What Is Snort
Snort is a mature IDS (Intrusion Detection System) that is entirely open source and runs on any operating system that supports the libpcap packet-capture library.
The quality of this IDS is very high, and it holds its own against commercial products, which are not only quite expensive but also require a certain level of experience to configure.
Snort can run in four different modes, each offering a different level of protection:
- Sniffer: reads packets off the network and prints them to the console for the network administrator to analyze;
- Packet logger: like the previous mode, but also writes the captured packets to disk;
- Intrusion detection system (IDS): monitors traffic, analyzes it against a rule set, logs the matching packets and raises alerts;
- Intrusion prevention system (IPS): runs inline and actively blocks traffic that matches its rules. It is good security practice to pair it with a firewall rather than rely on it alone.
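The four modes correspond to four different Snort 2.x command lines. The script below is an added example, not part of the original article; it assumes a Snort 2.x binary, a monitoring interface eth0 (and eth1 as the second inline interface for IPS mode), a log directory ./snort-log and a configuration at /etc/snort/snort.conf. By default each function only prints the command it would run; set RUN=1 (as root, with Snort installed) to execute it.

```shell
#!/bin/sh
# Added example: Snort 2.x command lines for its four operating modes.
# Assumptions (not from the article): interface names, log dir and config path.
IFACE="${IFACE:-eth0}"                       # interface Snort listens on
IFACE2="${IFACE2:-eth1}"                     # second interface for inline (IPS) mode
LOGDIR="${LOGDIR:-./snort-log}"              # where packet logs and alerts go
CONF="${CONF:-/etc/snort/snort.conf}"        # rule set and preprocessor config

# Print the command unless RUN=1, in which case execute it.
run_or_show() {
  if [ "${RUN:-0}" = "1" ]; then
    mkdir -p "$LOGDIR"
    "$@"
  else
    printf '%s\n' "$*"
  fi
}

# Sniffer mode: -v prints TCP/IP headers, -d adds application-layer payload,
# -e adds link-layer (Ethernet) headers. Nothing is written to disk.
snort_sniffer() {
  run_or_show snort -v -d -e -i "$IFACE"
}

# Packet logger mode: same decoding as the sniffer, but -l writes every
# captured packet under LOGDIR (no rules are evaluated yet).
snort_logger() {
  run_or_show snort -d -e -i "$IFACE" -l "$LOGDIR"
}

# IDS mode: -c loads the configuration and rules; matching packets are logged
# and alerts written in "fast" (one line per alert) format under LOGDIR.
snort_ids() {
  run_or_show snort -c "$CONF" -i "$IFACE" -l "$LOGDIR" -A fast
}

# IPS mode: -Q puts Snort inline between two interfaces via the afpacket DAQ,
# so rules with a "drop" action actually block traffic instead of only alerting.
snort_ips() {
  run_or_show snort -c "$CONF" -Q --daq afpacket -i "${IFACE}:${IFACE2}" -l "$LOGDIR"
}

# Show all four command lines when the script is run directly.
if [ "${SNORT_MODES_LIB:-0}" != "1" ]; then
  snort_sniffer
  snort_logger
  snort_ids
  snort_ips
fi
```

The only difference between the sniffer and the packet logger is the -l flag; the IDS adds a configuration (-c) and therefore a rule set; the IPS additionally needs -Q and a DAQ that can sit inline, because a read-only libpcap tap cannot drop anything.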
Within the same network it is possible to run several Snort instances, each with a different task:
- Monitoring traffic in the local network, with Snort placed between the hub (or the mirror/SPAN port of a switch, since a switch does not otherwise forward other hosts' traffic to it) and the local network;
- Monitoring traffic directed at a specific machine, with Snort installed on the host to be monitored;
- Monitoring traffic coming from the Internet, with Snort placed behind the firewall (which performs an initial screening of suspicious packets) and in front of the subnetwork it is meant to protect.