Chapter 1 Introduction to Intrusion Detection and Snort
Snort uses rules stored in text files that can be modified with a text editor. Rules are
grouped in categories, and the rules belonging to each category are stored in a separate file.
These files are then included in a main configuration file called snort.conf. Snort reads
these rules at startup time and builds internal data structures, or chains, to apply
these rules to captured data. Finding signatures and using them in rules is a tricky job,
since the more rules you use, the more processing power is required to process captured
data in real time. It is important to implement as many signatures as you can using as
few rules as possible. Snort comes with a rich set of predefined rules to detect intrusion
activity, and you are free to add your own rules at will. You can also remove some of the
built-in rules to avoid false alarms.
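A simplified model of that startup step, added here as an example (this is not Snort's own code; the snort.conf contents, rule files and SIDs below are constructed): it expands the var and include directives, parses each rule's header and options, and files the rule into a chain keyed by protocol and destination port so that a packet is only compared against the rules that could apply to it.

```python
import re

# Constructed sample: a minimal snort.conf and two category rule files, kept in
# memory (a dict standing in for the filesystem) so the example runs offline.
SNORT_CONF = """\
var HOME_NET 192.168.1.0/24
include web.rules
include scan.rules
"""
RULE_FILES = {
    "web.rules": """\
# web category (constructed rules, constructed SIDs)
alert tcp any any -> $HOME_NET 80 (msg:"WEB probe"; content:"/admin"; sid:1000001;)
alert tcp any any -> $HOME_NET 80 (msg:"WEB cgi"; content:"/cgi-bin/"; sid:1000002;)
""",
    "scan.rules": """\
alert icmp any any -> $HOME_NET any (msg:"ICMP ping"; sid:1000003;)
""",
}

# Rule header: action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$"
)

def load_rules(conf_text, files):
    """Read snort.conf, follow its include directives, and build chains keyed
    by (proto, dport). Hypothetical helper; the chain layout is a simplification
    of what Snort builds internally."""
    variables, chains = {}, {}
    for line in conf_text.splitlines():
        line = line.strip()
        if line.startswith("var "):
            _, name, value = line.split(None, 2)
            variables[name] = value
        elif line.startswith("include "):
            for rule in files[line.split(None, 1)[1]].splitlines():
                rule = rule.strip()
                if not rule or rule.startswith("#"):   # skip blanks and comments
                    continue
                m = RULE_RE.match(rule)
                if not m:
                    raise ValueError("unparseable rule: " + rule)
                r = m.groupdict()
                for k in ("src", "dst"):               # expand $VARIABLES
                    if r[k].startswith("$"):
                        r[k] = variables[r[k][1:]]
                opts = dict(re.findall(r'(\w+):"?([^";]*)"?;', r["opts"]))
                r["msg"], r["sid"] = opts.get("msg"), int(opts["sid"])
                chains.setdefault((r["proto"], r["dport"]), []).append(r)
    return chains
```

Each added rule file lengthens only the chains it touches, which is why trimming unused categories out of snort.conf reduces per-packet work.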
1.1.1 Some Definitions
Before we go into details of intrusion detection and Snort, you need to learn some
definitions related to security. These definitions will be used in this book repeatedly in
the coming chapters. A basic understanding of these terms is necessary to digest other
complicated security concepts.
1.1.1.1 IDS
An Intrusion Detection System, or IDS, is software, hardware or a combination of both
used to detect intruder activity. Snort is an open source IDS available to the general
public. An IDS may have different capabilities depending upon how complex and
sophisticated its components are. IDS appliances that combine hardware
and software are available from many companies. As mentioned earlier, an IDS may
use signatures, anomaly-based techniques or both.
1.1.1.2 Network IDS or NIDS
NIDS are intrusion detection systems that capture data packets traveling on the
network media (cables, wireless) and match them against a database of signatures. Depending
upon whether a packet matches an intruder signature, an alert is generated or
the packet is logged to a file or database. One major use of Snort is as a NIDS.
1.1.1.3 Host IDS or HIDS
Host-based intrusion detection systems, or HIDS, are installed as agents on a host.
These intrusion detection systems can look into system and application log files to
detect any intruder activity. Some of these systems are reactive, meaning that they
inform you only after something has happened. Some HIDS are proactive: they can
sniff the network traffic coming to the particular host on which the HIDS is installed and
alert you in real time.