Why Is Everyone Talking About Snort?

According to snort.org, Snort is the leading open-source Intrusion Prevention System (IPS) in the world. An IPS can stop someone from getting into your network. Before using Snort, I recommend you understand networking fundamentals such as the OSI model (the framework used to describe the functions of a networking system). Snort uses a series of rules that help identify dangerous network activity: it matches packets (a packet is just a set of information sent across a network) against those rules and generates alerts for users. Snort has three primary uses: as a packet sniffer like Wireshark, as a packet logger, which is useful for network traffic debugging, or as a full-blown network intrusion prevention system. One important thing to know about Snort is the difference between Snort version 2 and Snort version 3. Snort configuration and the community rules are also important when you first start using Snort.

Snort version 3 is a completely new version of Snort and a big upgrade from Snort version 2. Some of the new features in Snort 3 include processing of raw files, more help from the command line, and over 200 new plugins. One issue you will find when upgrading from Snort 2 to Snort 3 is that rule configurations are different. Snort2Lua can convert a Snort 2 configuration file into Lua files (Lua is the language of the Snort 3 configuration files) compatible with Snort 3. Not all Snort 2 rule files are supported in Snort 3, but Snort2Lua will do its best to convert the file.

The four Snort rule types are local rules created by you, community rules, registered rules, and subscriber rules (these require a paid subscription). Community, registered, and subscriber rules can be downloaded from snort.org.

Here is an example of a Snort rule via researchgate.net:

This rule should alert you to an ICMP attack (a denial-of-service attack) against your specified IP address. This attack floods your network with ICMP messages to prevent your network or server from working properly.
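To make the structure of such a rule concrete, here is an added example that is not part of the original post or of the Snort project. It defines a hypothetical ICMP-flood alert rule (the destination address 192.168.1.10, the SID 1000001 and the 20-packets-in-5-seconds threshold are made-up values), parses the rule header and options the way Snort lays them out, and then runs a simplified version of Snort's `detection_filter` logic over constructed packet records. Real Snort fires on the count-th and every subsequent matching packet from the tracked source within the time window; the sliding-window check below approximates that behaviour and is an assumption made for illustration, not Snort's own implementation.

```python
import re
from collections import defaultdict

# Constructed example rule (not from the original post). It alerts on ICMP echo
# requests (itype 8) aimed at a protected host once one source has sent at least
# 20 of them within 5 seconds. Address, SID and threshold are hypothetical values.
EXAMPLE_RULE = (
    'alert icmp any any -> 192.168.1.10 any ('
    'msg:"ICMP flood toward protected host"; itype:8; '
    'detection_filter:track by_src, count 20, seconds 5; '
    'classtype:attempted-dos; sid:1000001; rev:1;)'
)

# A Snort rule is "action proto src_ip src_port -> dst_ip dst_port (options;)".
HEADER_RE = re.compile(
    r'^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<options>.*)\)\s*$'
)


def parse_rule(text):
    """Split a rule into its header fields and a dict of its options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule header")
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop('options').split(';'))):
        key, _, value = opt.partition(':')
        opts[key.strip()] = value.strip().strip('"')
    rule['options'] = opts
    return rule


def parse_detection_filter(value):
    """'track by_src, count 20, seconds 5' -> {'track': 'by_src', 'count': 20, 'seconds': 5}"""
    fields = dict(p.strip().split() for p in value.split(','))
    return {'track': fields['track'], 'count': int(fields['count']),
            'seconds': int(fields['seconds'])}


def header_matches(rule, pkt):
    """Check protocol, addresses and the itype option against one packet record."""
    if rule['proto'] != pkt['proto']:
        return False
    for side in ('src', 'dst'):
        want = rule[f'{side}_ip']
        if want != 'any' and want != pkt[side]:
            return False
    itype = rule['options'].get('itype')
    return itype is None or int(itype) == pkt.get('itype')


def run_rule(rule, packets):
    """Simplified detection_filter: alert on every matching packet once a source
    has reached `count` matches inside a sliding window of `seconds`."""
    df = parse_detection_filter(rule['options']['detection_filter'])
    seen = defaultdict(list)
    alerts = []
    for pkt in packets:
        if not header_matches(rule, pkt):
            continue
        key = pkt['src'] if df['track'] == 'by_src' else pkt['dst']
        window = [t for t in seen[key] if pkt['ts'] - t < df['seconds']]
        window.append(pkt['ts'])
        seen[key] = window
        if len(window) >= df['count']:
            alerts.append((pkt['ts'], key, rule['options']['msg']))
    return alerts


def build_sample_traffic():
    """Constructed traffic: one flooding source, one normal pinger, one stray packet."""
    flood = [{'ts': 100.0 + i * 0.1, 'proto': 'icmp', 'src': '10.0.0.5',
              'dst': '192.168.1.10', 'itype': 8} for i in range(25)]
    benign = [{'ts': 100.0 + i * 1.0, 'proto': 'icmp', 'src': '10.0.0.9',
               'dst': '192.168.1.10', 'itype': 8} for i in range(3)]
    other = [{'ts': 101.0, 'proto': 'icmp', 'src': '10.0.0.5',
              'dst': '192.168.1.20', 'itype': 8}]
    return sorted(flood + benign + other, key=lambda p: p['ts'])


if __name__ == '__main__':
    parsed = parse_rule(EXAMPLE_RULE)
    for ts, src, msg in run_rule(parsed, build_sample_traffic()):
        print(f"{ts:.1f} {src} {msg}")
```

With the constructed traffic, only the 25-packet burst from 10.0.0.5 crosses the threshold, so the rule fires six times (on packets 20 through 25); the three slow pings from 10.0.0.9 and the packet to a different host never alert. That is the property a threshold rule is meant to have: a normal `ping` stays quiet while a flood does not.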

Other programs like Snort include Wireshark and tcpdump. If you do not want to write your own rules, the subscriber and community rules will be very useful to you. If you are just getting started with Snort, I recommend jumping straight to Snort 3. In conclusion, Snort is a powerful free tool that should be added to every information security professional's toolkit.

Thank you for visiting my blog!
