Bad Packets: Snort -- the Dobermans behind the firewall

Snort , an open-source intrusion detection system (IDS) package, is the highly-trained Doberman pack that roams the company grounds, pawing at intruders.

Wes Simonds

Let's face it. In an age when monolithic software corporations are being assailed by the same people who worked

like fiends to put Al Capone away, we need all the first-caliber alternative software solutions we can get.

And in this department one can hardly find a better example than Snort, the open-source intrusion detection system (IDS) package, which is as good or better than many leading commercial products. Snort is available for a surprising variety of platforms including Linux, BSD UNIX (probably including Mac OS X, which is of course based on FreeBSD), Solaris, and Win32.

Half a million people have downloaded Snort. Of them, a large percentage -- say, a lot -- have found that it provides an excellent security supplement to the standard company firewall. If a firewall is the initial gate, Snort is the highly-trained Doberman pack that roams the company grounds, pawing at intruders, sniffing at their packets in a deceptively unobtrusive manner and occasionally, when things are manifestly uncool, biting them gently in half.

Uncool in this context is primarily determined by rules which govern the types of network activity and traffic which fall outside predefined guidelines. Snort continually analyzes traffic, looking for violations of the rules before acting. These can be created from scratch or downloaded from the Net and deployed in the product immediately, which is a great timesaving feature since in many cases there are commonly-held, rapidly-updated, and fairly site-independent rules of thumb concerning, for instance, problematic SNMP traffic or peak server CPU utilization which can tag a hacker long before you realize he's there to be tagged.

I read yesterday on searchNetworking's excellent sister site, searchSecurity, that Snort has finally been released in a commercial-grade package. My initial reaction to this article was that Snort was already commercial-grade, but I soon discovered that Martin Roesch, the lead developer, has added impressive management features.

These include "the OpenSnort Management Console, an appliance based on Snort, and the OpenSnort Sensor that gives network and enterprise IT managers a central console to view intrusion and attack data."

Well -- fair enough. The strongest argument against open-source products in general is that they are too difficult to deploy and too counterintuitive to use. That being the case, these added features, in conjunction with precompiled binaries, should be pie to the technical managers out there who'd love to use Snort but simply haven't got the time to do things like download, compile, install and support open-source code themselves.

Of course, what's probably the single most valuable new aspect of the "commercial-grade" release of the product is a marketing, rather than technical, advantage. I refer to the fact that it has a company behind it -- Sourcefire, now just past its first birthday -- instead of just a man (and a large and happy installed base of users who communicate via a list).

There are, after all, network administrators who believe that open-source solutions aren't to be trusted because nobody's responsible when nobody's paid. Money makes the world go 'round, and when you haven't given anyone any money for a product, how much service can you expect in return?

If, according to this logic, you can't pick up the phone and pay a hundred dollars an hour for the chance to wait in a company tech support queue for forty-five minutes, finally speaking to a phone monkey who is generally more interested in his bagel than your problem... then by golly, you're just not getting the enterprise-class service you deserve.

Well, I certainly hope this isn't one of the new Snort's commercial-grade features, since Snort has a reputation for top-drawer support as it stands. Although I am also sure if enough people demand it, Sourcefire will deploy it.

As a side note, I have found that many people critique Snort on the grounds that it does not come with an associated drinking game.

Folks, that is nothing but a myth. I can't have you thinking Snort requires sobriety when so many of you depend on hidden flasks of bourbon just to get through the workday.

MORE INFORMATION:

Commercial grade of Snort arrives

A drinking game for members of the Snort user list

Bad Packets: SNMP risk? Neil Diamond knew

Dig deeper on Network Security Monitoring and Analysis

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchSDN

SearchEnterpriseWAN

SearchUnifiedCommunications

SearchMobileComputing

SearchDataCenter

SearchITChannel

Close