Snort is a lightweight network intrusion detection system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. Snort uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plugin architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients using Samba’s smbclient.
Snort has three primary uses. It can be used as a straight packet sniffer like tcpdump(1), a packet logger (useful for network traffic debugging, etc), or as a full blown network intrusion detection system.
Snort logs packets in either tcpdump(1) binary format or in Snort’s decoded ASCII format to logging directories that are named based on the IP address of the “foreign” host
Snort should work any place libpcap does, and is known to have been compiled successfully for Mac OS X server.
Sounds kind of complicated to some people, there isn’t a Graphical User Interface for this program on the Mac OS X yet so it is command line. Setting up is simple, once unpacked read through the documentation, that is where you will find information on installing and using Snort.
What are Snort Rules?
The rules are what Snort looks for, like virus definition files it defines what to watch for. By looking @ the Snort website and reading the Current Snort Rule file you will see the flexibility of the definitions. If you want to watch for something specific you may create your own snort rule file and snort will monitor it for you.
Snort is a open source project and remains free to the user. Because unix based development has updates and changes often the link below goes directly to their download area. There you will download either the source or the RPM, and compile or install. We are sure to see a Mac OS X install package in the near future for this application for now you have to be a little unix savvy.
One of the great things about Snort is it is BSD compatible so Mac OS X users may use this free program to run network intrusion tests. Programs on the windows platform cost up to $5000.00. If your interested in security this is a must for Mac OS X users.
To learn more about Snort and its capabilities visit Snort.org