Home > Security Channel Tips > Snort Report > Snort IDS installation basics and tips for security resellers
Security Channel Tips:
EMAIL THIS
 TIPS & NEWSLETTERS TOPICS 

Snort IDS installation basics and tips for security resellers


Richard Bejtlich
Rating: -3.00- (out of 5)

Welcome to the first edition of Snort Report. The goal of this column is to provide value-added resellers (VARs) and security consultants with suggestions for the productive use of Snort, an open source intrusion detection and intrusion prevention system developed by Marty Roesch and his team at Sourcefire. To provide a solid foundation for future articles, this issue concentrates on installation and fundamentals.

Before discussing technical details, it's important to consider what Snort is -- and what it is not -- so you can "sell" the open source IDS/IPS ...


RELATED CONTENT
Open Source Security Software
Network session data analysis with Snort and Argus
How to use shared object rules in Snort
Why is the Snort IDS still alive and thriving?
Is Snort right for the IDS needs of all clients?
What is the difference between Snort and Bro?
How can the operator test Snort?
What does the future hold for Snort?
What extra functionality do Snort add-ons provide?
Does Snort support target-based intrusion detection?
Will deploying Snort detect malicious events quickly?

Open Source Security Tools
Using SnortSP and Snort 2.8.2
OSSEC Host-Based Intrusion Detection Guide
How to find new features in Snort 2.8.2
How to use shared object rules in Snort
Snort frequently asked questions
How to test Snort
How to run IDS Snort on Red Hat Enterprise Linux 5
Working with Snort's unified output
Output options for Snort data
Snort IDS upgrade and tips on the Snort.conf file

Network intrusion detection and prevention defenses
Network security services issues to watch out for in 2010
Top security channel tips and topics for 2009
SIEM services help customers with security monitoring
Implementing IDS/IPS technologies: Managing politics and accountability
Juniper launches mid-level security appliances
Must-haves for wireless network security: WLAN switches, intrusion detection and more
Host-based IDS/IPS Partner Program Directory
Understanding Snort's Unified2 output
Network security algorithms introduction
Searching for multiple strings in packet payloads

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary


to reluctant customers and properly set their expectations.

First, Snort is a network traffic inspection program and, when suitably configured, an access control system. Snort is not a "badness-ometer." One cannot expect to run Snort on an arbitrary network location and simply start discovering malicious activity. While it is possible to accomplish this goal, proper understanding of Snort's capabilities, limitations and deployment model is required for effective use. That's where you come in. You cannot simply drop Snort into place on your customer's network and leave it up to them to efficiently manage.

Second, Snort is not "lightweight." When Marty Roesch wrote his 1999 paper on Snort, his use of the term "lightweight" intended to convey the idea that Snort did not use many system resources. "Lightweight" never meant "ineffective." Today, Snort is extremely powerful, but effective use of these powers requires a dedicated system with plenty of RAM (1 GB or more is recommended) and quality components.

Third, although Snort originally relied on content matching in order to identify malicious activity, the program has advanced considerably beyond that simple technique and incorporates today's technologies. Snort indeed uses rules for core functionality, but some of those signatures are exceedingly complicated. Rules work alongside non-signature based decoders and preprocessors to alert users of many sorts of suspicious and malicious activities.

About the author
Richard Bejtlich is founder of TaoSecurity, author of several books on network security monitoring, including Extrusion Detection: Security Monitoring for Internal Intrusions, and operator of the TaoSecurity blog (taosecurity.blogspot.com).

Rate this Tip
To rate tips, you must be a member of SearchSecurityChannel.com.
Register now to start rating these tips. Log in if you are already a member.




DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

HomeNewsTopicsITKnowledge ExchangeTipsMultimediaWhite PapersBlogsEvents
About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
SEARCH 
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2006 - 2010, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts