Your Complete Guide to Snort

July 12, 2017 | Views: 8165


The 2017 Ponemon Cost of Data Breach Study from IBM recently reported that the average data breach costs organizations $3.62 million, approximately $141 per lost or stolen record. Their research indicates that the average size of a breach has increased by 1.8%, to the equivalent of 24,000 records per breach.

That being said, malicious activity can be very serious for a number of reasons in addition to cost and should be investigated promptly. For those working in a larger organization, handling a lot of traffic, or those with a small security team, being constantly on the lookout for threats is simply not enough. That’s where an intrusion detection and prevention system such as Snort from Cisco comes in.

You can provide tremendous value to your organization by learning how to manage this technology and stop threats in their tracks. By doing so you can prevent damage and optimize your security strategy for future threats.

What is an Intrusion Detection/Intrusion Prevention System (IDS/IPS)?

An IPS is an active system that sits inline on the network, intercepts network traffic, analyzes it and stops anything deemed malicious. Once installed, an intrusion prevention system is able to actively block any intrusions it detects. For example, an IPS can drop malicious packets, block traffic from an offending IP address, etc. An IDS, by contrast, is a passive system: it doesn’t stop network traffic, but instead raises alerts and sends messages if something happens.

“Broadly speaking, an intrusion prevention system can be said to include any product or practice used to keep attackers from gaining access to your network, such as firewalls and anti-virus software.”

IPS and IDS appliances can be either behavior based or signature based, network based or host based. It’s good to have a combination of components for maximum network security.

What is Snort?

Created in 1998 by Martin Roesch, the founder of Sourcefire and chief security architect at Cisco, Snort is defined by Cisco as “an open-source, rule-based, intrusion detection and prevention system. It combines the benefits of signature-, protocol-, and anomaly-based inspection methods to deliver flexible protection from malware attacks.”

According to Cisco’s count, Snort has over 4 million downloads and over 500,000 registered users, making it the most widely deployed intrusion prevention system in the world.

What sets Snort apart?

Many will know Snort as being able to detect threats at incredibly high speeds, a necessary function for today’s rapidly changing technology landscape where threats can pop up within a moment’s notice.

Additionally, it is recognized for providing rapid response, offering greater accuracy, and being an adaptable system.

For more advanced options, you may choose to extend your Snort investment through a partnership with Cisco via one of three paths: the Cisco Intrusion Agent, Cisco Intrusion Prevention System (IPS) solutions, and Cisco’s next-generation intrusion prevention system (NGIPS).

What are some of the features of Snort?

Some of the most notable features of Snort include its ease of installation and use, quick detection, and cost effectiveness. Those who can customize their IDS will reap a number of benefits and gain insight into their networks like they’d never imagined.

“With Snort, rules are powerful, flexible and relatively easy to write, so new rules to detect the latest malware are often written by the Snort community within hours of an outbreak. Add one to your local or experimental rules file, restart Snort, and you’re well on your way to detecting, containing and eliminating any infestation that makes it past your other layers of security.”
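To make the rule-writing idea concrete, here is a toy evaluator (an added example, not Snort’s own code) that parses a rule in Snort’s classic syntax, header plus msg/content/sid options, and checks it against constructed packets; real Snort supports far more options, but the header-then-payload matching flow is the same.

```python
import ipaddress
import re
# Toy Snort-style rule evaluator (added example, not Snort code): handles the
# header (action proto src sport -> dst dport) plus msg/content/sid options.
OPT_RE = re.compile(r'(\w+)\s*:\s*"?([^";]*)"?\s*;')

def parse_rule(text):
    header, _, opts = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = header.split()
    o = dict(OPT_RE.findall(opts))
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "msg": o.get("msg", ""),
            "content": o.get("content"), "sid": int(o.get("sid", 0))}

def addr_match(spec, ip):
    # "any" or a CIDR block; a leading "!" negates the spec
    if spec == "any":
        return True
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate

def port_match(spec, port):
    # "any", a single port, or a low:high range (either end may be open)
    if spec == "any":
        return True
    if ":" in spec:
        low, high = spec.split(":")
        return int(low or 0) <= port <= int(high or 65535)
    return port == int(spec)

def rule_matches(rule, pkt):
    # Header fields first (cheap), then the payload content match
    if rule["proto"] != pkt["proto"]:
        return False
    if not (addr_match(rule["src"], pkt["src"]) and port_match(rule["sport"], pkt["sport"])
            and addr_match(rule["dst"], pkt["dst"]) and port_match(rule["dport"], pkt["dport"])):
        return False
    return rule["content"] is None or rule["content"].encode() in pkt["payload"]

def inspect(rules, packets):
    return [(r["action"], r["sid"], r["msg"]) for p in packets for r in rules if rule_matches(r, p)]

# Constructed rules and packets (not real traffic)
RULES = [parse_rule('alert tcp any any -> 192.168.1.0/24 80 (msg:"Suspicious /cgi-bin probe"; content:"/cgi-bin/"; sid:1000001; rev:1;)'),
         parse_rule('drop tcp !192.168.1.0/24 any -> 192.168.1.0/24 22 (msg:"SSH from outside"; sid:1000002;)')]
PACKETS = [{"proto": "tcp", "src": "10.0.0.5", "sport": 51000, "dst": "192.168.1.20", "dport": 80, "payload": b"GET /cgi-bin/test.cgi HTTP/1.1"},
           {"proto": "tcp", "src": "10.0.0.5", "sport": 51001, "dst": "192.168.1.20", "dport": 80, "payload": b"GET /index.html HTTP/1.1"},
           {"proto": "tcp", "src": "203.0.113.9", "sport": 40000, "dst": "192.168.1.20", "dport": 22, "payload": b"SSH-2.0-OpenSSH"},
           {"proto": "tcp", "src": "192.168.1.7", "sport": 40001, "dst": "192.168.1.20", "dport": 22, "payload": b"SSH-2.0-OpenSSH"}]
```

Running `inspect(RULES, PACKETS)` yields one hit per rule: the cgi-bin probe fires only on the packet whose payload carries the content string, and the SSH rule fires only for the source outside the negated subnet.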

What is Snort used for?

Snort has three primary functions. First and foremost, it is used as a network intrusion detection and prevention system. It can also be used as a packet sniffer, a tool that intercepts data flowing in a network, and as a packet logger, a tool that makes copies of the packets transmitted in a network. The difference between a packet logger and a packet sniffer is that the logger only records the data, whereas the sniffer interprets it.

“These features allow for various types of useful security analysis to be performed, including closer examination of the contents of potential attacks, live traffic sampling or ongoing security events, and historical data on past network events.”

Why should I learn Snort?

For organizations that need an added layer of security, implementing an IDS/IPS may seem like a no-brainer, but properly utilizing these devices takes a good amount of customization to your specific network. Otherwise, the system will disrupt the flow of traffic and report a high number of false positives and false negatives. There is also the question of which IDS/IPS to use in the first place. Familiarity with one of the more common IDS/IPS products gives you a great advantage.

In addition to knowing the strengths and weaknesses of a product like Snort, knowing how to install, manage and customize an IDS/IPS can provide a critical piece of the enterprise defense strategy. Imagine being the one responsible for this aspect at your organization.

Cybrary Resources for Learning IDS/IPS

Currently, Cybrary offers an IDS/IPS micro course that will help you learn ‘intrusion’ basics in under an hour. To earn your micro cert, take the exam at the end of the free course. Use code OBLOG50 for half off your exam.

If you want to work with Snort hands-on, check out the NEW Cyberscore Network Essentials Bundle, which features labs like ‘Using Snort and Wireshark to Analyze Traffic.’

To Summarize

Intrusion detection and prevention are major components of a layered security strategy. Learning to utilize this technology to enhance the corporate security environment in any capacity can provide a unique advantage as a security professional. Whether you’re hoping to enter a security role, or are interested in deploying Snort for your current company, you will find a thorough knowledge of it useful.

Looking for More?

Comment below with your request for future posts.

Olivia Lynch (@Cybrary_Olivia) is the Marketing Manager at Cybrary. Like many of you, she is just getting her toes wet in the field of cyber security. A firm believer that the pen is mightier than the sword, Olivia considers corny puns and an honest voice essential to any worthwhile blog.

5 Comments
  1. Hi, great article!

    I hope you don’t mind me pointing out, but there’s a slight typo in the section “Cybrary Resources for Learning IDS/IPS”

    Currently, Cybrary offers an IDS/IPS micro course that will help you learn ‘intrusion’ basics in under **and** hour.

    Should read:

    Cybrary Resources for Learning IDS/IPS
    Currently, Cybrary offers an IDS/IPS micro course that will help you learn ‘intrusion’ basics in under an hour.

  2. Also, what threat intel feeds would you recommend? Lots of good data out there for custom signature development.

  3. Great Snort intro. I’ve always thought of IDPS as simply a sniffer with a rule set.

    Have any of you done much with YARA? I haven’t seen material here on Cybrary for it yet but I’m still looking at most Intermediate and Advanced Course outlines.

  4. Good article, snort is a good if not great tool, for the PC user and for servers. Love the quicky guides they have on their site. I recommend snort for all! Let us not mention pulled pork nor any of the vast array of food and pig products also available, that is if you want to be or be like pig. Oinks to all! Just one other thought, a little humor in this very serious topic is just for fun, I have no, I say again No bad feelings against pig, or any pig like product. As a matter of fact I like bacon.
