3.1 About Snort
Snort is perhaps the best known open source intrusion detection system available.
Snort is designed primarily to operate from the command line, and it
has been integrated into several other applications and ported to
various platforms. Many third-party applications have been engineered
around its use. Snort is actively maintained, and it is possibly the
best open source IDS available for download.
Snort was first developed in November 1998. It was originally
intended to function as a packet sniffer. Since then it has grown to
become much more. Each week Snort is downloaded by thousands of users
and developers. It is currently used in most IDS situations, from
small office and home networks to corporate and IT offices worldwide.
It has been ported to a variety of platforms, so finding a release
for your particular operating system should be no problem. I
currently run Snort on Windows, FreeBSD, Linux, and Solaris.
3.1.1 Snort's Commercial Counterpart
No discussion of Snort would be complete without mentioning its
commercial counterpart. The Snort developers created their own
company, Sourcefire, which supplies an intrusion detection appliance for enterprise-level
networks. The Sourcefire appliance combines an enhanced version of
Snort with other proprietary technologies to create what they call an
Intrusion Management System (IMS). The
capabilities of Snort and other applications are combined into a
seamless whole that offers state-of-the-art monitoring, perimeter
defense, system management, and real-time awareness. For the cost,
Sourcefire offers perhaps the most up-to-date and reliable IDS
devices for those interested in investing in a commercial variant. By
any measure, it competes strongly with solutions from the big
players—Cisco, ISS, NFR, and Top Layer, to name a few.