At this point, you may be asking yourself, Why do I need to know Snort? It sounds much like tcpdump, in that it sniffs packets and can read and write into the same libpcap format. Here are just a few of the reasons Snort is a versatile solution for both packet sniffing and intrusion detection. Snort:
Is descriptive and verbose.
Is more versatile than tcpdump in output and readability.
Determines the value of each header entry.
Identifies individual header fields and decodes the values that belong to them.
Can be customized to print out all varying fields in the headers.
Has rules that are relatively easy to configure and understand.
Can report on separate wireless networks using specialized patches.
Generates alerts (it's a network intrusion detection system).
As you begin to use Snort, you will notice the many advantages it offers over tcpdump for raw data interpretation.
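As an added illustration that is not from the book, the following Python reader decodes a libpcap file (the on-disk format Snort and tcpdump share) and pulls out the Ethernet, IPv4 and TCP header fields the way a sniffer's per-field output does. The capture it parses is constructed inline from documentation addresses, not a real trace.

```python
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian libpcap magic (microsecond timestamps)
PCAP_MAGIC_BE = 0xD4C3B2A1   # same magic read from a big-endian file
LINKTYPE_ETHERNET = 1

def build_sample_pcap() -> bytes:
    """Constructed sample: one libpcap record holding an Ethernet/IPv4/TCP SYN."""
    eth = bytes.fromhex("00005e0053aa") + bytes.fromhex("00005e0053bb") + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    frame = eth + ip + tcp
    ghdr = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    rhdr = struct.pack("<IIII", 1_700_000_000, 123456, len(frame), len(frame))
    return ghdr + rhdr + frame

def decode_frame(frame: bytes, ts_sec: int, ts_usec: int) -> dict:
    """Decode link, network and transport headers into named fields."""
    dst, src, ethertype = frame[0:6], frame[6:12], struct.unpack_from("!H", frame, 12)[0]
    pkt = {"ts": f"{ts_sec}.{ts_usec:06d}", "eth_src": src.hex(":"),
           "eth_dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype == 0x0800 and len(frame) >= 34:          # IPv4
        vihl, _, tlen, _, _, ttl, proto, _, sip, dip = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
        ihl = (vihl & 0x0F) * 4                             # header length in bytes
        pkt.update(ip_src=".".join(map(str, sip)), ip_dst=".".join(map(str, dip)),
                   ttl=ttl, proto=proto, ip_len=tlen)
        if proto == 6 and len(frame) >= 14 + ihl + 20:     # TCP
            sport, dport, seq, ack, _, flags, win = struct.unpack_from("!HHIIBBH", frame, 14 + ihl)
            pkt.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=flags, win=win)
    return pkt

def parse_pcap(data: bytes) -> list:
    """Walk the global header and every record; handles both byte orders."""
    magic = struct.unpack_from("<I", data, 0)[0]
    end = {PCAP_MAGIC_LE: "<", PCAP_MAGIC_BE: ">"}.get(magic)
    if end is None:
        raise ValueError("not a libpcap file")
    linktype = struct.unpack_from(end + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    packets, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(end + "IIII", data, off)
        off += 16
        packets.append(decode_frame(data[off:off + caplen], ts_sec, ts_usec))
        off += caplen
    return packets

if __name__ == "__main__":
    for p in parse_pcap(build_sample_pcap()):
        print(p)
```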
Next, we'll cover how to run Snort in its three basic operational modes.
Packet sniffer
Packet logger
Network Intrusion Detection System
While the previously discussed network sniffer tools (tcpdump, Ethereal, and Tethereal) are more full-featured and provide excellent packet analysis, there may come a time when you need to take a quick look at the network traffic on a Snort sensor. In this case, using Snort as a sniffer might be valuable. The Snort sniffer-mode output is slightly different from that of the other command-line sniffers. It is actually very easy to read and you may ...