Introduction
While studying for CompTIA Network+, I couldn't understand the relationship between Snort and IDS. I could memorize that Snort is an open-source tool, but I couldn't totally comprehend the link between Snort and IDS and why IDS is needed.
Once I grasped the structure of both systems, everything clicked, so I decided to write it down.
What is IDS
IDS stands for Intrusion Detection System
In a nutshell, it is a system that **detects suspicious access to a network and alerts administrators**
Important point
IDS = Detect and Alert
→ Does not block automatically
The system that blocks is:
IPS (Intrusion Prevention System)
The difference between IDS and IPS
IDS:
Detects suspicious access
↓
Alerts the system manager
↓
The system manager judges it and blocks it manually
IPS:
Detects suspicious access
↓
Automatically blocks it
↓
Notifies the system manager
Understanding with a fire alarm
IDS = A fire alarm
→ Alerts when it detects a fire
→ It does not automatically extinguish the fire
→ Humans put it out instead
IPS = Sprinkler
→ Automatically fights the fire when it detects one
→ It can respond before a human does
What is Snort
Snort is an open-source tool for IDS/IPS
Developed by: Cisco
License: Open-source (free)
Supported OS: Linux・Windows・macOS
Main features:
・Real-time monitoring of network traffic
・Detecting suspicious packets
・Rule-based operation
・Notifying system administrators and logging reports
Operating modes of Snort
Snort has three operating modes
1. Sniffer Mode
Just displays packets in real time
→ Does not log anything
→ Used to check the state of the network
2. Packet Logger Mode
Logs packet information to disk
→ Lets you analyze the information later
→ Used for troubleshooting
3. Network IDS Mode (IDS Mode)
Analyzes packets and checks them against rules
→ Detects suspicious packets and raises alerts
→ The most commonly used mode
→ The most frequently tested in exams
What is rule-based detection
Snort detects suspicious packets based on rules, also known as signatures
Example of rule:
"A large number of access attempts to port 22"
→ Possible unauthorized access to SSH
→ Notifies administrators
"Access from a known attacker's IP address"
→ Possible suspicious access detected
→ Notifies administrators
How rule-based detection works
Network traffic
↓
Snort monitors packets
↓
Checks them against rules
↓
Match → Flags the access as suspicious and raises an alert
No match → Passes through as normal access
Pros and Cons
Pros:
・Free because it is open-source
・There is a large community
・You can customize rules yourself
・It is used all over the world
Cons:
・Complex configuration
・Automatic blocking requires additional IPS configuration
・False positives may occur
What is False Positive
A false positive occurs when normal access is incorrectly detected as suspicious
Example:
It incorrectly flags legitimate employee access as an attack
Solution:
Tune rules properly
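To tie together the three operating modes, the rule-matching flow and the tuning point above, here is an added example written for this post (toy code, not Snort's own engine). It accepts a small, simplified subset of Snort's rule syntax (header plus the msg, sid and detection_filter options), mimics sniffer, packet logger and IDS mode, and runs constructed traffic through it. The rules, the addresses, the assumed HOME_NET prefix and the packets are all constructed; real Snort's rule language and matching are far richer than this.

```python
"""Toy rule-based sensor in the spirit of Snort (added example, not Snort's own code).
Accepts a simplified subset of Snort rule syntax (msg, sid, detection_filter options)
and mimics the three modes: sniffer (show), packet logger (record), IDS (check)."""
import re
from collections import defaultdict, deque

# Constructed rules. Rule 1 alerts only after 5 hits from one source within 60 s, so a
# single legitimate SSH login is not flagged. Rule 2 flags a constructed "known bad" IP.
RULES_TEXT = """
alert tcp any any -> $HOME_NET 22 (msg:"Possible SSH brute force"; detection_filter:track by_src, count 5, seconds 60; sid:1000001;)
alert ip 203.0.113.7 any -> $HOME_NET any (msg:"Traffic from known bad IP"; sid:1000002;)
"""
HOME_NET_PREFIX = "192.0.2."  # assumed protected network, stands in for $HOME_NET

RULE_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
                     r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<opts>.*)\)\s*$")

def parse_rule(line):
    """Parse one rule line into a dict; raises on anything outside the subset."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    rule = m.groupdict()
    opts = {}
    for opt in rule.pop("opts").split(";"):
        if opt.strip():
            key, _, value = opt.partition(":")
            opts[key.strip()] = value.strip().strip('"')
    rule["msg"], rule["sid"], rule["filter"] = opts.get("msg", ""), int(opts["sid"]), None
    if "detection_filter" in opts:
        f = dict(part.split() for part in opts["detection_filter"].split(","))
        rule["filter"] = (f["track"], int(f["count"]), int(f["seconds"]))
    return rule

def _ip_matches(pattern, ip):
    if pattern == "any":
        return True
    if pattern == "$HOME_NET":
        return ip.startswith(HOME_NET_PREFIX)
    return pattern == ip

def rule_matches(rule, pkt):
    """Header match only: protocol, source/destination address and port."""
    port_ok = lambda pat, port: pat == "any" or int(pat) == port
    return (rule["proto"] in ("ip", pkt["proto"])
            and _ip_matches(rule["src"], pkt["src"]) and port_ok(rule["sport"], pkt["sport"])
            and _ip_matches(rule["dst"], pkt["dst"]) and port_ok(rule["dport"], pkt["dport"]))

class Sensor:
    def __init__(self, mode, rules_text=RULES_TEXT):
        if mode not in ("sniffer", "logger", "ids"):
            raise ValueError(f"unknown mode: {mode}")
        self.mode = mode
        self.rules = [parse_rule(l) for l in rules_text.strip().splitlines()] if mode == "ids" else []
        self.log = []     # stands in for the on-disk packet log of packet logger mode
        self.alerts = []  # what IDS mode would send to the administrator
        self._hits = defaultdict(deque)  # (sid, tracked address) -> timestamps of matches

    def _filter_passes(self, rule, pkt):
        """detection_filter: alert only once `count` matches fall inside `seconds`."""
        if rule["filter"] is None:
            return True
        track, count, seconds = rule["filter"]
        window = self._hits[(rule["sid"], pkt["src"] if track == "by_src" else pkt["dst"])]
        window.append(pkt["ts"])
        while window[0] < pkt["ts"] - seconds:  # drop matches older than the window
            window.popleft()
        return len(window) >= count

    def process(self, pkt):
        """Handle one packet; returns the alert dict in IDS mode, else None."""
        summary = f"{pkt['ts']:>4}s {pkt['proto']} {pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
        if self.mode == "sniffer":
            print(summary)            # shown on screen, nothing kept
            return None
        if self.mode == "logger":
            self.log.append(summary)  # recorded for later analysis, no verdict
            return None
        for rule in self.rules:
            if rule["action"] == "alert" and rule_matches(rule, pkt) and self._filter_passes(rule, pkt):
                alert = {"sid": rule["sid"], "msg": rule["msg"], "src": pkt["src"]}
                self.alerts.append(alert)
                return alert          # match: suspicious, notify
        return None                   # no match: passes as normal traffic

def sample_packets():
    """Constructed traffic: one legitimate SSH login, a 6-packet SSH burst from
    another host, then an HTTP request from the address named in rule 2."""
    mk = lambda ts, src, sport, dst, dport: dict(ts=ts, proto="tcp", src=src, sport=sport, dst=dst, dport=dport)
    pkts = [mk(0, "198.51.100.10", 50000, "192.0.2.5", 22)]
    pkts += [mk(10 + i, "198.51.100.99", 40000 + i, "192.0.2.5", 22) for i in range(6)]
    pkts.append(mk(30, "203.0.113.7", 51515, "192.0.2.8", 80))
    return pkts

def run(mode):
    sensor = Sensor(mode)
    for pkt in sample_packets():
        sensor.process(pkt)
    return sensor
```

Calling `run("sniffer")` only prints packet summaries, `run("logger")` keeps all eight summaries in `.log` and raises nothing, and `run("ids")` returns three alerts: two for the SSH burst (the fifth and sixth attempt from the same source, once the detection_filter count is reached) and one for the known bad address. The single SSH login at the start matches the port 22 rule's header but never reaches the count, which is exactly the kind of tuning that keeps a legitimate employee login from being reported as an attack.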
Relationship with OSI reference model
Layer 7 Application ← Detects attacks at the application layer as well
Layer 6 Presentation │
Layer 5 Session │
Layer 4 Transport ← Detects port scans, etc.
Layer 3 Network ← Detects IP-address-based attacks
Layer 2 Data Link │
Layer 1 Physical │
─────────────────────────────
Snort primarily operates across Layer 3 to Layer 7
Summary
What is IDS:
A mechanism that detects suspicious access to a network and raises alerts
The difference between IDS and IPS:
IDS → Detect and notify (manual blocking)
IPS → Detect and automatically block
What is Snort:
An open-source IDS/IPS tool
Operating mode:
1. Sniffer Mode → Just display
2. Packet Logger Mode → Record
3. Network IDS Mode → Detect and notify (the most used mode)
Features:
・Works based on rules
・Open source and free
・Real-time monitoring
・Beware of false positives
Conclusion
I used to struggle with understanding Snort because I was only trying to memorize it.
Once I understood the differences outlined below, I could answer related questions naturally and grasp why Snort is needed.
IDS = Detect・Notify (fire alarm)
IPS = Detect・Automatically block (sprinkler)
Snort = Rule-based IDS/IPS tool