Building a Snort IDS Intrusion Detection Environment on CentOS 7.x

Snort Introduction

    Snort is a cross-platform, real-time traffic analysis and intrusion detection system. It is built on libpcap as a packet sniffer and is lightweight enough to be deployed as a network intrusion detection system (NIDS).

Snort operating modes

(1) Sniffer
Sniffer mode: packets are read from the network as a continuous stream and printed to the terminal.

(2) Packet logger
Packet logger mode: packets are written to disk (as text, or as pcap files when binary logging is enabled).

(3) Network Intrusion Detection System
NIDS mode: packets are matched against a rule set loaded from a configuration file. This is the configurable mode, and correspondingly the most complex to set up.
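The three modes above map directly onto Snort command-line flags. The script below is an added example (not code from the original post) that assembles the Snort 2.x command line for each mode, plus the two invocations a practitioner wants alongside them: `-T` to validate a configuration before going live, and `-r` to replay a pcap through the rules offline. The interface `eth0`, the log directory `/var/log/snort`, the config path `/etc/snort/snort.conf` and the pcap name `capture.pcap` are assumptions; override them through the environment variables.

```shell
#!/bin/sh
# Added example: Snort 2.x operating modes as shell functions.
# Assumed defaults (not from the original post): eth0, /var/log/snort,
# /etc/snort/snort.conf, capture.pcap. Live capture needs root (sudo) because
# the interface is put into promiscuous mode.

SNORT_IFACE="${SNORT_IFACE:-eth0}"
SNORT_LOGDIR="${SNORT_LOGDIR:-/var/log/snort}"
SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"
SNORT_PCAP="${SNORT_PCAP:-capture.pcap}"

# Print (do not run) the command line for one mode, so it can be reviewed first.
#   -v  print packet headers        -d  also dump the application payload
#   -e  also print link-layer headers
#   -l  log directory               -b  log in binary (pcap) format
#   -c  rules/configuration file    -A console  print alerts on stdout
#   -T  parse config and rules, report problems, then exit
#   -r  read packets from a pcap instead of an interface
snort_cmd() {
  case "$1" in
    sniffer) echo "snort -i $SNORT_IFACE -v -d -e" ;;
    logger)  echo "snort -i $SNORT_IFACE -l $SNORT_LOGDIR -b" ;;
    nids)    echo "snort -i $SNORT_IFACE -c $SNORT_CONF -l $SNORT_LOGDIR -A console" ;;
    test)    echo "snort -T -c $SNORT_CONF" ;;
    pcap)    echo "snort -r $SNORT_PCAP -c $SNORT_CONF -A console" ;;
    *)       echo "usage: snort_cmd sniffer|logger|nids|test|pcap" >&2; return 1 ;;
  esac
}

# Run the selected mode if snort is installed; otherwise just show the command.
# Sniffer, logger and nids modes run until interrupted with Ctrl-C.
run_snort() {
  cmd=$(snort_cmd "$1") || return 1
  if command -v snort >/dev/null 2>&1; then
    echo "+ $cmd"
    eval "$cmd"
  else
    echo "snort not installed; would run: $cmd"
  fi
}

# Usage: sh snort-modes.sh nids   (or: sh snort-modes.sh test)
if [ $# -gt 0 ]; then
  run_snort "$1"
fi
```

Run `sh snort-modes.sh test` first: `-T` loads the configuration and every included rules file and exits non-zero on a parse error, which is far cheaper than discovering the problem after the daemon is started. The `pcap` mode is the way to check that a new rule actually fires, by replaying a capture that is known to contain the traffic.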

Working principle

    Snort captures packets off the network like any sniffer, but what sets it apart from a plain sniffer is that it matches traffic against user-defined rules and takes the action each rule specifies. A Snort rule can carry one of five actions:

(1) activate: raise an alert, then switch on a dynamic rule;
(2) dynamic: stay idle until triggered by an activate rule, then log packets like a log rule;
(3) alert: raise an alert (and log the packet);
(4) pass: ignore the packet, so no further rule is applied to it;
(5) log: record the traffic without raising an alert.
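To make the five actions concrete, the script below is an added example (not from the original post) that writes a small rules file using each of them, a minimal configuration that includes it, and a helper that validates the pair with `snort -T` when Snort is installed. The directory `/tmp/snort-demo`, the SIDs 1000001-1000005, the HOME_NET range 192.168.1.0/24 and the "authorised scanner" address 192.0.2.10 (an RFC 5737 documentation address) are all constructed for the example.

```shell
#!/bin/sh
# Added example: one rule per Snort rule action, plus a syntax check.
# All paths, SIDs and addresses below are assumptions made for the example.

RULES_DIR="${RULES_DIR:-${TMPDIR:-/tmp}/snort-demo}"
RULES_FILE="$RULES_DIR/local.rules"
CONF_FILE="$RULES_DIR/minimal.conf"

# Write a rules file that exercises alert, log, pass, activate and dynamic.
# The heredoc is quoted so that $HOME_NET reaches Snort literally; Snort
# resolves it from the ipvar in the configuration, not the shell.
write_demo_rules() {
  mkdir -p "$RULES_DIR"
  cat > "$RULES_FILE" <<'EOF'
# alert: raise an alert and log the packet
alert tcp any any -> $HOME_NET 22 (msg:"SSH banner seen"; content:"SSH-"; sid:1000001; rev:1;)
# log: record the packet, no alert
log tcp any any -> $HOME_NET 23 (msg:"Telnet traffic logged"; sid:1000002; rev:1;)
# pass: stop inspecting traffic from an authorised scanner (constructed address)
pass tcp 192.0.2.10 any -> $HOME_NET any (msg:"Authorised scanner, ignore"; sid:1000003; rev:1;)
# activate: alert, then switch on dynamic rule group 1
activate tcp any any -> $HOME_NET 21 (msg:"FTP login, start capture"; content:"USER "; activates:1; sid:1000004; rev:1;)
# dynamic: idle until group 1 is activated, then log the next 50 packets
dynamic tcp any any -> $HOME_NET 21 (msg:"FTP session capture"; activated_by:1; count:50; sid:1000005; rev:1;)
EOF
  # Minimal configuration: define HOME_NET and include the rules file.
  cat > "$CONF_FILE" <<EOF
ipvar HOME_NET 192.168.1.0/24
include $RULES_FILE
EOF
}

# Print the distinct rule actions used in the rules file, sorted, on one line.
# Comment and blank lines are skipped; the action is always the first word.
rule_actions() {
  awk '!/^#/ && NF {print $1}' "$RULES_FILE" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Validate the configuration and rules with snort -T when snort is available.
check_rules() {
  if command -v snort >/dev/null 2>&1; then
    snort -T -c "$CONF_FILE"
  else
    echo "snort not installed; skipping syntax check" >&2
  fi
}

# Usage: sh snort-actions.sh
if [ $# -eq 0 ] && [ -z "${SNORT_DEMO_NO_RUN:-}" ] && [ "$(basename "$0")" = "snort-actions.sh" ]; then
  write_demo_rules
  echo "rule actions used: $(rule_actions)"
  check_rules
fi
```

Two caveats a practitioner should keep in mind. First, rule order in the file is not evaluation order: by default Snort evaluates alert rules before pass rules, so a pass rule meant to silence an authorised scanner only works as expected if Snort is started with `-o` (or `config order:` is set) to put pass rules first. Second, the Snort 2.9 manual marks the activate/dynamic pair as being phased out in favour of `tag` and flowbits; they still parse, but new rules should not depend on them.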

    Snort captures packets at the data link layer of the TCP/IP stack (layer 2 of the five-layer model). The network card must be put into promiscuous mode, and the capture itself is done through libpcap (or WinPcap on Windows), depending on the operating system. Captured packets are then handed to the packet decoder.

    Much of Snort's power comes from its plug-ins (preprocessors and output modules), so when deploying it the choice of database, web server, graphing front-end and, above all, their versions matters a great deal.

Snort's shortcomings

    The same "lightweight" design means Snort's feature set is not complete; for example, integration (linkage) with other products could be improved. Because each function is delivered as a plug-in, installation is complicated, and version mismatches between plug-ins sometimes break the running program. Snort also matches all traffic against its rules, which can produce a large number of false positives.



Source: blog.csdn.net/qq_41490561/article/details/104008353