Learn how Snort collects IDS and IPS data. Jungwoo shows what IDS/IPS data looks like and how to interpret it.
- [Instructor] Snort is a popular solution for both intrusion protection and prevention. It can even run in a packet sniffer mode when its detection and prevention capabilities are turned off. When running it in its sniffer mode, Snort can store the captured packets in the pcap format. As an intrusion detection and prevention system, Snort can either generate a log file or forward its alerts to log servers such as syslog-ng. Whether they're stored in a file or forwarded, the Snort alerts have the following basic format.
The first number in the square brackets is the generator ID, showing which part of Snort created the alert. The second number is the signature ID, tied to the Snort rule that activated the alert. The third number is the revision ID, used to tell how many revisions have been made since the Snort rule was created. You can also record the header information of the packet that triggered the alert, which contains fields such as the timestamp, source IP and port, and destination IP and port, as shown here.
Snort offers various other output methods, including comma-separated values or CSV, extensible markup language or XML, database, unified, etc.
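As an added example (not code from the course), here is a Python parser for Snort's single-line alert_fast output that pulls out the generator, signature and revision IDs and the packet header fields described above, then tallies alerts per signature. The log lines it reads are constructed, and it assumes IPv4 endpoints.

```python
import re
from typing import Optional

# Matches one line of Snort's "alert_fast" output (assumption: the log was produced
# with that output plugin): timestamp, [gid:sid:rev], rule message, optional
# classification and priority, protocol, then "src -> dst" from the packet header.
ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s+(?P<classification>[^\]]+)\])?"
    r"(?:\s+\[Priority:\s+(?P<priority>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)

def _split_endpoint(endpoint: str):
    """Split 'ip:port' into (ip, port); ICMP alerts carry no port (assumes IPv4)."""
    ip, sep, port = endpoint.rpartition(":")
    return (ip, int(port)) if sep else (endpoint, None)

def parse_alert(line: str) -> Optional[dict]:
    """Return the alert's fields as a dict, or None for a line that is not an alert."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev"):
        a[key] = int(a[key])                      # the three IDs in the square brackets
    a["priority"] = int(a["priority"]) if a["priority"] else None
    a["src_ip"], a["src_port"] = _split_endpoint(a.pop("src"))
    a["dst_ip"], a["dst_port"] = _split_endpoint(a.pop("dst"))
    return a

def count_by_signature(lines) -> dict:
    """Tally alerts per (gid, sid) so the noisiest signatures surface first."""
    counts: dict = {}
    for alert in filter(None, map(parse_alert, lines)):
        key = (alert["gid"], alert["sid"])
        counts[key] = counts.get(key, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))

# Constructed sample log (not real alerts): placeholder local-range sids, invented messages.
SAMPLE_LOG = """\
03/09-14:20:01.123456  [**] [1:1000001:2] LOCAL example web rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.5:51234
03/09-14:20:03.000001  [**] [1:1000002:1] LOCAL ping observed [**] [Priority: 3] {ICMP} 10.0.0.5 -> 192.168.1.10
03/09-14:20:05.500000  [**] [1:1000001:2] LOCAL example web rule [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:80 -> 10.0.0.6:40001
"""

if __name__ == "__main__":
    print(count_by_signature(SAMPLE_LOG.splitlines()))
```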