Snort - Red Hat ENTERPRISE LINUX 4 - SECURITY GUIDE Manual


Chapter 9. Intrusion Detection

9.3.1. Snort

While tcpdump is a useful auditing tool, it is not considered a true IDS because it does not analyze
and flag packets for anomalies. Instead, tcpdump prints all packet information to the screen or to a
log file without any analysis. A proper IDS analyzes the packets, tags potentially malicious packet
transmissions, and stores them in a formatted log.
Snort is an IDS designed to be comprehensive and accurate in logging malicious network
activity and notifying administrators when potential breaches occur. Snort uses the standard libpcap
library and tcpdump as a packet logging backend.
The most prized feature of Snort, in addition to its functionality, is its flexible attack signature
subsystem. Snort has a constantly updated database of attacks that can be added to and updated
via the Internet. Users can create signatures based on new network attacks and submit them to the
Snort signature mailing lists (located at http://www.snort.org/lists.html) so that all Snort users can
benefit. This community ethic of sharing has developed Snort into one of the most up-to-date and
robust network-based IDSes available.
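To make the distinction between plain packet logging and signature-based detection concrete, the following added example (not code from the guide or from the Snort project) implements a deliberately small matcher for Snort-style rules: it parses the rule header and the msg/content/nocase/sid/rev options, applies the rules to constructed sample packets, and emits alerts in a format resembling Snort's fast alert output. It assumes single-line rules without semicolons inside quoted values; real Snort supports far more options and preprocessors than this.

```python
import re
from typing import Dict, List, Tuple

# Constructed packet tuple: (proto, src, sport, dst, dport, payload); not a real capture.
Packet = Tuple[str, str, int, str, int, bytes]

# Rule header: action proto src sport -> dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")


def parse_rule(text: str) -> Dict[str, str]:
    """Split one Snort-style rule into header fields plus its option keywords."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a rule: {text!r}")
    rule = m.groupdict()
    # Simplification: options are ';'-separated and quoted values contain no ';'.
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")          # flag options (nocase) have no value
        rule[key.strip()] = val.strip().strip('"')
    return rule


def matches(rule: Dict[str, str], pkt: Packet) -> bool:
    """True if the packet satisfies the rule header and its content signature."""
    proto, src, sport, dst, dport, payload = pkt
    if rule["proto"] != proto:
        return False
    header = ((rule["src"], src), (rule["sport"], sport), (rule["dst"], dst), (rule["dport"], dport))
    if not all(want == "any" or want == str(have) for want, have in header):
        return False
    if "content" in rule:                          # the actual attack signature
        hay, needle = payload, rule["content"].encode()
        if "nocase" in rule:
            hay, needle = hay.lower(), needle.lower()
        return needle in hay
    return True


def run_ids(rules: List[str], packets: List[Packet]) -> List[str]:
    """tcpdump would log every packet; an IDS returns only the ones a signature tags."""
    parsed = [parse_rule(r) for r in rules]
    alerts = []
    for pkt in packets:
        for rule in parsed:
            if matches(rule, pkt):
                alerts.append(f"[**] [1:{rule['sid']}:{rule.get('rev', '1')}] {rule['msg']} [**] "
                              f"{{{pkt[0].upper()}}} {pkt[1]}:{pkt[2]} -> {pkt[3]}:{pkt[4]}")
    return alerts


RULES = [  # constructed local rules in the sid range reserved for user-written signatures
    'alert tcp any any -> 192.168.1.10 21 (msg:"FTP anonymous login attempt"; content:"USER anonymous"; nocase; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.1.10 80 (msg:"WEB cgi-bin access"; content:"/cgi-bin/"; sid:1000002; rev:1;)',
]
PACKETS = [  # constructed traffic: one benign request among two that trip a signature
    ("tcp", "10.0.0.5", 40001, "192.168.1.10", 21, b"USER Anonymous\r\n"),
    ("tcp", "10.0.0.5", 40002, "192.168.1.10", 80, b"GET /index.html HTTP/1.0\r\n"),
    ("tcp", "10.0.0.7", 40003, "192.168.1.10", 80, b"GET /cgi-bin/test HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for line in run_ids(RULES, PACKETS):
        print(line)
```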
Note
Snort is not included with Red Hat Enterprise Linux and is not supported. It has been
included in this document as a reference to users who may be interested in evaluating it.
For more information about using Snort, refer to the official website at http://www.snort.org/.