Snort - A network intrusion prevention and detection system

Snort is an open source network intrusion prevention and detection system (IDS/IPS) developed by Sourcefire. Combining the benefits of signature, protocol, and anomaly-based inspection, Snort is the most widely deployed IDS/IPS technology worldwide.

Snort can perform protocol analysis and content searching/matching. It can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more. It uses a flexible rules language to describe traffic that it should collect or pass, as well as a detection engine that utilizes a modular plug-in architecture. Snort has a real-time alerting capability as well, incorporating alerting mechanisms for syslog, a user specified file, a UNIX socket, or WinPopup messages to Windows clients. Snort has three primary uses: a straight packet sniffer like tcpdump, a packet logger, or a full network intrusion prevention system.


Features
  • Protocol analysis and content searching/matching
  • Uses a flexible rules language to describe traffic that it should collect or pass
  • Detection engine that utilizes a modular plug-in architecture
  • Real-time alerting capability
  • Detects buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and more
Wednesday, July 18, 2012
Snort 2.9.3.0 has been released!
Snort 2.9.3.0 is now available on snort.org, at http://www.snort.org/snort-downloads/in the Latest Release section.

[*] New additions
* Update to flowbit rule option to allow for OR and AND of individual bits within a single rule, and allow flowbits to be used in multiple groups. See README.flowbits and the Snort manual for details.

* Dynamic output plugin architecture to provide an API that developers can write their own output mechanisms to log alert and packet data from Snort.

* Update to dcerpc2 preprocessor for improved accuracy and handling of different OSs for SMB processing. SeeREADME.dcerpc2 and the Snort manual for details.

* Updates to reputation preprocessor for handling of whitlelist and trustlists and zone information. SeeREADME.reputation and the Snort manual for details.

[*] Improvements

* Updates to http_inspect client PAF handling and server flow_depth handling.

* Logging updates to the smtp preprocessor.

* Added detailed documentation of unified2 logging configuration and logging.

* Removed --enable-decoder-preprocessor-rules configure option and hardened preprocessor and decoder rule event code. To enable old behavior such that specific preprocessor and decoder rules don't have to be explicitly added to snort.conf, add "config autogenerate_preprocessor_decoder_rules" to your snort.conf.

* Fixed SMTP mempool allocation for significant memory savings. Also tweaked memory required per stream5 session tracker.

* Force exact versioning match of running dynamic engine and dynamic engine used to build SO rules.

* User can now query reputation pp for routing table and management information.

* Update to return error messages through the control channel.

* Updates to the processing of email attachments for better handling of non-encoded attachments, and improved memory management for attachment processing.

* Improvements in HTTP Inspect for better performance with gzip decompression. Also improvements for handling simple responses, encoded query strings, transfer encoding and chunk encoding processing.

* Updates to the packet decoders to support pflog v4.

* Fix logging of multiple unified2 alerts with reassembled packets.

* Compiler warning cleanup across multiple platforms.

* Added 116:458 and 116:459 to cover fragmentation issues.

[*] Deletions
* Removed all database outputs.

Please see the Release Notes and ChangeLog for more details.
Snort Downloads

If you are using RHEL5, CentOS 5.5, or Fedora Core 11, please click here.

The Snort Engine is distributed both as source code and binaries for popular Linux distributions and Windows. It’s important to note that the The Snort Engine and Snort Rules are distributed separately.
Latest Release
We strongly recommend that you keep pace with the latest production release. Snort is evolving all the time and to stay current with latest detection capabilities you should always have both your Snort engine and ruleset up to date.


Name
Modified
Size
Status
Totals: 9 Items

17.9 MB
2012-07-19
4.9 MB
i8 downloads
2012-07-19
472.2 kB
i1 downloads
2012-07-19
4.9 MB
i1 downloads
2012-07-19
2.2 MB
i1 downloads
2012-07-19
455.6 kB
i1 downloads
2012-07-19
2.1 MB
i1 downloads
2012-07-19
148.1 kB
i1 downloads
2012-07-19
2.5 MB
i38 downloads
2012-07-19
147.3 kB
i1 downloads

PGP Information

Snort releases 2.9.0 and above are signed with this pgp key.
Trust Chain: This new key can be verified with this signature, signed by our previous key.
Snort releases 2.8.3 and above are signed with this pgp key.
Trust Chain: This new key can be verified with this signature, signed by our previous key.
Snort Official Documentation
The official documentation produced by the Snort team at Sourcefire
TitleAuthor
Snort Users ManualSnort Team
Snort FAQSnort Team
The Snort Manual (HTML)Snort Team

Snort Setup Guides

The following setup guides have been contributed by members of the Snort Community for your use. Comments and questions on these documents should be submitted directly to the author. Authors who want comments and feedback may be emailed by clicking on their names below.
If you have a document you’d like to contribute to the Snort community contact at snort-team@sourcefire.com.
TitleAuthor
Snort 2.9.3.0 on Debian 6.0.5PDF SmallJason Weir
Snort 2.9.3.0 on OpenSuSE 12.1PDF SmallWilliam Parker
Snort 2.9.3.0 on FreeBSD 8.2PDF SmallWilliam Parker
Snort 2.9.3.0 on OpenSuSE 11.4PDF SmallWilliam Parker
Snort 2.9.3.0 on Ubuntu 10.04 LTSPDF SmallDavid Gullett, Symmetrix Technologies
Snort 2.9.1.2 on Mac OS XPDF SmallChristoph Murauer
Snort 2.9.0.x with PF_RING Inline deploymentPDF SmallMetaflows Google Group
Snort on Amazon EC2PDF SmallEtay Nir, Sourcefire

Snort Deployment Guides

The following deployment guides have been contributed by members of the Snort Community for your use. If you have a document you’d like to contribute to the Snort community contact us at snort-team@sourcefire.com.
TitleAuthor
Comparison of Popular Snort GUIsPDF SmallJames Lay

Snort Related Whitepapers

The following Whitepapers have been written by Sourcefire employees and may help with your Snort deployment. For further information on these papers, please email snort-team@sourcefire.com
TitleAuthor
VRT Methodology WhitepaperPDF SmallSourcefire Vulnerability Research Team (VRT)
Improving your Custom Snort RulesPDF SmallLeon Ward
Inline Normalization using Snort 2.9.0PDF SmallRuss Combs
Using Perfmon and Performance Profiling to Tune Snort Preprocessors and RulesPDF SmallSteven Sturges
HTTP Evasions RevisitedPDF SmallDaniel Roelker
Target Based Fragmentation ReassemblyPDF SmallJudy Novak
Target Based Stream ReassemblyPDF SmallJudy Novak


Visit website -
http://www.snort.org/
Documentation -
http://www.snort.org/docs
For more information -
http://screenshots.portforward.com/SnapGear/SG565/Intrusion_Detection_Snort.htm
Testing Snort with Windows Sp2The snort2pfsense shell script (snort to pfSense)Making snort a Service in Server 2008Snort Config files