Snort is an open source IDS (Intrusion detection system) written by Martin Roesch.
It was bought by the commercial company SourceFire which was bought itself by the FireWall Giant CheckPoint in 2005.
Like Tcpdump, Snort uses the libpcap library to capture packets.
Snort can be runned in 4 modes:
- sniffer mode: snort will read the network traffic and print them to the screen.
- packet logger mode: snort will record the network traffic on a file
- IDS mode: network traffic matching security rules will be recorded (mode used in our tutorial)
- IPS mode: also known as snort-inline (IPS = Intrusion prevention system)
Snort is a very powerful tool and is known to be one of the best IDS on the market even when compared to commercial IDS.
A lot of people in the very active snort community are sharing their security rules which is very useful if you are not an security expert and wants to have up-to-date rules.
The SourceFire company is releasing very frequent new security rules that can be downloaded either for free some days after their releases or immediatly but for money.
By chance, The bleedingsnort community create security rules for free directly after their releases.
Another tool is needed to display the logs generated by the Snort IDS and sent into the database. This tool is BASE for Basic Analysis and Security Engine. It is in fact a php script displaying alerts on a web interface.