This section presents an example deployment of the Snort IDS (http://www.Snort.org). Snort used to be called a "lightweight IDS," but it has since progressed way beyond that stage, and there is nothing lightweight about it anymore. Snort might only be called lightweight if we're referring to the high efficiency of its detection engine and its small memory footprint. It is a full enterprise IDS that can be deployed in high-performance and distributed configurations that reach gigabit speeds.
The intrusion detection platform discussed in this section is based on a Linux OS, a Snort network IDS, a MySQL database, and an ACID analysis console. Any Linux distribution, such as Red Hat or Debian, can be used. While ideally you should build a minimal Linux system from scratch (as the commercial vendors of Unix-based IDSs do), for a small network deployment you might be able to get away with a "canned" Linux variant. The system has to be minimized (i.e., all unneeded software removed) and hardened.
You should have at least two network cards on the computer where Snort is deployed, since the sniffing interface (which picks up attacks) and the management interface (used for sensor event data management, rule updates, and configuration changes) must be separate. The main reason is that the sniffing interface has no IP address assigned to it. In Linux, it is easy to activate a network interface with no IP address by using a command such as