An IDS is a specialized program that knows how to parse and interpret network traffic and send alarms to interested parties based on configured signatures or rules, similar to a burglar alarm. IDSes give the security administrator a window into the inner workings of the network: the ability to analyze internal network traffic and to identify vulnerabilities before a major system crash or database corruption.
The strength of an IDS is its capability to continuously watch the packets on your network, understand them at the binary level, and alert you when something suspicious matches a signature or rule. These rules or signatures need to be updated regularly for any IDS to be relied upon.
Snort is an open-source IDS deployed by many organizations around the world. It runs on multiple OSes and is heavily supported by its community. Snort's architecture consists of four basic components.
- The Sniffer
- The Preprocessor
- The Detection Engine
- The Output
The packet sniffer in Snort is used to eavesdrop on network traffic. The preprocessor reads the packets captured by the sniffer and sends them to the appropriate plug-in, for example an FTP plug-in. These plug-ins check the packets for a certain type of behaviour. Once a packet is determined to exhibit a particular type of behaviour, it is sent to the detection engine. The detection engine takes the data that comes from the plug-ins and checks it against a set of rules. These rules can be written using a language like Perl. If a rule matches the packet, an alert can be sent to the alert processor, which logs the details and/or sends an alert via email to interested parties.
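To make the four-stage pipeline concrete, here is an added example (not Snort's own code) that models sniffer output, an FTP preprocessor plug-in, a detection engine and the alert output in Python. It assumes a simplified subset of Snort's rule syntax and uses constructed packets; the preprocessor step also shows how a missing normalization turns into a false negative.

```python
import re

# Constructed rule in a simplified subset of Snort's syntax (an assumption):
# action proto src sport -> dst dport (msg:"..."; content:"..."; sid:N;)
RULES_TEXT = """
alert tcp any any -> any 21 (msg:"FTP login as root"; content:"USER root"; sid:1000001;)
"""
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+\S+\s+\S+\s+->\s+\S+\s+(\S+)\s+\((.*)\)$')

def parse_rules(text):
    """Turn rule lines into dicts the detection engine can evaluate."""
    rules = []
    for line in text.strip().splitlines():
        m = HEADER.match(line.strip())
        if not m:
            raise ValueError("unparseable rule: " + line)
        action, proto, dport, opts = m.groups()
        opt = dict(o.strip().split(":", 1) for o in opts.split(";") if o.strip())
        rules.append({"action": action, "proto": proto, "dport": dport, "sid": int(opt["sid"]),
                      "msg": opt["msg"].strip('"'), "content": opt["content"].strip('"')})
    return rules

def preprocess(pkt):
    """FTP plug-in: FTP verbs are case-insensitive, so upper-case the verb. Without
    this, 'user root' would be missed by a rule written as 'USER root' (false negative)."""
    if pkt["proto"] == "tcp" and pkt["dport"] == 21:
        verb, sep, rest = pkt["payload"].partition(" ")
        pkt = dict(pkt, payload=verb.upper() + sep + rest)
    return pkt

def detect(rules, pkt):
    """Detection engine: header fields first, then the content option."""
    return [(r["sid"], r["msg"], pkt["src"], pkt["dst"]) for r in rules
            if r["proto"] == pkt["proto"]
            and r["dport"] in ("any", str(pkt["dport"]))
            and r["content"] in pkt["payload"]]

def run_ids(rules_text, packets):
    """Sniffer output -> preprocessor -> detection engine -> output (alert list)."""
    rules = parse_rules(rules_text)
    return [a for p in packets for a in detect(rules, preprocess(p))]

# Constructed packets standing in for what the sniffer would capture.
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 21, "payload": "user root"},
    {"proto": "tcp", "src": "10.0.0.5", "dst": "10.0.0.9", "dport": 21, "payload": "PASS hunter2"},
    {"proto": "tcp", "src": "10.0.0.6", "dst": "10.0.0.9", "dport": 80, "payload": "GET /USER root HTTP/1.0"},
]
```

`run_ids(RULES_TEXT, PACKETS)` yields a single alert for the first packet; the third packet carries the same content but is ignored because the rule header restricts it to port 21.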
With any IDS there will be some false positives and false negatives. A false positive is when Snort raises an alert when it should not, in other words a false alarm. At the opposite end you can get false negatives: someone compromises a Snort-monitored system and your Snort sensor does not detect it. It is the security administrator's job to tune the sensor so as to minimize both false positives and false negatives.
Snort can be downloaded from www.snort.org

