Snort is, together with Suricata, one of the most widely used intrusion detection systems (IDS) and intrusion prevention systems (IPS) today. Snort is a free, open-source network IDS/IPS: it examines all network traffic in real time on whichever interface (WAN or LAN) we place it, and its goal is to detect any kind of malicious traffic and block it through the firewall. The final, stable release of Snort 3 is due very soon; it incorporates a large number of improvements over Snort 2, which is still the version in general use.
Snort main features
Snort, as an IDS and IPS, includes an attack detection engine and port-scan detection driven by rules that can be downloaded free of charge and are updated regularly; the download of new rules can also be automated. Snort can log, alert on and respond to any network attack we have previously described in the rules it has loaded, and we can write our own rules so that Snort detects exactly what we need.

Most firewall operating systems, such as pfSense or OPNsense, ship this popular IDS/IPS alongside Suricata, since they are the two best and most widely used in the industry. With them we can build a complete firewall to protect our home network quite easily.
During Snort's installation and configuration we can load thousands of rules; however, it is highly recommended to "train" Snort, that is, to tune the rule set, so that it does not raise false positives and therefore block legitimate traffic. It ships with rules for backdoors, DoS attacks, OS fingerprinting, attacks on services such as SSH, Samba and FTP, web attacks, every kind of Nmap scan and much more.
Snort can run in several different modes:
- Sniffer: in its most basic mode Snort acts as a sniffer, capturing and examining all traffic on the interface or interfaces where we enable it.
- Packet logger: after capturing, if a packet matches a rule or pattern we have previously loaded, Snort records that packet. From the log we know what triggered the record, from which IP address and port it came, and to which IP address and port the attempt was made.
- Intrusion prevention: Snort works together with the firewall; if a captured packet matches a rule or pattern, Snort not only logs it but can also act by blocking the offending IP address through the firewall.
Now that we know in a very basic way what Snort is and what its main characteristics are, let us look at what Snort 3 brings compared with Snort 2.
Differences between Snort 3 and Snort 2
Snort 3.0 is a major evolution of the current Snort 2.X: the new version is more efficient, offers better performance, scalability and usability, and is far more extensible. Some of the main improvements in this version are the following:
- Support for multiple packet-processing threads that share one configuration and rule set, which lets Snort consume fewer resources, especially RAM.
- Access to more than 200 plugins.
- Support for Hyperscan, which matters because it speeds up the matching of content literals and PCRE patterns while the loaded signatures are evaluated.
- The handling of the TCP transport protocol has been completely rewritten for the best possible performance.
- A new rule parser and new rule syntax have been added, and rules now support comments as well.
- Improved shared-object rules, and rules for 0-day vulnerabilities can be added.
- New performance monitors and time and space profiling.
- If the CPU has multiple cores, scaling to make the best use of the hardware is much simpler.
- It can now process a raw payload, and join two sockets for inspection.
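As an added example (my own code, not Snort's engine and not from the Snort blog), the following Python toy ties together the three modes listed earlier (sniffer, packet logger, intrusion prevention) and the rule-syntax change mentioned above: it parses constructed rules written in Snort 2 option syntax (each content modifier such as depth as its own option) and in Snort 3 syntax (modifiers attached to the content, comma separated), normalises both to the same structure, and runs them over constructed packets. The network variables, rules, IP addresses and packets are all made up for the example; the matcher is a deliberate simplification (single ports only, first matching rule decides) and is not how Snort orders actions.

```python
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Network variables are assumptions for this example; real Snort reads them from its configuration.
VARS = {"$HOME_NET": "192.168.1.0/24", "$EXTERNAL_NET": "!192.168.1.0/24"}
HEADER_RE = re.compile(r"^(alert|drop|log|pass)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")
OPT_RE = re.compile(r'\s*(\w+)(?::((?:"[^"]*"|[^;"])*))?;')  # matches name:value; or a bare name;
RULES_TEXT = r'''
# Snort 2 option syntax: depth is its own option and modifies the content before it
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH banner from outside"; content:"SSH-"; depth:4; sid:1000001; rev:1;)
# Snort 3 option syntax: modifiers are attached to their content, comma separated
drop tcp $EXTERNAL_NET any -> $HOME_NET 80 ( msg:"Path traversal to /etc/passwd"; content:"/etc/passwd",nocase; sid:1000002; rev:1; )
alert udp any any -> $HOME_NET 53 ( msg:"DNS standard query"; content:"|00 01 00 00|",depth 12; sid:1000003; rev:1; )
'''
Packet = namedtuple("Packet", "proto src sport dst dport payload")

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str = ""; sid: int = 0
    contents: list = field(default_factory=list)  # dicts: needle bytes, depth (0 = whole payload), nocase flag

def decode_content(quoted):
    """Quoted content string to bytes; odd |...| segments are hex, e.g. "GET|20|/"."""
    segs = quoted.strip()[1:-1].split("|")
    return b"".join(bytes.fromhex(s) if i % 2 else s.encode() for i, s in enumerate(segs))

def set_modifier(content, name, value=""):  # depth takes a number, nocase is a flag
    content[name] = int(value) if name == "depth" else True

def parse_rules(text):
    rules = []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):  # '#' comment lines
            continue
        if not (m := HEADER_RE.match(line)):
            raise ValueError(f"unparseable rule: {line}")
        *header, body = m.groups()
        rule = Rule(*header)
        for name, value in OPT_RE.findall(body):
            if name == "content":
                parts = [p.strip() for p in re.findall(r'"[^"]*"|[^,]+', value)]
                rule.contents.append({"needle": decode_content(parts[0]), "depth": 0, "nocase": False})
                for mod in parts[1:]:  # Snort 3 form: "depth 12", "nocase" attached to the content
                    set_modifier(rule.contents[-1], *mod.split(None, 1))
            elif name in ("depth", "nocase"):  # Snort 2 form: a standalone option after the content
                set_modifier(rule.contents[-1], name, value)
            elif name == "msg":
                rule.msg = value.strip().strip('"')
            elif name == "sid":
                rule.sid = int(value)
        rules.append(rule)
    return rules

def addr_match(spec, ip):  # 'any', a network, or '!network' (negated), with $VAR expansion
    spec = VARS.get(spec, spec)
    return spec == "any" or (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"), strict=False)) != spec.startswith("!")

def content_found(c, payload):
    hay, needle = payload[:c["depth"] or None], c["needle"]  # depth 0 means search the whole payload
    return (needle.lower() in hay.lower()) if c["nocase"] else (needle in hay)

def rule_matches(rule, pkt):
    """Header first (proto, addresses, single ports; ranges omitted), then every content must be found."""
    header_ok = (rule.proto in ("ip", pkt.proto) and addr_match(rule.src, pkt.src) and addr_match(rule.dst, pkt.dst)
                 and all(s == "any" or int(s) == p for s, p in ((rule.sport, pkt.sport), (rule.dport, pkt.dport))))
    return header_ok and all(content_found(c, pkt.payload) for c in rule.contents)

def sniff(packets):  # sniffer mode: summarise every packet, no rules involved
    return [f"{p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} len={len(p.payload)}" for p in packets]

def detect(rules, packets):  # packet logger / IDS mode: record every match, never interfere with traffic
    return [(r.action, p.src, r.sid, r.msg) for p in packets for r in rules if rule_matches(r, p)]

def enforce(rules, packets):
    """IPS mode: a 'drop' match adds the source to a firewall block table; later packets from it are discarded."""
    blocked, verdicts = set(), []
    for p in packets:
        if p.src in blocked:  # the firewall discards it before Snort ever sees it
            verdicts.append(("firewall", p.src, None))
            continue
        hit = next((r for r in rules if rule_matches(r, p)), None)  # first match decides (simplified ordering)
        if hit:
            verdicts.append((hit.action, p.src, hit.sid))
            if hit.action == "drop":
                blocked.add(p.src)
    return verdicts, blocked

RULES = parse_rules(RULES_TEXT)
PACKETS = [  # constructed traffic for the example
    Packet("tcp", "203.0.113.5", 40000, "192.168.1.10", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),
    Packet("tcp", "192.168.1.20", 50000, "192.168.1.10", 22, b"SSH-2.0-OpenSSH_8.4\r\n"),  # internal source
    Packet("tcp", "203.0.113.5", 40001, "192.168.1.10", 80, b"GET /../../etc/PASSWD HTTP/1.1\r\n"),
    Packet("tcp", "203.0.113.5", 40002, "192.168.1.10", 443, b"\x16\x03\x01"),  # source already blocked
    Packet("udp", "198.51.100.7", 5353, "192.168.1.10", 53, b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"),
]
```

Calling detect(RULES, PACKETS) gives the three matches an IDS would log (the internal SSH client never matches because $EXTERNAL_NET is negated); enforce(RULES, PACKETS) shows the IPS difference: after the drop rule fires on the traversal request, the later HTTPS packet from the same source is discarded by the block table without ever reaching rule evaluation. Note also that the depth written as a separate Snort 2 option and the depth attached to the content in Snort 3 form end up in the same parsed structure.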
The following image, taken directly from the official Snort blog, compares Snort 2 and Snort 3.

We recommend visiting the official Snort blog, where you will find all the details of this new version.