Snort (IDS)

So Snort is ran by a series of rules. And these rules are typically broken by three sections. There is a community set, which is going to be free. There’s a registered set, which means you simply just go on the site and you register as a Snort user, it’s free. And then you get access to additional rules. And then we have a subscription based, so if you want to subscribe to Snort, then you can get access to even more rules. So the rules are pretty simple. It’s basically a text file, as we see here. And there’s a bunch of references within that rules file.

And again, the really nice thing is they do offer the rules for free, you could create your own rules, you can modify them, you could pull the community rules, you can get the registered user rules. Or again, if you’re, say, a larger organization, you want more flexibility, you always could subscribe to Snort and get those rule sets also.

Setting up Snort is generally pretty easy. So if you go on their website, they actually have step by step instructions how to install it. And it’s pretty cool too, because once you go there, you could click on, well, I want to load this from source, I want to load this to a Fedora system, CentOS, FreeBSD, or Windows.

And you can see it here: so if you install free from source, you could simply copy and paste these commands in your terminal and start installing Snort.

Now, as far as documentation and setup scripts and guides, there is absolutely no shortage of it. So again, if you go to the Snort website, you will find a wealth of information there. Official documentations, the Snort infographics, Snort startup scripts, related white papers. They have deployment guides, Snort IPS tutorials, Snort IPS using DAQ, AF packets, changing from IDS to IPS.

There’s also setup guides for pretty much every operating system that they support. So there’s Ubuntu, openSUSE, BSD, Windows, CentOS, and whatnot. And also of course, they have additional resources there too. So again, as you see, there’s just a tonne of information at your fingertips for setting up Snort, configuring Snort, getting things running, tweaking Snort. And again, you can find this right on their website.

They also have a lot of handy videos. So on their main page if you click on the Resources tab, they have a lot of cool videos that you can watch through, and it’ll go over things with you, installing, configuring with labs, rewriting the rules for Snort, installing and configuring, and logging with Snort. And this is another reason why Snort’s really popular. It’s just such a easy to get into, friendly community, and it’s got just a tonne of resources. Again, if you don’t want to kind of dig through a HTML file or text document, you always can check out these videos and labs that they have posted on their website.

So running Snort or any other IDS, IPS, MDM, will you be able to prevent 100% of attacks on your network? Well, the short answer is no. Unfortunately, as useful as these tools are, and indeed, they can reduce the number of network attacks, downtime, help identify attackers quicker, not one of them is going to work 100% of the time. Even still, you should have at least one of these in place to help protect your network. And again, Snort runs as an IDS IPS. So what that means is, if you set up as a IPS, it’s going to try to prevent intruders from getting on your network. It’s going to try to blocking them from getting out or potentially getting traffic out.

IDS wise, again, it’ll monitor that network. It’ll look for suspicious traffic, and it’s going to alert you when it finds something. But again, nothing’s perfect. It’s a little bit of an arms race between malicious hackers and security professionals. Security professionals get better tools, better systems in place. Malicious hackers will always try to find ways around that. So I don’t want to sound discouraging that, well, you’re not going to get 100% of the malicious hackers potentially. But again, having a system in place will make things so much harder for a malicious hacker from getting on your network.

If they see that you have certain protections in place, depending if they’re going after you specifically or just going after for any target, they are going to go for the path of least resistance. So have your defences, having your IDS, IPS, MDMs, and whatnot, to protect yourself.

So in wrapping up, Snort is open source. Even though it is owned by Cisco, Snort remains an open source programme. There are premium versions of Snort and it is integrated into some of Cisco’s products. Snort operates as a IDS and IPS system, which makes it really flexible. It’s also multiplatform. It’ll install in both Linux, source Fedora, CentOS, FreeBSD, and also a Windows OS system. Snort can help protect your network, give you greater insight into possible intruders and anomalies, and also they have a great deal of documentation and videos to help you get set up, configured, write your own rule sets and whatnot right on their home page. So this was about Snort.

In the next video, we’re going to be talking about Cisco Meraki, another thing is going to be an MDM. Thank you for watching. I’ll see you in the next video.