1.6 Why Snort as an NIDS?
Snort is a cost-effective and robust NIDS that fits the needs of many
organizations. This book should be all you need to get Snort
installed, configured, tuned, and alerting accurately in your
environment. Snort is covered from initial configuration through ongoing
maintenance, with strategies for deployments ranging from a home
office to a large corporation with a dedicated and experienced
network security staff. The approach throughout is to work out
reasonable, practical solutions to the issues at hand. I try hard not to be a
zealot.
Snort does not stand by itself as the beginning and end of a security
framework for an organization. It is one part of a
defense-in-depth strategy that builds security into every aspect
of a network. Whether Snort becomes an important and significant
contributor to that strategy depends on strong planning and an ongoing
commitment to the care and feeding of your NIDS.
There is a wide variety of choices in the area of intrusion
detection. Digging through the propaganda generated by the various
marketing departments is not easy, and even the definition of intrusion
detection is murky, shifting from one product to the next. To cut
through the noise, consider the following:
- Cost
Open source software is hard to beat on price. To be sure, such
software can often be more difficult to operate. Snort is one of the
more mature open source packages available and competes with any
commercial product on return on investment. The occasional
C-level executive will reject an open source solution because
there is no one to call when it breaks. With mainstream acceptance of
open source solutions increasing constantly, this is less often a
problem. For those who cling to this thinking, there are several
commercial products that use Snort as their core technology. Chief
among these is Sourcefire, an organization at the forefront of Snort
development and implementation. Sourcefire was founded by Martin Roesch,
the original author of Snort and now the company's CTO (does that name
sound familiar?).
- Stability, speed, and robustness
Since very early on, one of the main goals of
Snort's developers has been to keep it lightweight, fast,
and lean, so that it keeps up with ever-increasing network
bandwidths. Because it is a mature code base with years of production
use, serious bugs are rare, and a Snort instance crashing is almost
unheard of. I personally have a Snort installation that watches a
sustained 450 Mbps of bandwidth using a cluster of six sensors. The
only time Snort is down is during a planned maintenance window to
upgrade signatures or move to a new version. This demonstrates not only
Snort's stability but also its ability to be
adapted to very demanding environments (see Chapter 13).
- The preprocessors
In Chapter 5, I go into great detail on the
inner workings of the Snort preprocessors. For the moment, let me
just say that the preprocessors massage the network data flow in real
time, normalizing and reassembling traffic (IP fragments, TCP streams,
encoded HTTP requests) so that a signature has a better chance of
noticing a malicious packet. The incredibly complex ways that computers
can communicate on a network present a real challenge, and the
preprocessors act as interpreters for the Snort detection engine. Another
real strength of the preprocessors is their ability to defeat many IDS
evasion techniques, which rely on the IDS seeing the traffic differently
than the target host does. Chapter 4 discusses the
ways that attackers go after your systems and also the ways they try
to trick, hide from, or simply overwhelm your IDS defenses.
- Flexibility
Snort is very flexible in the ways it can be deployed. Chapters 4 through 8 detail
the ways that Snort can be used, from a simple network sniffer to a
true gateway IDS that kills a dangerous network conversation in its
tracks. Because you can customize existing signatures or write your
own rules, Snort can adapt to almost any situation.
A number of applications can act as central monitoring
and alerting consoles. I talk about several, concentrating on ACID
and SnortCenter. There are also a number of community-contributed
scripts and plug-ins that extend Snort's
functionality: one parses syslog output and alerts on it,
and another dynamically creates access control lists on
Cisco routers, for example.
- Industry support
Particularly since the advent of several commercial versions of Snort,
many security industry watchdogs include Snort signatures in their
security announcements (CERT and SANS, to name two). The Snort open
source community is very active in keeping signatures up to date. When
worms are ravaging the Internet and new variants appear constantly,
there are sometimes updates several times a week. The
Snort mailing lists are a fantastic resource for people who are
trying to run Snort or write their own signatures.
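The evasion problem the preprocessor discussion above alludes to is easy to see in a few lines of code. The following Python is an added illustration written for this section, not Snort code and not part of the book: it compares a naive per-packet content match against matching on a reassembled TCP stream, using constructed segments. The signature string, the Segment type and the two overlap policies are assumptions made for the demo; Snort's real stream preprocessor does far more (window tracking, timeouts, OS-specific overlap handling), and the point here is only why reassembly is needed before a signature can fire, and why the reassembly policy has to match what the target host does.

```python
"""Per-packet matching versus stream reassembly (constructed illustration).

Not Snort code: a minimal model of why an NIDS must reassemble TCP streams
before running content signatures. Segment, SIGNATURE and the two overlap
policies are assumptions made for this demo.
"""
from dataclasses import dataclass

# Stand-in for a rule's content match: alert when these bytes appear in the
# client-to-server stream (constructed signature for the demo).
SIGNATURE = b"/cgi-bin/phf"


@dataclass(frozen=True)
class Segment:
    """One TCP segment: sequence number of its first payload byte, plus payload."""
    seq: int
    payload: bytes


def match_per_packet(segments):
    """Naive detector: inspects every segment on its own, with no reassembly."""
    return any(SIGNATURE in seg.payload for seg in segments)


def reassemble(segments, isn, policy="first"):
    """Rebuild the byte stream in sequence-number order.

    Segments are processed in the order given (their arrival order, which
    may differ from wire order). Overlapping data is resolved by `policy`:
      "first": the bytes that arrived first win (later copies are ignored)
      "last":  the bytes that arrived last overwrite earlier ones
    Only the contiguous prefix is returned; bytes beyond a gap are not yet
    deliverable to the application, so they are not inspected either.
    """
    stream = {}  # offset from the initial sequence number -> byte value
    for seg in segments:
        for i, byte in enumerate(seg.payload):
            off = seg.seq - isn + i
            if policy == "first":
                stream.setdefault(off, byte)
            elif policy == "last":
                stream[off] = byte
            else:
                raise ValueError(f"unknown overlap policy: {policy!r}")
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def match_reassembled(segments, isn, policy="first"):
    """Detector that matches on the reassembled stream, which is what a
    stream preprocessor lets the detection engine see."""
    return SIGNATURE in reassemble(segments, isn, policy)


ISN = 1000  # initial sequence number of the constructed connection

# Evasion 1: the request is split so the signature straddles two segments,
# and the segments are delivered out of order. (Constructed traffic.)
SPLIT_SEGMENTS = [
    Segment(ISN + 9, b"bin/phf?Qalias=x HTTP/1.0\r\n\r\n"),
    Segment(ISN, b"GET /cgi-"),
]

# Evasion 2: a decoy segment covering offsets 5..12 arrives first, then the
# real request retransmits those offsets. Whether the IDS sees "/cgi-bin/phf"
# depends on its overlap policy, which must match what the target host does.
OVERLAP_SEGMENTS = [
    Segment(ISN + 5, b"xxxxxxxx"),
    Segment(ISN, b"GET /cgi-bin/phf HTTP/1.0\r\n"),
]

# A stream with a hole: only the bytes before the gap are inspected.
GAPPED_SEGMENTS = [
    Segment(ISN, b"GET /cgi-"),
    Segment(ISN + 12, b"phf HTTP/1.0\r\n"),
]


if __name__ == "__main__":
    print("split, per-packet:     ", match_per_packet(SPLIT_SEGMENTS))
    print("split, reassembled:    ", match_reassembled(SPLIT_SEGMENTS, ISN))
    print("overlap, first policy: ", match_reassembled(OVERLAP_SEGMENTS, ISN, "first"))
    print("overlap, last policy:  ", match_reassembled(OVERLAP_SEGMENTS, ISN, "last"))
    print("gapped stream seen as: ", reassemble(GAPPED_SEGMENTS, ISN))
```

Running it shows the per-packet matcher missing the split request while the reassembled matcher catches it, and the overlap case firing under one policy but not the other. That second result is the practical caveat: a sensor that resolves overlaps differently from the hosts it protects can be made to see a harmless stream while the server processes the attack, which is why Snort's stream handling has to be tuned to the target operating systems rather than left at a single default.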