3. Technical Overview

Snort is mainly a so called Network Intrusion Detection System (NIDS), it is Open Source and available for a variaty of unices as well as Microsoft Windows (R).

A NIDS cares for a whole network segment in contrast to a host based IDS which only cares for the host it is running on.

Since NIDS are mostly used in conjunction with firewalls it is vital to not being vulnerable for attacks itself. Therefor all interfaces used with snort bound to should be set up without ip addresses. Since this can not be achieved in every configuration, e.g. if you want to bind snort on an isdn interface ippp0, it should be considered to use a standalone computer for snort and set it up as a firewall and router for the dial-up connection too.

For more information on that topic see the Firewall-HOWTO or my Firewalling+Masquerading+Diald+dynamic IP-HOWTO.

Snort can be used to care for more than one network segment which we will discuss later.

Snort also can be used as a sniffer to troubleshoot network problems, but that's not a topic in this document.

ACID, the Analysis Console for Intrusion Databases, is part of the AIR-CERT project. It makes use of PHPlot, a library for creating nice graphs in PHP, and ADODB, an abstraction library for combining PHP and various database systems like MySQL and PostgreSQL. The ACID homepage says:

"The Analysis Console for Intrusion Databases (ACID) is a PHP-based analysis engine to search and process a database of incidents generated by security-related software such as IDSes and firewalls."

Max Vision's IDS rules (referred to as vision.rules because this is the name of the downloadable file) are used to complete the rules shipped with snort.

arachnids_upd is a small but fine perl script which downloads the actual vision.rules using wget and optionally deletes single rules given in an ASCII file.