Snort, Information Security Magazine’s pick for Open Source Product of the year 2003, is one of the best examples of the IT community working together to build a capability. Please notice I did not say a tool, but rather, a capability. Snort’s extensible architecture and open source distribution has long made it an ideal choice for intrusion detection. Snort is amazingly flexible with its plug-in architecture and all its supporting tools such as: ACID, barnyard, and swatch. Snort runs on a large number of hardware platforms and OS configurations, and is one of the most widely ported pieces of security software in the world. Analysts with expensive commercial intrusion detection systems still turn to Snort to fill in the gaps.
The creator of Snort, Marty Roesch, originally envisioned Snort as a lightweight intrusion detection system, and it was initially designed as a network packet sniffer.You can run Snort without specifying a ruleset and view all of the traffic traversing a network on the same network segment. As Snort has continually grown, with enhancements from Marty, as well as with a lot of community-contributed code, it has become a full-featured, real-time IP traffic analysis and packet logging system. And though this is a book about Snort, not about intrusion detection per se, you will learn about all the parts of Snort from how to write a rule to becoming familiar with the numerous auxiliary tools used. For example, Barnyard, Andrew Baker’s contribution to Snort, solves one of the hardest problems in intrusion detection:You want the data the IDS collects to end up in a database to facilitate advanced analysis, but databases are slow. If you are running Snort on a busy network a slow database will eventually lead to dropping packets and that is a bad thing, but Barnyard addresses this problem. In short, you will benefit from this book whether you are already running Snort or if you are a beginner.