FRAMINGHAM (10/06/2003) - I am trying to be proactive at our company about finding an intrusion or a potential one before much if any damage has been done. Several individuals I have talked to at other companies have recommended I look at something called Snort. The problem is that I am not that familiar with Linux. What are my options?
-- Via the Internet
Snort is one of the more popular intrusion-detection applications available. It has even been adopted by several commercial companies that add value by making it easier to install on a particular platform and by providing user-friendly ways of getting to the data. Another option is doing the implementation yourself.
Syngress Publishing has released a book called Snort 2.0 Intrusion Detection. Written by Brian Caswell and other Snort experts, it is a hard reference to put down once you start reading it. This book gives you a cookbook approach to implementing Snort on both Linux and Windows platforms. If you aren't that comfortable with Linux, you can start by putting it on a Windows system and then make the move to Linux when you are ready.
The power in Snort is the plug-in functionality that allows you to pick and choose what you want it to do by the modules you put it together with. When you add something called ACID (Analysis Console for Intrusion Databases), you get the foundation for a Web-based way of presenting the information that Snort has gathered. There are several plug-ins that can give you just about any reporting functionality that you could want. The key to Snort, or any IDS for that matter, is to start simple and expand as you become more comfortable with what you are doing.
As with any package like this, making sure that you have the latest rules and patches applied will help keep the false positives to a minimum. I would strongly recommend that you keep a written log handy when you make any changes so that if you run into a problem, it will be easier to get back to where you were before the problem started. Also, when making changes to any of the files that Snort uses, make a backup copy of the file first.
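As an added illustration of the last two points (a backup copy and a written record before every change), and not code from the column or the Snort project: a small POSIX shell helper that snapshots a Snort configuration file, logs the change, restores the last snapshot on demand, and runs Snort's own configuration self-test (snort -T) when the binary is available. File paths and the tab-separated log format are assumptions.

```shell
#!/bin/sh
# Added example (not from the column). Paths and log layout are assumptions.

# Copy CONF to a timestamped backup and append one line to LOGFILE.
# Prints the backup path so the caller can record or inspect it.
# Usage: snort_backup /etc/snort/snort.conf /var/log/snort-changes.log "reason"
snort_backup() {
    conf="$1"; logfile="$2"; reason="$3"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    stamp=$(date +%Y%m%d-%H%M%S)     # one-second resolution; wait between runs
    backup="$conf.$stamp.bak"
    cp -p "$conf" "$backup" || return 1
    # Log fields: when, which file, where the copy went, why (tab-separated).
    printf '%s\t%s\t%s\t%s\n' "$stamp" "$conf" "$backup" "$reason" >> "$logfile"
    echo "$backup"
}

# Ask Snort to parse CONF without sniffing traffic (snort -T -c CONF).
# Skipped with a notice when snort is not on PATH, e.g. on a build box.
snort_check() {
    conf="$1"
    if command -v snort >/dev/null 2>&1; then
        snort -T -c "$conf" >/dev/null 2>&1
    else
        echo "snort not found; skipping config test" >&2
        return 0
    fi
}

# Put back the most recent backup recorded in LOGFILE for CONF.
snort_restore_last() {
    conf="$1"; logfile="$2"
    last=$(awk -F'\t' -v f="$conf" '$2 == f { last = $3 } END { print last }' "$logfile")
    [ -n "$last" ] && [ -f "$last" ] || return 1
    cp -p "$last" "$conf"
}
```

Run snort_backup before editing, snort_check after saving, and snort_restore_last if the check fails or Snort misbehaves; the log doubles as the written change history the column recommends.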
Ron Nutter, a Master Certified Novell Engineer and Microsoft Certified Systems Engineer in the Lexington, Kentucky, area, tracks down the answers to your questions. Send your questions to firstname.lastname@example.org.