Network Intrusion Detection Systems - Snort

  • Bigwebmaster
  • Site Admin
  • Posts: 9091
  • Loc: Seattle, WA & Phoenix, AZ

Snort
Snort falls into the category of Network Intrusion Detection Systems (NIDS). It is the best open source program of this type that I am aware of. Port scan detection is a subset of NIDS so one can rightfully assume that snort handles this as well.


Pros:
Snort is portable across multiple platforms using the libpcap library.

Because it is entirely a packet capture NIDS, it doesn't suffer from Port Sentry's port binding and is able to see a lot more of what's going on underneath.

Snort can act as a tcpdump-like packet analyser, a packet logger (for gathering statistical data around your network), or as an NIDS.

Snort can output in tcpdump format letting you analyse snort logs with many of the already existing programs that interpret tcpdumps.

Snort can be configured to detect specific exploits going through your network, which a program like Port Sentry cannot. It is legal to port scan a machine in most countries; all a port scan detector is good for is to act as an early warning system (because port scans often precede exploit attempts). Software like snort can also analyse packets looking for specific exploits, and log the session. This is good from an evidence point of view, or simply for detecting what specific exploits are being launched against you.

The exploits that snort looks out for are configurable using rules; the default rules detect hundreds of exploits, from the aforementioned Bind/Wu-FTPD (right down to the specific exploit type by analysing the packet) to DOS attacks to a variety of well known web exploits to pings of death to netbios exploits. Basically, if there is a network based exploit with a discernible pattern it should be trivial to create a rule to detect it. http://www.snort.org and http://www.whitehats.com carry up to date rules (and user submitted rules).

Snort is also extensible using plugins; the base package already contains a number of useful plugins.

Snort does passive port scan detection; it won't advertise services that do not exist or in any capacity give away the fact that you are running an IDS. Snort's port scanner plugin is also much more adept than Port Sentry at detecting various stealth scans. You can also configure the plugin to report scans only if they scan multiple ports at a particular rate, compared to the classic Port Sentry way of getting triggered when somebody connects to a bound port.

There is an experimental plugin for snort (called spade) which detects anomalous network traffic. It's quite configurable and basically lets you take a more statistical approach to NIDS, rating unusual traffic by the frequency with which it occurs. Another plugin is being developed that will use spade to pinpoint the most likely attacker in an nmap decoy scan.

Snort can be used to detect attacks across an entire network, not just on a single machine.

Conclusion:
Snort is a fine piece of software; there is certainly no comparison with Port Sentry, it does so much more, and where they do the same thing, Snort does it much better. Without a bit of configuring (especially WRT ignoring DNS server traffic) you might get more information than you want, but the configuration files are organised in such a way that you can comment out an include line to ignore a certain class of exploits.


You can see the entire article here: http://www.linux.ie/articles/portsentryandsnortcompared.php which compares Snort and Port Sentry. For the most part it sounds like Snort is a much better piece of software as compared to Port Sentry. I have used Port Sentry in the past but some of the points this article makes seem pretty good and I think I will be using Snort instead. Port Sentry could potentially open you up to a DOS attack.
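The quoted article's point about rate-based port scan reporting (flagging a source only when it touches several ports within a short window, instead of on the first connection to a bound port) can be illustrated with a small sliding-window detector. This is an added example written for this thread, not code from Snort or the linux.ie article; the threshold, window and sample connection records are all constructed.

```python
"""Rate-based port scan detection over constructed connection records.
A source is reported only when it touches more than PORT_THRESHOLD distinct
destination ports within WINDOW_SECONDS; a single hit on one port never fires.
Added example, not Snort's portscan plugin; thresholds are assumed values."""
from collections import defaultdict, deque

PORT_THRESHOLD = 5      # distinct ports a source may touch before being flagged (assumed)
WINDOW_SECONDS = 10.0   # length of the sliding window in seconds (assumed)

# Constructed sample of (timestamp, src_ip, dst_ip, dst_port) connection attempts.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", "192.168.1.10", 22),
    (1.0, "10.0.0.5", "192.168.1.10", 23),
    (2.0, "10.0.0.5", "192.168.1.10", 25),
    (3.0, "10.0.0.5", "192.168.1.10", 80),
    (4.0, "10.0.0.5", "192.168.1.10", 110),
    (5.0, "10.0.0.5", "192.168.1.10", 143),    # 6th distinct port in 5 s: flagged
    (0.5, "10.0.0.7", "192.168.1.10", 80),     # ordinary client: one port, repeatedly
    (6.0, "10.0.0.7", "192.168.1.10", 80),
    (0.0, "10.0.0.9", "192.168.1.10", 21),     # slow probe: one port every 30 s,
    (30.0, "10.0.0.9", "192.168.1.10", 22),    # never more than one port per window
    (60.0, "10.0.0.9", "192.168.1.10", 23),
    (90.0, "10.0.0.9", "192.168.1.10", 25),
    (120.0, "10.0.0.9", "192.168.1.10", 80),
    (150.0, "10.0.0.9", "192.168.1.10", 110),
]


def detect_scans(events, threshold=PORT_THRESHOLD, window=WINDOW_SECONDS):
    """Return [(src_ip, alert_time, sorted_distinct_ports)] for sources whose
    distinct-port count inside the window exceeds the threshold.
    Events are sorted by timestamp first, so unordered input is accepted;
    each source is reported once, when it first crosses the threshold."""
    history = defaultdict(deque)   # src_ip -> deque of (ts, port) inside the window
    alerted = set()
    alerts = []
    for ts, src, _dst, port in sorted(events):
        recent = history[src]
        recent.append((ts, port))
        # Drop entries that have aged out of the sliding window.
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        distinct_ports = {p for _, p in recent}
        if len(distinct_ports) > threshold and src not in alerted:
            alerted.add(src)
            alerts.append((src, ts, sorted(distinct_ports)))
    return alerts


if __name__ == "__main__":
    for src, when, ports in detect_scans(SAMPLE_EVENTS):
        print(f"port scan from {src} at t={when}s, ports {ports}")
```

The slow probe from 10.0.0.9 stays below threshold because only one of its connections ever sits in the window at a time; lengthening the window or lowering the threshold trades that blind spot for more noise, which is the tuning the article alludes to.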
  • Borrow -A- Geek
  • Professor
  • Posts: 763
  • Loc: Dallas/Ft Worth, Texas

Actually, speaking of DOS attacks, I can't seem to find the article, but I read that the version of BIND that ships with Red Hat 7.3 - 8.0 is vulnerable to a DOS attack. I'll look for it and post it in a new thread.

As far as snort goes, how long has it actually been out? Because when you're talking security, you can never be too safe... but from what I've read there it looks like it has been very well thought out.

Also, is it GNU or does it cost? If it's GNU, who knows, it may start shipping with future OSs.

my 2¢
  • Bigwebmaster
  • Site Admin
  • Posts: 9091
  • Loc: Seattle, WA & Phoenix, AZ

Snort is all open source and is free. It appears it has been tested for a long time. You can check the website out here:

http://www.snort.org

The oldest version there looks like it was from around 11-18-1998. So it's definitely been out and tested for a while. Plus it's open source and I am sure they get a lot of feedback on it. Finally, their team looks like a decent size:

http://www.snort.org/team.html

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.