16
Chapter 1 Introduction to Intrusion Detection and Snort
- Simply logging to the /var/log/snort/alerts file or some other file
- Sending SNMP traps
- Sending messages to the syslog facility
- Logging to a database like MySQL or Oracle. You will learn more about using MySQL later in this book.
- Generating eXtensible Markup Language (XML) output
- Modifying configuration on routers and firewalls
- Sending Server Message Block (SMB) messages to Microsoft Windows based machines
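The following snort.conf fragment is an added example, not code from the book, showing how several of the output options listed above are enabled side by side. It uses the Snort 2.x output plugin directive syntax; the host name, database credentials and file names are placeholder assumptions to be replaced for a real deployment.

```conf
# Added example (not from the book): an "output" section of snort.conf that
# turns on several output plugins at once. Snort runs every enabled output
# plugin for each alert, so the same event can go to a file, syslog and a
# database. Host names, credentials and file names below are placeholders.

# 1. Plain-file logging: full alert text plus the triggering packet header,
#    written to <logdir>/alert (by default /var/log/snort/alert). Simple to
#    read, but the file lives on the sensor, so it is the easiest copy to
#    tamper with if the sensor itself is compromised.
output alert_full: alert

# 2. syslog: each alert is also handed to the local syslog daemon with the
#    AUTH facility at ALERT priority. Forwarding syslog to a separate log host
#    keeps a copy of the evidence that does not depend on the sensor's disk.
output alert_syslog: LOG_AUTH LOG_ALERT

# 3. Binary packet log in tcpdump (pcap) format, so the packets behind an
#    alert can be re-examined later with tcpdump or Snort (snort -r <file>).
output log_tcpdump: snort.log

# 4. Database logging (MySQL shown; the same plugin supports PostgreSQL,
#    Oracle and others). Give the database user INSERT rights only on the
#    Snort tables, and protect the password in this file by making snort.conf
#    readable only by the account Snort runs as (for example mode 0600).
output database: alert, mysql, user=snort password=CHANGE_ME dbname=snort host=db.example.com
```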
Other tools can also be used to send alerts in other formats, such as e-mail messages, or to view alerts through a web interface. You will learn more about these in later chapters. Table 1-1 summarizes the different components of an IDS.
Table 1-1 Components of an IDS

Name                            Description
Packet Decoder                  Prepares packets for processing.
Preprocessors or Input Plugins  Used to normalize protocol headers, detect anomalies, and perform packet reassembly and TCP stream reassembly.
Detection Engine                Applies rules to packets.
Logging and Alerting System     Generates alert and log messages.
Output Modules                  Process alerts and logs and generate the final output.
1.4 Dealing with Switches
Depending upon the type of switches used, you can use Snort on a switch port. Some switches, like Cisco, allow you to replicate the traffic of all ports onto one port where you can attach the Snort machine. These ports are usually referred to as spanning ports. The best place to install Snort is right behind the firewall or router so that all of the Internet traffic is visible to Snort before it enters any switch or hub. As an example, if you have a firewall with a T1 connection to the Internet and a switch is used on the inside, the typical connection scheme will be as shown in Figure 1-6.