Chapter 7. Creating and Managing Snort Rules
Snort is a signature-based intrusion detection system. While the preprocessors do not rely on signatures to generate alerts on potential malicious traffic, the heart of Snort’s ability to detect intrusion is the catalog of signatures located in the rules files. Being a signature-based IDS is both a strength and weakness.
Because Snort is signature-based, it can be configured for specific threats—the latest worm, the latest IIS exploit, and so on. The rules watch for the specific contents of a packet or for strange settings in the headers. This allows the security administrator to quickly determine the nature of the potential attack since he can easily examine the rule that triggered the alert (as well as the packet itself with some of the other tools available, like ACID or SnortCenter). A comparison is commonly made between signature-based IDS and antivirus software. Both have a catalog of signatures that they use to match against a stream of data flowing by a sensor component. In antivirus software, this process is accomplished by a software component that watches memory and filesystem access. An IDS, on the other hand, watches packets traveling the network.
To detect the latest attack methods, you need the latest signatures (although I’ve been surprised at how often a generic signature will draw my attention to a new kind of attack that does not have its own rule). As a result, it is important to keep the rules as up to date as is ...
Get Managing Security with Snort & IDS Tools now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.