This chapter examines common techniques for capturing packets and analyzing their contents. We will install Snort and experiment with the main ways it can be used: first as a packet sniffer, then as a packet logger, and finally as a full network intrusion detection system (NIDS).
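The three modes named above map onto three command lines. The following script is an added example, not code from the book: it composes and runs the Snort 2.x invocation for each mode so the flags that distinguish sniffer, packet logger, and NIDS operation can be compared side by side. The interface name, log directory, and configuration path are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the book): the three Snort 2.x invocation modes
# the chapter walks through. Flag meanings are Snort 2.x command-line options:
#   -v  print packet headers to the terminal (sniffer mode)
#   -d  also dump the application-layer payload
#   -e  also print the link-layer (Ethernet) header
#   -i  interface to listen on
#   -l  write captured packets to this directory (packet logger mode)
#   -c  read rules and settings from this configuration file (NIDS mode)
#   -A  alert output mode; "console" prints alerts to the terminal
# IFACE, LOGDIR and CONF below are assumptions; adjust them for your host.

IFACE="${IFACE:-eth0}"
LOGDIR="${LOGDIR:-./snortlog}"
CONF="${CONF:-/etc/snort/snort.conf}"

# Compose the command line for a mode without executing it, so the flag
# set for each mode can be inspected (or tested) on a host without Snort.
snort_cmd() {
    case "$1" in
        sniffer) echo "snort -v -d -e -i $IFACE" ;;
        logger)  echo "snort -d -e -i $IFACE -l $LOGDIR" ;;
        nids)    echo "snort -d -e -i $IFACE -l $LOGDIR -c $CONF -A console" ;;
        *)       echo "unknown mode: $1" >&2; return 1 ;;
    esac
}

# Run a mode. The log directory is created first because Snort exits with
# an error when -l points at a directory that does not exist. If the snort
# binary is missing, the command that would have run is reported instead.
run_snort() {
    mode="$1"
    cmd=$(snort_cmd "$mode") || return 1
    case "$mode" in logger|nids) mkdir -p "$LOGDIR" ;; esac
    if ! command -v snort >/dev/null 2>&1; then
        echo "snort not installed; would run: $cmd" >&2
        return 2
    fi
    # shellcheck disable=SC2086
    $cmd
}

# Usage: sh snort-modes.sh sniffer | logger | nids
case "${1:-}" in
    sniffer|logger|nids) run_snort "$1" ;;
esac
```

Sniffer and logger modes need no configuration file; only NIDS mode reads one, which is why `-c` appears solely in the last command line. Running any of these requires root (or capture privileges) on the chosen interface.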
Snort is perhaps the best-known open source intrusion detection system available. It is designed primarily to be run from the command line, but it has been integrated into several other applications, ported to a range of platforms, and used as the engine for many third-party tools. Snort is actively maintained and remains one of the strongest open source IDS options available for download.
Snort was first developed in November 1998, originally as a packet sniffer; it has since grown into much more. Each week Snort is downloaded by thousands of users and developers, and it is deployed in environments of every size, from small office and home networks to corporate networks worldwide. It has been ported to a variety of platforms, so finding a release for your operating system should be no problem. I currently run Snort on Windows, FreeBSD, Linux, and Solaris.
No discussion of Snort would be complete without mentioning its commercial counterpart. The Snort developers created their own company, Sourcefire, which supplies an intrusion detection appliance for enterprise-level ...