Snort – the de facto standard for intrusion detection/prevention

What is Snort?

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient.

Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion prevention system.

The Power of Open Source Development

The roots of Snort’s development methodology hail from the Open Source movement, a movement pioneered by Richard Stallman at MIT during the 1980’s. The idea behind Open Source is that all software should have source code available and be developed by communities of interested developers. This ideology and the power that it unleashes to develop superior software was further explained and highlighted in what is considered to be the seminal treatise on Open Source development, “The Cathedral and the Bazaar” by Eric S. Raymond. In “The Cathedral and the Bazaar”, Raymond outlines how the Open Source development methodology can be leveraged to create superior software compared to traditional proprietary methods. The Snort project relies on this ideology heavily and it’s impact shows, in test after test Snort has come out at or near the top of the heap when compared head to head with other sensor technologies.

The Snort Community

The power and reach of Snort is due in large part to the power and reach of the Snort user community. Aside from the seasoned developers at Sourcefire, there are literally thousands of experienced programmers reviewing and testing the functionality and rule sets. By leveraging the “many eyeballs” theory that was popularized by Eric Raymond and used to launch Linux to success in the operating systems market, people in the open source Snort community worldwide can detect and respond to bugs and other security threats more quickly and efficiently than in a “closed” environment.

To help foster this sense of community and provide a platform for users to share their ideas and experiences, local Snort User Groups have been formed throughout the world. To find a user group in your area, click here.


Open Source Security Information Management | OSSIM

Ossim stands for Open Source Security Information Management. Its goal is to provide a comprehensive compilation of tools which, when working together, grant a network/security administrator with detailed view over each and every aspect of his networks/hosts/physical access devices/server/etc…
Besides getting the best out of well known open source tools, some of which are quickly described below these lines, ossim provides a strong correlation engine, detailed low, mid and high level visualization interfaces as well as reporting and incident managing tools, working on a set of defined assets such as hosts, networks, groups and services.

All this information can be limited by network or sensor in order to provide just the needed information to specific users allowing for a fine grained multi-user security environment. Also, the ability to act as an IPS (Intrusion Prevention System) based on correlated information from virtually any source result in a useful addition to any security professional.


Ossim features the following software components:

  • Arpwatch, used for mac anomaly detection.
  • P0f, used for passive OS detection and os change analisys.
  • Pads, used for service anomaly detection.
  • Nessus, used for vulnerability assessment and for cross correlation (IDS vs Security Scanner).
  • Snort, the IDS, also used for cross correlation with nessus.
  • Spade, the statistical packet anomaly detection engine. Used to gain knowledge about attacks without signature.
  • Tcptrack, used for session data information which can grant useful information for attack correlation.
  • Ntop, which builds an impressive network information database from which we can get aberrant behaviour anomaly detection.
  • Nagios. Being fed from the host asset database it monitors host and service availability information.
  • Osiris, a great HIDS.
  • OCS-NG, Cross-Platform inventory solution.
  • OSSEC, integrity, rootkit, registry detection and more.

From :