Snort’s third operating mode – network intrusion detection – is where the magic happens. Here, Snort actually pays attention to the network traffic passing its electronic eyes and matches what it sees against a database of updatable signatures as well as any custom user-defined rules. In this mode, Snort does for networks what anti-virus tools do for filesystems.
Best of all, it keeps running while you’re asleep, processing packets, log files and more. You can even configure it to send alerts via SMS or other means that will wake up your network or security staff. Or you could define rules so that Snort blocks the suspicious traffic, as well as other traffic from the originating host.
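As an added illustration of the custom rules and blocking the post mentions (example rules written for this page, not taken from the original post or from the Snort project), here is a small local.rules fragment in Snort 2.x syntax. The path /cgi-bin/badscript, the sids and the count/time thresholds are constructed values, and $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are assumed to be defined in snort.conf:

```snort
# local.rules -- constructed example rules, not from the original post (Snort 2.x syntax).
# Layout: action proto src_ip src_port direction dst_ip dst_port (options)
# $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS are variables assumed to be set in snort.conf.

# 1. Detect and follow up: raise an alert when an inbound HTTP request carries the
#    constructed path /cgi-bin/badscript, then log every further packet from that
#    source address for 600 seconds (tag) so the analyst sees the follow-on traffic,
#    not just the single request that tripped the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB suspicious CGI path requested"; flow:to_server,established; content:"/cgi-bin/badscript"; http_uri; nocase; tag:host,600,seconds,src; classtype:web-application-attack; sid:1000001; rev:1;)

# 2. Prevent: when Snort runs inline (snort -Q with an inline DAQ), the drop action
#    discards the matching packet instead of only logging it. detection_filter makes
#    the rule fire only after 5 matches from one source within 60 seconds, so a single
#    odd request is recorded by rule 1 but not blocked outright.
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB repeated suspicious CGI path, dropped"; flow:to_server,established; content:"/cgi-bin/badscript"; http_uri; nocase; detection_filter:track by_src, count 5, seconds 60; classtype:web-application-attack; sid:1000002; rev:1;)

# threshold.conf (or snort.conf) -- keep the log volume down: at most one alert per
# source host per minute for sid 1000001, however many times it actually matches.
event_filter gen_id 1, sig_id 1000001, type limit, track by_src, count 1, seconds 60
```

Local rules conventionally use sids of 1000000 and above so they never collide with the downloaded signature set; rule 1 keeps alerting (and tagging) while rule 2 only takes effect in inline mode.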
Where Snort isn’t so great is the massive amount of disk space it chews up with the log files it produces, as well as the signature files used to detect rule violations. It’s not unrealistic for Snort operating within a high-traffic site to consume up to 100Gb of disk space. Snort doesn’t especially require any particular level of processor, but it really will need a fast disk controller and a lot of space, not to mention a network card that is as fast as or faster than the rest of your network (or else you can miss packets). If the budget can cater for it, the best advice is to dedicate a machine to Snort’s use.
Wherever you choose to run Snort, you do have to remember to place it on your network in a strategic location, because it can only see traffic on its own subnet. There’s little point running Snort on your office desktop computer if your public-facing web and mail servers are housed in a co-location facility, for instance. In fact, depending on the complexity and size of your network, you may want to consider multiple Snort installations, to ensure all your key assets are protected by having one Snort system within each key subnet.