On further analysis of the T.J. Maxx hacking, it's possible to point to a tangible point in time where the incident was finally noticed and mitigated. But what about the security incidents that go unnoticed? What if an enterprising young hacker is discreet enough to siphon tiny pieces of vital information from a network in a manner that leaves system administrators none the wiser? To better combat this type of scenario, security/system administrators may consider the Snort Intrusion Detection System (IDS).
Beginnings of Snort

In 1998, Snort was released by Sourcefire founder Martin Roesch. At the time, it was billed as a lightweight intrusion detection system that functioned primarily on Unix and Unix-like operating systems. Its deployment was considered cutting edge, and it quickly became the de facto standard in network intrusion detection systems. Written in the C programming language, Snort gained popularity as security analysts gravitated toward the granularity with which it could be configured. Snort is also completely open source, and the result has been a very robust, widely popular piece of software that has withstood ample scrutiny in the open source community.
Snort Fundamentals

At the time of this writing, the current production version of Snort is 2.9.2. It maintains three modes of operation: sniffer mode, packet logger mode, and network intrusion detection and prevention system (IDS/IPS) mode.
Sniffer mode involves little more than capturing packets as they reach the network interface card (NIC) Snort is listening on. Security administrators can use this mode to see what type of traffic is arriving at the NIC, and can then tune their Snort configuration accordingly. It should be noted that there is no logging in this mode, so every packet the NIC sees is simply displayed in one continuous stream on the console. Outside of troubleshooting and initial installation, this particular mode has little value in and of itself, as most system administrators are better served by a utility such as tcpdump or Wireshark.
Packet logger mode is very similar to sniffer mode, but one key difference should be evident in the name of this particular mode. Packet logger mode allows system administrators to write captured packets to a location and format of their choosing. For example, if a system administrator wants to log packets into a directory named /log on a specific node within the network, he would first create the directory on that particular node, then instruct Snort on the command line to log packets there. The value in packet logger mode is the record keeping inherent in its name, as it allows security analysts to examine the traffic history of a given network.
OK. All of this information is nice to know, but where is the value added? Why should a system administrator spend time and effort installing and configuring Snort when Wireshark and Syslog can perform practically the same services with a much prettier interface? The answer to these very pertinent questions is the network intrusion detection system (NIDS) mode.
Sniffer mode and packet logger mode are stepping stones on the way to what Snort is really all about - NIDS mode. NIDS mode relies primarily on the Snort configuration file (commonly referred to as snort.conf), which pulls in all of the rule sets that a typical Snort deployment consults before sending alerts to system administrators. For example, if an administrator would like to trigger an alert every time FTP traffic enters and/or leaves the network, she would simply refer to the appropriate rules file within snort.conf, and voila! An alert will be triggered accordingly. As one may imagine, the configuration in snort.conf can get extremely granular in terms of alerts, protocols, specific port numbers, and any other heuristic that a system administrator may feel is relevant to her particular network.
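To make the rule lookup in NIDS mode concrete, here is an added example that is not the article's or Snort's own code: a deliberately simplified Python matcher that parses a Snort-style rule header for the FTP scenario above and evaluates constructed packet summaries against it. The HOME_NET and EXTERNAL_NET values, the rule text and the packets are all assumptions; real Snort also evaluates the rule options against payload, which this model omits.

```python
import ipaddress
import re

# Constructed snort.conf-style variables and one local rule (assumptions, not the
# article's configuration). The '<>' operator makes the rule bidirectional, so it
# fires on FTP control traffic entering or leaving the network.
VARS = {"HOME_NET": "192.168.1.0/24", "EXTERNAL_NET": "!192.168.1.0/24"}
RULE = ('alert tcp $EXTERNAL_NET any <> $HOME_NET 21 '
        '(msg:"FTP control traffic"; sid:1000001; rev:1;)')

HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s+\((.*)\)$')

def parse_rule(text):
    """Split a rule into its header fields and an options dictionary (msg, sid, rev)."""
    m = HEADER.match(text.strip())
    if not m:
        raise ValueError("not a rule: " + text)
    action, proto, src, sport, direction, dst, dport, opts = m.groups()
    options = {}
    for opt in filter(None, (o.strip() for o in opts.split(';'))):
        key, _, val = opt.partition(':')
        options[key] = val.strip().strip('"')
    return dict(action=action, proto=proto, src=src, sport=sport,
                direction=direction, dst=dst, dport=dport, options=options)

def addr_matches(spec, ip):
    """Resolve $VAR, honour 'any' and a leading '!' negation, then test CIDR membership."""
    if spec.startswith('$'):
        spec = VARS[spec[1:]]
    if spec == 'any':
        return True
    negate = spec.startswith('!')
    hit = ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip('!'))
    return hit != negate

def port_matches(spec, port):
    return spec == 'any' or int(spec) == port

def one_way(rule, pkt):
    return (addr_matches(rule['src'], pkt['src']) and port_matches(rule['sport'], pkt['sport'])
            and addr_matches(rule['dst'], pkt['dst']) and port_matches(rule['dport'], pkt['dport']))

def rule_matches(rule, pkt):
    """'->' matches only as written; '<>' also tries the packet with endpoints swapped."""
    if rule['proto'] != pkt['proto']:
        return False
    if one_way(rule, pkt):
        return True
    if rule['direction'] == '<>':
        swapped = dict(pkt, src=pkt['dst'], dst=pkt['src'], sport=pkt['dport'], dport=pkt['sport'])
        return one_way(rule, swapped)
    return False

def alerts_for(packets, rules):
    """Return (sid, msg) for every packet/rule pair that fires, as NIDS mode would alert."""
    return [(r['options']['sid'], r['options']['msg'])
            for p in packets for r in rules if rule_matches(r, p)]

# Constructed packet summaries: an inbound FTP connect, the server's reply, and unrelated HTTPS.
PACKETS = [
    dict(proto='tcp', src='203.0.113.9', sport=51522, dst='192.168.1.10', dport=21),
    dict(proto='tcp', src='192.168.1.10', sport=21, dst='203.0.113.9', dport=51522),
    dict(proto='tcp', src='192.168.1.20', sport=40000, dst='198.51.100.4', dport=443),
]
```

Running `alerts_for(PACKETS, [parse_rule(RULE)])` yields two alerts for the FTP exchange and none for the HTTPS flow, while an FTP session between two HOME_NET hosts matches neither direction of the rule.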