
Managing Security with Snort & IDS Tools by Christopher Gerg, Kerry J. Cox


Chapter 7. Creating and Managing Snort Rules

Snort is a signature-based intrusion detection system. While the preprocessors do not rely on signatures to generate alerts on potentially malicious traffic, the heart of Snort's ability to detect intrusions is the catalog of signatures located in the rules files. Being a signature-based IDS is both a strength and a weakness.

Because Snort is signature-based, it can be configured for specific threats: the latest worm, the latest IIS exploit, and so on. The rules watch for specific byte patterns in a packet's payload or for anomalous settings in its headers. This allows the security administrator to quickly determine the nature of a potential attack, since he can easily examine the rule that triggered the alert (as well as the packet itself with some of the other tools available, like ACID or SnortCenter). A comparison is commonly made between signature-based IDS and antivirus software. Both have a catalog of signatures that they match against a stream of data flowing past a sensor component. In antivirus software, that sensor is a software component that watches memory and filesystem access. An IDS, on the other hand, watches packets traveling the network.
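To make the two kinds of match concrete, the following is an added example, not code from the book or from Snort itself: a small Python matcher for a subset of Snort's rule syntax (rule header, msg, content, nocase, flags, sid) evaluated against constructed packets. The rules and packets are made up for the illustration, the SIDs are in the local range (1000000 and above) rather than official Snort rule IDs, and the third rule, a generic NOP-sled signature, shows how a rule written for no particular exploit can still fire on new attack traffic.

```python
# Hypothetical minimal Snort-style rule matcher (example code, not Snort's own).
import ipaddress
import re
from dataclasses import dataclass

# Letters used in Snort's "flags:" option mapped to TCP header flag bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
# One option: keyword, optional ':' value (quoted values may contain ';'), then ';'.
OPTION_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?;')


@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    tcp_flags: int = 0
    payload: bytes = b""


def parse_content(value: str) -> bytes:
    """Turn a Snort content string such as "foo|90 90|bar" into raw bytes."""
    out = bytearray()
    for i, part in enumerate(value.strip().strip('"').split("|")):
        # Even-indexed pieces are literal text, odd-indexed pieces are hex bytes.
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> dict:
    m = HEADER_RE.match(text)
    if not m:
        raise ValueError(f"unparsable rule: {text}")
    rule = m.groupdict()
    rule.update(contents=[], flags=None, msg="", sid="0")
    for key, val in OPTION_RE.findall(rule.pop("opts")):
        if key == "content":
            rule["contents"].append([parse_content(val), False])  # [bytes, nocase]
        elif key == "nocase" and rule["contents"]:
            rule["contents"][-1][1] = True  # modifies the preceding content
        elif key == "flags":
            rule["flags"] = val.strip()
        elif key in ("msg", "sid"):
            rule[key] = val.strip().strip('"')
    return rule


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != negate


def _port_match(spec: str, port: int) -> bool:
    return spec == "any" or int(spec) == port


def _flags_match(spec: str, flags: int) -> bool:
    """Exact flag match by default; a trailing '+' means listed flags plus any others."""
    want = sum(TCP_FLAG_BITS[c] for c in spec if c in TCP_FLAG_BITS)
    return flags & want == want if spec.endswith("+") else flags == want


def rule_matches(rule: dict, pkt: Packet) -> bool:
    if rule["proto"] != pkt.proto:
        return False
    if not (_addr_match(rule["src"], pkt.src) and _port_match(rule["sport"], pkt.sport)
            and _addr_match(rule["dst"], pkt.dst) and _port_match(rule["dport"], pkt.dport)):
        return False
    if rule["flags"] is not None and not _flags_match(rule["flags"], pkt.tcp_flags):
        return False
    payload = pkt.payload
    return all((c.lower() in payload.lower()) if nc else (c in payload) for c, nc in rule["contents"])


def run_rules(rule_texts, packets):
    """Return (packet index, sid, msg) for every alert rule that fires on a packet."""
    rules = [parse_rule(r) for r in rule_texts]
    return [(i, r["sid"], r["msg"]) for i, pkt in enumerate(packets)
            for r in rules if r["action"] == "alert" and rule_matches(r, pkt)]


# Constructed rules in Snort syntax; SIDs are local-range placeholders, not official IDs.
RULES = [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-IIS cmd.exe access"; content:"cmd.exe"; nocase; sid:1000001;)',
    'alert tcp any any -> any any (msg:"SCAN nmap XMAS"; flags:FPU; sid:1000002;)',
    'alert tcp any any -> any any (msg:"SHELLCODE x86 NOP sled"; content:"|90 90 90 90 90 90 90 90|"; sid:1000003;)',
]

# Constructed packets (no real capture): payload match, header-flag match, generic match, benign.
PACKETS = [
    Packet("tcp", "10.0.0.5", 40001, "192.168.1.10", 80, tcp_flags=0x18,
           payload=b"GET /scripts/CMD.EXE?/c+dir HTTP/1.0\r\n\r\n"),
    Packet("tcp", "10.0.0.5", 40002, "192.168.1.10", 22, tcp_flags=0x29),  # FIN+PSH+URG, no payload
    Packet("tcp", "10.0.0.9", 40003, "192.168.1.20", 8080, tcp_flags=0x18,
           payload=b"POST /upload HTTP/1.1\r\n\r\n" + b"\x90" * 64 + b"\xcc\xcc"),
    Packet("tcp", "10.0.0.7", 40004, "192.168.1.10", 80, tcp_flags=0x18,
           payload=b"GET /index.html HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, sid, msg in run_rules(RULES, PACKETS):
        print(f"[**] [1:{sid}] {msg} [**] packet #{idx}")
```

The first packet fires only on the payload rule (nocase lets "CMD.EXE" match "cmd.exe"), the second only on the flags rule (FIN, PSH and URG set together, a combination no legitimate TCP stack sends), and the third only on the generic NOP-sled rule even though it targets a port and host no specific rule names; the benign request fires nothing.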

To detect the latest attack methods, you need the latest signatures (although I've been surprised at how often a generic signature will draw my attention to a new kind of attack that does not have its own rule). As a result, it is important to keep the rules as up to date as is ...
