SNORT® is probably the most widely used IDS in the world; it is free and open source, and is run by Sourcefire.
We'll look here at the basic possible architectures for deploying the SNORT IDS, as it is always run with companion software.
Although it can be run standalone, it is usually combined with other software to increase reliability, usability and performance. We'll look at these combinations here.
1. Presentation of the SNORT NIDS
Here is the basic SNORT NIDS structure:
SNORT can output alerts to a database, a syslog server, or simply display them in console mode. It can, of course, output to any combination of these three.
Besides that, it can log suspicious packets in raw mode (PCAP format) for later, more detailed analysis.
2. SNORT / MYSQL / APACHE / BASE
Although the SNORT IDS can output alerts in console mode or send them to a syslog server, a MySQL database is almost always used, as it makes consulting and sorting the data easy.
Likewise, a web GUI is handy for easy access to the MySQL database, as well as for data display, consultation and analysis.
Here, SNORT logs alerts to a MySQL database. With the help of an Apache web server, a web-based GUI (BASE) is used to monitor the SNORT alerts. Although other SNORT GUIs exist (SGUIL, OSSIM, Snorby, ...), BASE is very easy to set up and ideal for newcomers.
This is the simplest SNORT NIDS setup, great for beginners thanks to its easy learning curve, although it has some performance and reliability issues compared to a more robust setup.
We'll just add an update tool: Pulledpork is the official ruleset updater for SNORT:
We'll see in a following post how to practically implement this easy setup.
3. SNORT / BARNYARD2 / APACHE / BASE
Here, a spooler is added to the software chain. Barnyard2 is a spooler specially designed for SNORT:
Here SNORT can concentrate on its main duty, sniffing network traffic, and just logs raw binary data to the HDD. Barnyard2 gathers this data and handles the task of sending it to the MySQL database. Barnyard2 is very clever: when it starts, it looks for any data SNORT may have left behind on disk and processes it. Likewise, it detects when the MySQL database is offline and pauses sending data to it; when it sees the MySQL database is up again, it resumes sending.
Using Barnyard2 adds some complexity to the overall software chain, makes troubleshooting harder, and requires a manual build (there is no apt-get package for Barnyard2 in the Debian repository).
This spooling job, handled by Barnyard2, brings full efficiency, reliability and performance to SNORT.
Of course, here too the Pulledpork updater is added to the picture, for ruleset updates:
We'll see in a following post how to practically implement this more robust setup too.
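As an added illustration of the SNORT / Barnyard2 chain described above (these fragments are not from the original post), here is a minimal snort.conf output section, the matching barnyard2.conf, and the commands that tie the two together. The file paths, sensor name, interface name and database credentials are assumptions.

```conf
# --- /etc/snort/snort.conf (output section) ---
# SNORT only writes raw binary unified2 records to disk and never touches
# MySQL itself; each spool file is rotated at 128 MB.
output unified2: filename snort.u2, limit 128

# --- /etc/snort/barnyard2.conf ---
config logdir: /var/log/snort
config hostname: sensor1          # assumed sensor name, stored with each event
config interface: eth0            # assumed sniffing interface
# The waldo file is Barnyard2's bookmark into the spool. On restart it resumes
# from this position, which is how data SNORT left behind while Barnyard2 was
# down gets picked up instead of lost.
config waldo_file: /var/log/snort/barnyard2.waldo
input unified2
# Events are forwarded to the MySQL database that BASE reads. If MySQL goes
# offline, Barnyard2 stops consuming the spool and catches up once it is back.
output database: log, mysql, user=snort password=CHANGEME dbname=snort host=localhost

# --- Starting the chain (assumed paths; run as shell commands) ---
# snort -q -D -c /etc/snort/snort.conf -i eth0 -l /var/log/snort
# barnyard2 -D -c /etc/snort/barnyard2.conf -d /var/log/snort -f snort.u2 -w /var/log/snort/barnyard2.waldo
# pulledpork.pl -c /etc/snort/pulledpork.conf   # fetch new rules, then restart SNORT to load them
```

Because SNORT and Barnyard2 only share the spool directory, the database and BASE can be taken down for maintenance without the sensor dropping alerts.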
- SNORT® is a registered trademark of Sourcefire, Inc. -