What is snort?
From www.snort.org : Snort® is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide. With millions of downloads and nearly 400,000 registered users, Snort has become the de facto standard for IPS.
How to install snort?
I’ve written a series of posts that explain different steps of a Snort installation. If you know what all the tools are, follow these links. If you want an explanation of all the tools, keep on reading.
- Optional : Switch your KVM from regular bridge to Open vSwitch
- Optional : How to configure a mirror port on Open vSwitch
- How to install snort
- Updating snort rules using Pulled Pork
- Building Barnyard2 from source
- Installing and configuring Barnyard2
- Installing Snorby
What are these tools?
Website : http://openvswitch.org
By default, libvirt connects all guests to a regular software bridge, which acts like a simple switch for the guests. Since a regular software bridge is very limited, I exchanged the bridge for Open vSwitch. This is the full list of features. The most important feature for us is the SPAN or mirror port, which copies the guests' traffic to the interface Snort listens on.
I wrote two posts regarding Open vSwitch.
Switch your KVM from regular bridge to Open vSwitch
How to configure a mirror port on Open vSwitch
If you have a physical switch like a Cisco Catalyst or any other switch that is able to mirror traffic to a certain port, you probably don’t need the Open vSwitch.
Snort is the IDS/IPS software that listens on an interface and logs any traffic that matches a rule. The log files are written in a binary format called unified2, which the other tools in this series read.
This post describes how you can install snort.
In order for Snort to do a good job, it needs up-to-date rule files. These are similar to the pattern files of your desktop antivirus. Pulled Pork is a tool that downloads the rule files and copies them to the right location.
This post describes how to download, install and configure Pulled Pork.
Barnyard2 is a tool that reads the unified2 log files generated by Snort. After reading them, it converts the events and sends them to a database, a syslog server, or another output.
This post describes how to build Barnyard2 from source. The next post describes how to configure it.
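To show what Barnyard2 actually consumes, here is a small reader for the unified2 format, written as an added example for this overview; it is neither Barnyard2's code nor anything from the posts above. It assumes the legacy IPv4 IDS event record (type 7, 52-byte body) and the packet record (type 2) as documented in Snort's unified2 headers, and the sample log bytes it parses are constructed inline, with sensor, event, classification and signature values chosen only for the illustration.

```python
"""Minimal reader for Snort's unified2 output (added example, not Barnyard2 code).

Layout of each record: an 8-byte header (record type, body length, both
big-endian uint32) followed by the body. Only the legacy IPv4 IDS event
(type 7) and the packet record (type 2) are decoded here; other types are
kept raw. Barnyard2 decodes the full set and forwards events to a database
or syslog.
"""
import socket
import struct

UNIFIED2_PACKET = 2         # packet that triggered an event
UNIFIED2_IDS_EVENT = 7      # legacy IPv4 event, 52-byte body

RECORD_HEADER = struct.Struct("!II")      # type, length
IDS_EVENT = struct.Struct("!11I2H4B")     # 11 x uint32, 2 x uint16, 4 x uint8 = 52 bytes
PACKET_HEADER = struct.Struct("!7I")      # 28 bytes, followed by packet_length bytes

IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
PACKET_FIELDS = (
    "sensor_id", "event_id", "event_second", "packet_second",
    "packet_microsecond", "linktype", "packet_length",
)


def _ipv4(value: int) -> str:
    return socket.inet_ntoa(struct.pack("!I", value))


def parse_unified2(data: bytes) -> list:
    """Decode a byte string of concatenated unified2 records into dicts.

    Raises ValueError on a truncated file instead of returning a half-read
    record; a spool reader hits this case whenever Snort is still writing.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < RECORD_HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        rtype, rlen = RECORD_HEADER.unpack_from(data, offset)
        offset += RECORD_HEADER.size
        body = data[offset:offset + rlen]
        if len(body) < rlen:
            raise ValueError(f"truncated body for record type {rtype} at offset {offset}")
        offset += rlen
        if rtype == UNIFIED2_IDS_EVENT and rlen == IDS_EVENT.size:
            rec = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            rec["ip_source"] = _ipv4(rec["ip_source"])
            rec["ip_destination"] = _ipv4(rec["ip_destination"])
            rec["record_type"] = "event"
        elif rtype == UNIFIED2_PACKET and rlen >= PACKET_HEADER.size:
            rec = dict(zip(PACKET_FIELDS, PACKET_HEADER.unpack_from(body, 0)))
            start = PACKET_HEADER.size
            rec["packet_data"] = body[start:start + rec["packet_length"]]
            rec["record_type"] = "packet"
        else:
            rec = {"record_type": "unknown", "type": rtype, "raw": body}
        records.append(rec)
    return records


def format_event(rec: dict) -> str:
    """One-line summary in Snort's [gid:sid:rev] style."""
    return (f"[{rec['generator_id']}:{rec['signature_id']}:{rec['signature_revision']}] "
            f"{rec['ip_source']}:{rec['sport_itype']} -> "
            f"{rec['ip_destination']}:{rec['dport_icode']} "
            f"proto={rec['protocol']} prio={rec['priority_id']} blocked={rec['blocked']}")


def build_sample_log() -> bytes:
    """Constructed sample: one event plus the packet that triggered it."""
    event = IDS_EVENT.pack(
        1, 42, 1700000000, 123456,      # sensor id, event id, event time (constructed)
        1000001, 1, 3, 29, 2,           # sid, gid, rev, classification, priority (constructed)
        int.from_bytes(socket.inet_aton("10.0.0.5"), "big"),
        int.from_bytes(socket.inet_aton("192.168.1.10"), "big"),
        51515, 80, 6, 0, 0, 0)          # sport, dport, TCP, impact flags, not blocked
    payload = b"GET / HTTP/1.0\r\n\r\n"  # constructed stand-in for the captured frame
    packet = PACKET_HEADER.pack(1, 42, 1700000000, 1700000000, 123456, 1, len(payload)) + payload
    return (RECORD_HEADER.pack(UNIFIED2_IDS_EVENT, len(event)) + event
            + RECORD_HEADER.pack(UNIFIED2_PACKET, len(packet)) + packet)


if __name__ == "__main__":
    for record in parse_unified2(build_sample_log()):
        print(format_event(record) if record["record_type"] == "event" else record)
```

Snort writes the event record first and the packet record right after it, tied together by sensor_id and event_id, which is why a reader such as Barnyard2 can pair an alert with the bytes that triggered it. The truncation check matters in practice: Barnyard2 tails a spool file that Snort appends to, so a partially written record is normal and must be retried rather than reported as a corrupt event.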
We, as human beings, want a GUI to look at the events detected by Snort. Snorby is such a tool. It presents all events from the database and gives the administrator the possibility to classify all detected events.
This post describes how to download and configure Snorby to your needs.
Snort is a registered trademark of Sourcefire, Inc.