[ Team LiB ] Previous Section Next Section

Recipe 9.20 Getting Started with Snort

9.20.1 Problem

You want to set up Snort, a network-intrusion detection system.

9.20.2 Solution

Snort is included with SuSE but not Red Hat. If you need it (or you want to upgrade), download the source distribution from http://www.snort.org and unpack it:

$ tar xvpzf snort-*.tar.gz

Then compile it:

$ cd `ls -d snort-* | head -1`
$ ./configure
$ make

and install the binary and manpage as root:

# make install

Next, create a logging directory. It should not be publicly readable, since it will contain potentially sensitive data:

# mkdir -p -m go-rwx /var/log/snort

Finally, install the configuration files and rules database:

# mkdir -p /usr/local/share/rules
# cp etc/* rules/*.rules  /usr/local/share/rules

9.20.3 Discussion

Snort is a network intrusion detection system (NIDS), sort of an early-warning radar system for break-ins. It sniffs packets from the network and analyzes them according to a collection of well-known signatures characteristic of suspicious or hostile activities. This may remind you of an anti-virus tool, which looks for patterns in files to identify viruses.

By examining the protocol information and payload of each packet (or a sequence of packets) and applying its pattern-matching rules, Snort can identify the telltale fingerprints of attempted buffer overflows, denial of service attacks, port scans, and many other kinds of probes. When Snort detects a disturbing event, it can log network trace information for further investigation, and issue alerts so you can respond rapidly.

9.20.4 See Also

snort(8). The Snort home page is http://www.snort.org.

    [ Team LiB ] Previous Section Next Section