Intrusion detection and intrusion prevention systems (IDS and IPS, respectively) provide the ability to inspect and analyze network traffic and either generate alerts or drop traffic in the event that an attack or a malicious event is detected. They are two of a number of controls, such as firewalls, designed to protect your network from a variety of attacks. Both IDS and IPS are commonly deployed in organization’s perimeters to protect externally-facing assets, like Internet-facing Web services. They can also be deployed internally to ward off attacks or virus outbreaks. For example, an IPS sensor that can be configured to stop the spread of a virus or worm may be located in-line on an internal network choke point.
We’re going to demonstrate how to quickly install and run the open source IDS sensor Snort on Red Hat Enterprise Linux 5 (RHEL 5). The instructions below will also generally work for RHEL 4, CentOS 4 and 5, as well as Fedora Core 5 and 6.
For many environments, especially in the small-medium business market but also in many larger corporate and government clients, Snort remains the ubiquitous IDS tool. It is fast and easy to set up and runs on most commercially available hardware, including platforms from IBM, HP, Sun and commodity PC hardware. It is a signature-based, (which Snort calls “rules”) IDS engine that is easy to deploy and easy to tune. Rules are open and can be readily edited, and writing and adding your own rules requires only a little learning. Snort is also capable of outputting data in a variety of formats: binary (called “Unified”), syslog, to a file and to a SQL database (one of Oracle, PostgreSQL, MySQL or Microsoft SQL Server). Many users commonly output data to a SQL database.