql.rules, x11.rules
  • icmp.rules, netbios.rules, misc.rules
  • backdoor.rules, shellcode.rules, policy.rules
  • porn.rules, info.rules, icmp-info.rules
9. Snort Rules (Cont.)
> alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - program execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)
This rule caught a compromise of Microsoft SQL Server.
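As an added example (not from the slides and not Snort's own parser), the following Python splits the sid:687 rule above into its header fields and options, expands the |00| hex escapes in the content string, and applies the nocase match to a constructed TCP payload. It shows why the rule looks for null-interleaved bytes: MS-SQL carries query text over TDS as UTF-16LE, so a plain ASCII "xp_cmdshell" would not trigger it. The rule grammar handled here is a simplified subset, assumed for illustration.

```python
import re

# Simplified Snort rule grammar: header fields followed by "(options)".
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# Snort content syntax: literal text with |..| delimiting runs of hex bytes.
PIPE_RE = re.compile(r"\|([0-9A-Fa-f\s]*)\|")

# Copy of the rule shown on the slide (sid:687), joined onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $SQL_SERVERS 1433 (msg:"MS-SQL xp_cmdshell - '
        'program execution"; content:"x|00|p|00|_|00|c|00|m|00|d|00|s|00|h|00|e|00|l|00|l|00|"; '
        'nocase; flags:A+; classtype:attempted-user; sid:687; rev:3;)')


def parse_rule(rule: str) -> dict:
    """Split a Snort rule into header fields plus an options dict."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule")
    info = m.groupdict()
    opts = {}
    # Options are 'key:value;' or bare flags like 'nocase;'; values may be quoted.
    for key, val in re.findall(r'(\w+)(?::\s*("[^"]*"|[^;]*))?;', info.pop("opts")):
        opts[key] = val.strip('"') if val else True
    info["options"] = opts
    return info


def content_to_bytes(pattern: str) -> bytes:
    """Expand a Snort content string such as 'x|00|p|00|' into raw bytes."""
    out, pos = bytearray(), 0
    for m in PIPE_RE.finditer(pattern):
        out += pattern[pos:m.start()].encode("latin-1")
        out += bytes.fromhex(m.group(1))
        pos = m.end()
    out += pattern[pos:].encode("latin-1")
    return bytes(out)


def rule_matches_payload(rule: dict, payload: bytes) -> bool:
    """Apply the rule's content (and nocase, if set) to a TCP payload."""
    needle = content_to_bytes(rule["options"]["content"])
    if rule["options"].get("nocase"):
        # bytes.lower() only folds ASCII letters, so the |00| bytes stay intact.
        return needle.lower() in payload.lower()
    return needle in payload


if __name__ == "__main__":
    r = parse_rule(RULE)
    # Constructed TDS-style payload: the query text is UTF-16LE, as MS-SQL sends it.
    hit = "EXEC master..XP_CMDSHELL".encode("utf-16-le")
    print(r["options"]["msg"], "->", rule_matches_payload(r, hit))
```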
10. Snort Deployment Options
• In addition to the source code, packages are available to get Snort running on Fedora, CentOS, FreeBSD, and Windows.