IDS/IPS systems with Snort
Snort in combination with other open source tools makes it possible to build powerful intrusion detection/prevention systems almost for free. If you look at the pricing of IDS/IPS products from market leaders such as TippingPoint for the first time, you will certainly be surprised. Two graphical frontends are available for Snort: Snorby and BASE. The following diagram shows a typical architecture for an IPS built with Snort; the sensor is set up as a transparent bridge.
Network traffic from the internet passes through the firewall first and then through the Snort sensor. The sensor is set up as a transparent bridge and is "not visible" from the outside because it has no IP address configured. iptables redirects all network packets to user space so that Snort can analyse them. Snort decides for each packet whether it is allowed to cross the bridge or not. Snort also generates alert messages, which are transferred to the log host via sockserv and stunnel. The log host creates alert notifications and stores the data in a database. With Snorby the security analyst can simply use a browser to watch what is going on on the network.
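As an added example that is not from the original page, the following shell script builds the sensor described above: two NICs joined into a bridge with no IP address, iptables handing every bridged packet to an NFQUEUE, and Snort started inline on that queue. Interface names, the queue number, the snort.conf path and the fail-open/fail-closed switch are assumptions; without `--apply` the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not the page's own code. Names below are assumptions.
IN_IF="${IN_IF:-eth0}"     # NIC facing the firewall (assumed name)
OUT_IF="${OUT_IF:-eth1}"   # NIC facing the internal network (assumed name)
BRIDGE="${BRIDGE:-br0}"
QUEUE="${QUEUE:-0}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Bridge the two NICs without giving the bridge an IP address, so the
# sensor has no network identity of its own. br_netfilter makes bridged
# IP packets traverse the iptables FORWARD chain.
bridge_cmds() {
  printf '%s\n' \
    "ip link add name $BRIDGE type bridge" \
    "ip link set dev $IN_IF master $BRIDGE" \
    "ip link set dev $OUT_IF master $BRIDGE" \
    "ip link set dev $IN_IF up" \
    "ip link set dev $OUT_IF up" \
    "ip link set dev $BRIDGE up" \
    "modprobe br_netfilter" \
    "sysctl -w net.bridge.bridge-nf-call-iptables=1"
}

# Hand every bridged packet to user space via NFQUEUE, where inline Snort
# issues the verdict. Mode "closed": if nothing listens on the queue the
# kernel drops the packets (fail closed, no traffic while Snort is down).
# Mode "open": --queue-bypass lets packets through unfiltered while Snort
# is down (fail open). Pick one deliberately; it is a security decision.
ips_rules() {
  bypass=""
  if [ "$1" = "open" ]; then bypass=" --queue-bypass"; fi
  printf '%s\n' \
    "iptables -P FORWARD DROP" \
    "iptables -A FORWARD -m physdev --physdev-is-bridged -j NFQUEUE --queue-num $QUEUE$bypass"
}

# Run Snort inline (-Q) with the nfq DAQ bound to the same queue number.
snort_cmd() {
  echo "snort -Q --daq nfq --daq-var queue=$QUEUE -c $SNORT_CONF -D"
}

# Dry run by default; "--apply [open|closed]" executes the commands as root.
if [ "${1:-}" = "--apply" ]; then
  { bridge_cmds; ips_rules "${2:-closed}"; snort_cmd; } | sh -e
else
  bridge_cmds; ips_rules "${2:-closed}"; snort_cmd
fi
```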
This architecture is complex even though only a few components are involved. It requires permanent maintenance by an experienced system administrator. The deeper the administrator's knowledge of the protocol stack and of security, the bigger the benefit of such a system, of course.