Snort is mainly a so called Network Intrusion Detection System (NIDS), it is
Open Source and available for a variaty of unices as well as Microsoft
Windows (R).
A NIDS cares for a whole network segment in contrast to a host based IDS
which only cares for the host it is running on.
Since NIDS are mostly used in conjunction with firewalls it is vital to not
being vulnerable for attacks itself. Therefor all interfaces used with snort
bound to should be set up without ip addresses. Since this can not be achieved
in every configuration, e.g. if you want to bind snort on an isdn interface
ippp0, it should be considered to use a standalone computer for snort and set
it up as a firewall and router for the dial-up connection too.
For more information on that topic see the
Firewall-HOWTO or my
Firewalling+Masquerading+Diald+dynamic IP-HOWTO.
Snort can be used to care for more than one network segment which we will
discuss later.
Snort also can be used as a sniffer to troubleshoot network problems, but
that's not a topic in this document.
ACID, the Analysis Console for Intrusion Databases, is part of the AIR-CERT
project. It makes use of PHPlot, a library for creating nice graphs in PHP,
and ADODB, an abstraction library for combining PHP and various database
systems like MySQL and PostgreSQL. The ACID homepage says:
"The Analysis Console for Intrusion Databases (ACID) is a PHP-based
analysis engine to search and process a database of incidents generated by
security-related software such as IDSes and firewalls."
Max Vision's IDS rules (referred to as vision.rules
because this is the name of the downloadable file) are used to complete the
rules shipped with snort.
arachnids_upd is a small but fine perl script which downloads the actual
vision.rules using wget and optionally deletes
single rules given in an ASCII file.
