Snort v2.33 - An Open Source Network Intrusion Prevention System

Mel

What is Snort?
==============
Snort is an open source network intrusion prevention system, capable of
performing real-time traffic analysis and packet logging on IP networks.
It can perform protocol analysis, content searching/matching and can be
used to detect a variety of attacks and probes, such as buffer
overflows, stealth port scans, CGI attacks, SMB probes, OS
fingerprinting attempts, and much more.

Snort uses a flexible rules language to describe traffic that it should
collect or pass, as well as a detection engine that utilizes a modular
plugin architecture. Snort has a real-time alerting capability as well,
incorporating alerting mechanisms for syslog, a user specified file, a
UNIX socket, or WinPopup messages to Windows clients using Samba's
smbclient.

Snort has three primary uses. It can be used as a straight packet
sniffer like tcpdump(1), a packet logger (useful for network traffic
debugging, etc), or as a full blown network intrusion prevention system.

http://www.snort.org/

About Snort
===========
In 1998, Martin Roesch wrote an open source technology called Snort,
which he termed a "lightweight" intrusion detection technology in
comparison to commercially available systems. Today that moniker doesn't
even begin to describe the capabilities that Snort brings to the table
as the most widely deployed intrusion prevention technology worldwide.
Over the years Snort has evolved into a mature, feature rich technology
that has become the de facto standard in intrusion detection and
prevention. Recent advances in both the rules language and detection
capabilities offer the most flexible and accurate threat detection
available, making Snort the "heavyweight" champion of intrusion
prevention.
Ricardo_Venezuela

I think Snort is more an IDS (detection system) than a PREVENTION
system. If I'm wrong, can you help me configure Snort to block attacks
from the internet?

I found a Perl script, but it only works on FreeBSD, not Linux.

Greetings all
Mel

Ricardo_Venezuela wrote:

> I think Snort is more an IDS (detection system) than a PREVENTION
> system. If I'm wrong, can you help me configure Snort to block attacks
> from the internet?
>
> I found a Perl script, but it only works on FreeBSD, not Linux.
>
> Greetings all

Inline Mode
===========
Snort 2.3.0 RC1 integrated the intrusion prevention system (IPS)
capability of Snort Inline into the official Snort project. Snort Inline
obtains packets from iptables instead of libpcap and then uses new rule
types to help iptables pass or drop packets based on Snort rules.

In order for Snort Inline to work properly, you must download and
compile the iptables code to include "make install-devel"
(http://www.iptables.org). This will install the libipq library that
allows Snort Inline to interface with iptables. Also, you must build and
install LibNet, which is available from http://www.packetfactory.net.

There are three rule types you can use when running Snort with Snort
Inline:

drop - The drop rule type will tell iptables to drop the packet and log
it via the usual Snort means.

reject - The reject rule type will tell iptables to drop the packet,
log it via the usual Snort means, and send a TCP reset if the protocol
is TCP or an ICMP port unreachable if the protocol is UDP.

sdrop - The sdrop rule type will tell iptables to drop the packet.
Nothing is logged.

http://www.snort.org/docs/snort_manual.pdf
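The three inline rule types quoted above, worked through as an added example that is not part of the original post and not Snort's own code. It parses a handful of rules written in Snort's header syntax, applies them to constructed packets standing in for what libipq hands over from the iptables QUEUE target, and reports what each action does: the verdict handed back to iptables, whether Snort's usual alert/log output is produced, and which active response (TCP reset or ICMP port unreachable) a reject sends. The Rule, Packet and Verdict types, the SAMPLE_RULES signatures and the packet payloads are all assumptions made here for illustration; only a small subset of the real rule language (protocol, destination port, msg, content) is handled.

```python
"""Model of the three Snort Inline rule actions: drop, reject and sdrop.

Added example, not Snort's own code.  Packets and rules below are
constructed for illustration; the matcher covers only proto, dport,
msg and a plain-substring content option.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Snort rule header: action proto src sport -> dst dport (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|drop|reject|sdrop)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+"
    r"\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    action: str
    proto: str
    dport: str                 # port number or "any"
    msg: str
    content: Optional[bytes]   # payload substring to look for, if any


@dataclass
class Packet:
    """Constructed stand-in for a packet taken off the iptables QUEUE."""
    proto: str
    dport: int
    payload: bytes = b""


@dataclass
class Verdict:
    iptables: str              # verdict returned to iptables: ACCEPT or DROP
    logged: bool               # whether the usual Snort alert/log is written
    response: Optional[str]    # active response sent to the source, if any
    msg: str = ""


def parse_rule(line: str) -> Rule:
    """Parse one rule line in Snort header syntax into a Rule."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable rule: {line!r}")
    opts = {}
    for opt in m["opts"].split(";"):
        if ":" in opt:
            key, val = opt.split(":", 1)
            opts[key.strip()] = val.strip().strip('"')
    content = opts["content"].encode() if "content" in opts else None
    return Rule(m["action"], m["proto"], m["dport"], opts.get("msg", ""), content)


def matches(rule: Rule, pkt: Packet) -> bool:
    """Protocol, destination port and (optional) content must all match."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if rule.dport != "any" and int(rule.dport) != pkt.dport:
        return False
    return rule.content is None or rule.content in pkt.payload


def verdict(rules: List[Rule], pkt: Packet) -> Verdict:
    """First matching rule wins.  The inline actions follow the manual text:
    drop   -> DROP, logged
    reject -> DROP, logged, TCP RST (tcp) or ICMP port unreachable (udp)
    sdrop  -> DROP, nothing logged
    alert  -> packet passes, logged (ordinary IDS behaviour)."""
    for rule in rules:
        if not matches(rule, pkt):
            continue
        if rule.action == "drop":
            return Verdict("DROP", True, None, rule.msg)
        if rule.action == "sdrop":
            return Verdict("DROP", False, None, rule.msg)
        if rule.action == "reject":
            # reject only answers TCP and UDP; other protocols get a plain drop
            response = {"tcp": "TCP RST", "udp": "ICMP port unreachable"}.get(pkt.proto)
            return Verdict("DROP", True, response, rule.msg)
        return Verdict("ACCEPT", True, None, rule.msg)     # alert
    return Verdict("ACCEPT", False, None)                  # no rule matched


# Constructed rule set for illustration; these are not real Snort signatures.
SAMPLE_RULES = [parse_rule(r) for r in (
    'drop tcp any any -> any 80 (msg:"WEB traversal attempt"; content:"../../";)',
    'reject udp any any -> any 53 (msg:"DNS version probe"; content:"version.bind";)',
    'sdrop tcp any any -> any 22 (msg:"SSH noise"; )',
    'alert tcp any any -> any 80 (msg:"HTTP request seen";)',
)]


if __name__ == "__main__":
    for pkt in (
        Packet("tcp", 80, b"GET /../../etc/passwd HTTP/1.0"),
        Packet("udp", 53, b"\x00\x07version.bind"),
        Packet("tcp", 22, b"SSH-2.0-scanner"),
        Packet("tcp", 80, b"GET / HTTP/1.0"),
        Packet("udp", 123),
    ):
        print(pkt.proto, pkt.dport, verdict(SAMPLE_RULES, pkt))
```

Running the block walks one packet through each action. The point worth noticing is the sdrop case: the packet is dropped but no alert is written, so a rule set that leans on sdrop blocks traffic you will never see in the logs; drop gives the same blocking with the alert kept.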