1. Introduction
1.1 Overview
Snort is a free, open-source Network Intrusion Detection
System (NIDS) and Intrusion Prevention System (IPS)
created by Martin Roesch.
Snort performs real-time traffic analysis and packet
logging on IP networks, and helps the network manager or
user define and detect malicious activity.
1.2 Component
Snort has 5 modules:
- Sniffer Module.
- Pre-processor Module.
- Detection Engine Module.
- Alert and Log Module.
- Import/Export data Module.
How Snort applies the 5 modules (packet flow):
Packet Sniffer -> Pre-processor -> Detection Engine -> Alert/Log -> Import/Export Data
Rulesets
A rule is written in Snort's rule description language; the
detection engine matches traffic against the loaded rules to
detect intrusions.
Custom (local) rules can be written in
/etc/snort/rules/local.rules
Rulesets
Snort rules are divided into two logical
sections: the rule header and the rule options.
alert tcp any any -> 192.168.1.0/24 1337
(content:"hacked"; msg:"hack attempt"; sid:10000000;)
Rulesets
Rule Header:  alert tcp any any -> 192.168.1.0/24 1337
Rule Options: (content:"hacked"; msg:"hack attempt"; sid:10000000;)
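To make the header/options split concrete, here is an added example (not code from the slides or from the Snort project): a small Python parser that takes a one-line Snort rule, splits the seven-field header (action, protocol, source IP, source port, direction, destination IP, destination port) from the parenthesised options, tokenises the options without breaking on semicolons inside quoted values, and runs a few defender-side lint checks. The sample rule is the one from the slide; the action and protocol sets and the lint thresholds (SIDs below 1,000,000 are reserved for official rulesets) are assumptions stated in the comments.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the rule shown on the slide, written on one line.
SAMPLE_RULE = ('alert tcp any any -> 192.168.1.0/24 1337 '
               '(content:"hacked"; msg:"hack attempt"; sid:10000000;)')

# Assumed: the common rule actions and protocols accepted in a rule header.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
DIRECTIONS = {"->", "<>"}
LOCAL_SID_MIN = 1000000  # assumed: SIDs below this are reserved for official rulesets


@dataclass
class SnortRule:
    action: str
    protocol: str
    src_ip: str
    src_port: str
    direction: str
    dst_ip: str
    dst_port: str
    options: list = field(default_factory=list)  # [(keyword, value-or-None), ...]


def split_option(token):
    """'content:"hacked"' -> ('content', 'hacked'); 'nocase' -> ('nocase', None)."""
    key, sep, value = token.partition(":")
    value = value.strip() if sep else None
    if value and len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]  # strip the surrounding quotes
    return key.strip(), value


def parse_options(body):
    """Split the option body on ';' while ignoring semicolons inside quotes."""
    options, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"' and (not current or current[-1] != "\\"):
            in_quotes = not in_quotes  # unescaped quote toggles quoted state
        if ch == ";" and not in_quotes:
            token = "".join(current).strip()
            if token:
                options.append(split_option(token))
            current = []
        else:
            current.append(ch)
    if in_quotes:
        raise ValueError("unterminated quoted value in rule options")
    if "".join(current).strip():
        raise ValueError("every option must be terminated by ';'")
    return options


def parse_rule(text):
    """Split a single-line rule into its header fields and option list."""
    text = text.strip()
    open_paren = text.find("(")
    if open_paren == -1 or not text.endswith(")"):
        raise ValueError("rule options must be enclosed in parentheses")
    header = text[:open_paren].split()
    if len(header) != 7:
        raise ValueError(f"rule header must have 7 fields, got {len(header)}")
    action, proto, src_ip, src_port, direction, dst_ip, dst_port = header
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if proto not in PROTOCOLS:
        raise ValueError(f"unknown protocol {proto!r}")
    if direction not in DIRECTIONS:
        raise ValueError(f"bad direction {direction!r}")
    for port in (src_port, dst_port):  # 'any', a number, or a range like 1:1024
        if port != "any" and not re.fullmatch(r"\d*:?\d*", port):
            raise ValueError(f"bad port spec {port!r}")
    return SnortRule(action, proto, src_ip, src_port, direction,
                     dst_ip, dst_port, parse_options(text[open_paren + 1:-1]))


def is_well_formed(text):
    """True if parse_rule accepts the rule text, False otherwise."""
    try:
        parse_rule(text)
        return True
    except ValueError:
        return False


def check_rule(rule):
    """Defender-side lint: return a list of warnings about an analyst-written rule."""
    warnings = []
    opts = dict(rule.options)
    if "msg" not in opts:
        warnings.append("no msg: alerts from this rule will be hard to triage")
    sid = opts.get("sid")
    if sid is None or not sid.isdigit():
        warnings.append("missing or non-numeric sid")
    elif int(sid) < LOCAL_SID_MIN:
        warnings.append(f"sid below {LOCAL_SID_MIN} is reserved for official rulesets")
    all_any = (rule.src_ip, rule.src_port, rule.dst_ip, rule.dst_port) == ("any",) * 4
    if all_any and "content" not in opts:
        warnings.append("matches all traffic with no content test; expect heavy alert volume")
    return warnings


if __name__ == "__main__":
    rule = parse_rule(SAMPLE_RULE)
    print(rule)
    print(check_rule(rule) or "no warnings")
```

Running the block parses the slide's rule into its header fields and three options and reports no lint warnings; a rule with a six-field header, an unterminated quote, or a low SID is rejected or flagged, which is the kind of check worth running before a new entry in local.rules goes live.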