Snort

  1. Snort
  2. SSP
  3. DAQ

Snort

  • versions
    • v2: non-modular
    • v3: modular, multi-threaded
  • protocols
    1. TCP
    2. UDP
    3. ICMP
    4. HTTP: Snort v3
  • actions
    1. alert: generate an alert and log the packet
    2. log
    3. pass
    4. drop: block the packet and log it
    5. reject: block the packet, send a TCP RST or ICMP unreachable, and log it
    6. sdrop: block the packet without logging
  • no FQDN lookup (rule addresses are IP-based, not hostnames)
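The action list above says which actions block and which leave a log record, and the last bullet says Snort does not resolve hostnames. The following added example (written for these notes, not Snort's own code) parses classic one-line rule headers, maps each action to the block/log behaviour listed above, and flags two things a reviewer of a ruleset would want to see: rules that block or pass silently, and header addresses that are neither IPs/CIDRs, `any`, nor `$VARIABLES` and so would never match. The sample rules, SIDs and addresses are constructed for the example.

```python
"""Parse Snort rule headers and review them against the action semantics in the notes.

Added example, not Snort's own code. Assumes classic one-line rule syntax
`action proto src sport dir dst dport (options)` and only the six actions above.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Behaviour per action as summarised in the notes: does it block, does it log?
ACTIONS: Dict[str, Dict[str, bool]] = {
    "alert":  {"blocks": False, "logs": True},   # alert and log the packet
    "log":    {"blocks": False, "logs": True},
    "pass":   {"blocks": False, "logs": False},  # allowed, no record
    "drop":   {"blocks": True,  "logs": True},   # block and log
    "reject": {"blocks": True,  "logs": True},   # block, TCP RST / ICMP unreachable, log
    "sdrop":  {"blocks": True,  "logs": False},  # block without log
}

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    dst: str
    sid: Optional[int]
    blocks: bool
    logs: bool


def parse_rules(text: str) -> List[Rule]:
    """Parse one-line rules; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HEADER_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a rule header: {line!r}")
        action = m["action"].lower()
        if action not in ACTIONS:
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        sid_m = SID_RE.search(m["opts"])
        rules.append(Rule(action=action, proto=m["proto"].lower(), src=m["src"],
                          dst=m["dst"], sid=int(sid_m.group(1)) if sid_m else None,
                          **ACTIONS[action]))
    return rules


def hostname_like(addr: str) -> bool:
    """True if an address field holds a token Snort would not resolve (no FQDN lookup).

    Accepts `any`, `$VARIABLES`, IPs/CIDRs (v4 or v6), negation and bracketed lists.
    """
    for tok in addr.split(","):
        tok = tok.strip().strip("![]")
        if tok == "any" or tok.startswith("$"):
            continue
        try:
            ipaddress.ip_network(tok, strict=False)
        except ValueError:
            return True
    return False


def review(rules: List[Rule]) -> Dict[str, List[Optional[int]]]:
    """Flag rules that leave no record and headers that name hosts Snort cannot resolve."""
    findings: Dict[str, List[Optional[int]]] = {
        "blocks_without_log": [], "passes_without_log": [], "hostname_in_header": []}
    for r in rules:
        if r.blocks and not r.logs:
            findings["blocks_without_log"].append(r.sid)
        if not r.blocks and not r.logs:
            findings["passes_without_log"].append(r.sid)
        if hostname_like(r.src) or hostname_like(r.dst):
            findings["hostname_in_header"].append(r.sid)
    return findings


# Constructed sample ruleset (not a real ruleset); SIDs and addresses are made up.
SAMPLE_RULES = """
# one rule per action, plus one with a hostname in the header
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection"; sid:1000001; rev:1;)
log udp any any -> $HOME_NET 53 (msg:"DNS query logged"; sid:1000002; rev:1;)
pass tcp 10.0.0.5 any -> $HOME_NET 443 (msg:"trusted scanner"; sid:1000003; rev:1;)
drop tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"telnet blocked"; sid:1000004; rev:1;)
reject tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"SMB rejected"; sid:1000005; rev:1;)
sdrop icmp any any -> $HOME_NET any (msg:"ICMP silently dropped"; sid:1000006; rev:1;)
alert tcp any any -> bad.example any (msg:"hostname in header"; sid:1000007; rev:1;)
"""

if __name__ == "__main__":
    for name, sids in review(parse_rules(SAMPLE_RULES)).items():
        print(f"{name}: {sids}")
```

Run stand-alone it reports SID 1000006 (sdrop) as blocking without a record, SID 1000003 (pass) as allowing without one, and SID 1000007 as carrying a hostname Snort will never resolve.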

SSP

  • Snort Security Platform
  • functions:
    • data acquisition
    • encoding/decoding
    • flow normalization
    • defragmentation
    • stream assembly

DAQ

  • data acquisition module
  • pcap module: reads a PCAP file or a single interface (passive, IDS); afpacket module: bridges two interfaces inline (IPS)