News Stay informed about the latest enterprise technology news and product updates.

Nab hackers with Snort on Linux

Stocking a Linux security toolbox? Don't forget Snort, says Rafeeq Ur Rehman, author of Intrusion Detection with Snort from Prentice Hall PTR. Snort's stability and cross-platform compatibility makes it Rehman's enterprise open-source intrusion-detection system of choice. In this interview, he discusses the common mistakes people make when using Snort and addresses the tools everyone should have in their security toolboxes. Rehman also talks about the benefits of honeypots to Linux users.

What does Snort do, and how is it used? Would you recommend using it in an enterprise environment?
Snort is a network intrusion-detection system (NIDS), which means that it looks for suspicious network traffic and can alert security administrators based upon predefined rules. For example, it can detect port-scanning activities, detect common attacks on your systems, and so on. Snort is available for many operating systems. A computer running Snort is also called a Snort sensor. A Snort sensor is installed on a network segment where you want to monitor network traffic. Snort listens to all data packets flowing on the network and utilizes its rules database to detect intruder activity. Having detected the activity, it can log the activity in test files, databases, XML files and so on. When used in combination with other products, it can also generate alerts in different forms to alert security administrators.

Snort is already being used in many enterprises. It is a good and stable product and is very useful for large environments as well. You can use multiple Snort sensors for data collection to a central database, where you can analyze it using other tools, like ACID. To start, what general tools should an IT shop have in its Linux security toolbox?
There are many tools available in open-source. Depending upon what applications and servers are running in an IT shop, a different set of tools is needed. However there are some common tools that are used by everyone in the security area. Some of these are:

  • Nessus is a very good tool for assessment of network security.
  • Nmap is a very versatile tool.
  • If using Linux firewalls, then firewall builder is a good tool.
  • You should have a network intrusion-detection system as well, and Snort is a good choice.
What are the most important components of Snort?
The most important component of the Snort system is its detection engine. The detection engine applies rules to captured data and finds out if it shows intrusion activity. Other important components are input and output plug-ins. Input plug-ins pre-process captured data and make it available to the detection engine. Output plug-ins are used to log intruder activity in different formats. For example, to log data to an Oracle database, you need a database output plug-in.

Rules are used to detect intruder activity and take certain actions when such an activity is detected. Writing good rules is an important part of Snort deployment. Could you offer some best practices for running Snort on multiple network interfaces?
You can run Snort on multiple network interfaces. You should run a separate copy of Snort on each network interface. You should not assign [an] IP address to the network interface(s) on which you run Snort. On Snort sensors where you have multiple network interfaces, you should spare one of these interfaces for the management purpose, and an IP address should be assigned to this interface only. What are the most common mistakes made when installing Snort in an enterprise environment?
Snort comes with a default configuration file, which is the most generic one. Most of the people leave this generic file unchanged, which may slow down Snort from a performance perspective. For example, the file includes all default rules. If you are not running a Web server, you may not like to have rules related to Web server intrusion activated. If you select rules carefully, it will increase the performance of Snort. Additionally, default rules may generate lots of fault positive alarms. You need to fine-tune the system according to your environment.

Another important aspect of Snort deployment is that the Snort sensor should not be visible to outside users. You can do it by not assigning any IP address to the network interface on which Snort is running (running Snort in stealth mode). What role do honeypots play in Linux security?
The basic idea of honeypots is to attract hackers to systems, which look like real production servers and get information about their techniques by logging hacker activities. Honeypots are important not only for Linux security but for other operating systems and applications as well. From a Linux perspective, you get to know different techniques hackers are trying to use. Having this knowledge, you can increase security on your systems and fortify them.


See this Ask the Expert on Snort

For more information about intrusion detection

Dig Deeper on Linux servers