Snort
Snort falls into the category of Network Intrusion Detection Systems (NIDS). It is the best open source program of this type that I am aware of. Port scan detection is a subset of NIDS so one can rightfully assume that snort handles this as well.
Pros:
Snort is portable across multiple platforms using the libpcap library.
Because it is entirely a packet capture NIDS, it doesn't suffer from Port Sentry's port binding and is able to see a lot more of what's going on underneath.
Snort can act as a tcpdump like packet analyser, a packet logger (for gathering statistical data around your network, or as an NIDS).
Snort can output in tcpdump format letting you analyse snort logs with many of the already existing programs that interpret tcpdumps.
Snort can be configured to detect specific exploits going through your network which a program like Port Sentry can not. It is legal to port scan a machine in most countries, all a port scan detector is good for is to act as an early warning system (because port scans often precede exploit attempts). Software like snort can also analyse packets looking for specific exploits, and logging the session. This is good from an evidence point of view, or simply detecting what specific exploits are being launched against you.
The exploits that snort looks out for are configurable using rules, the default rules detect hundreds of exploits from aforementioned Bind/Wu-FTPD (right down to the specific exploit type by analysing the packet) to DOS attacks to a variety of well known web exploits to pings of death to netbios exploits. Basically if there is a network based exploit with a discernable pattern it should be trivial to to create a rule to detect it. http://www.snort.org and http://www.whitehats.com carry up to date rules (and user submitted rules).
Snort is also extensible using plugins, the base package already contains a number of useful plugins.
Snort does passive port scan detection, it won't advertise services that do not exist or in any capacity give away the fact that you are running an IDS. Snort's port scanner plugin is also much more adept than Port Sentry at detecting various Stealth scans. You can also configure the plugin to report scans only if they scan multiple ports at a particular rate, compared to the classic Port Sentry way of getting triggered when somebody connects to a bound port.
There is an experimental plugin for snort (called spade) which detects anomalous network traffic. It's quite configurable and basically lets you take a more statistical approach to NIDS, rating unusual traffic by the frequency with which they occur. Another plugin is being developed that will use spade to pinpoint the most likely attacker in an nmap decoy scan
Snort can be used to detect attacks across an entire network, not just on a single machine.
Conclusion:
Snort is a fine piece of software, there is certainly no comparison with Port Sentry, it does so much more, and where they do the same thing, Snort does it much better. Without a bit of configuring (especially WRT ignoring DNS server traffic) you might get more information than you want, but the configuration files are organised in such a way that you can comment out an include line to ignore a certain class of exploits.
<hr>
You can see the entier article here: http://www.linux.ie/articles/portsentryandsnortcompared.php which compares between Snort and Port Sentry. For the most part it sounds like Snort is a much better piece of software as compared to Port Sentry. I have used Port Sentry in the past but some of the points this article makes seem pretty good and I think I will be using Snort instead. Port Sentry could potentially open you up to a DOS attack.
December 25th, 2002, 9:14 pm
