Snort Review and Alternatives

Snort is an open-source project with development contributions from volunteers. However, the project is well organized and fully funded, making this a free tool of professional standard. The Snort package is a network intrusion detection system. This is an advanced security tool that many users would pay a high price to acquire, but they don’t need to because Snort is entirely free to use.

The system security sector utilizes many overlapping strategies, and it can be challenging to work out exactly which tools a business needs to block malicious activity. Also, it is sometimes difficult to work out what packages are system monitors and which are security services.

Snort is a system security tool. However, that security mechanism is based on live data gathering that provides system monitoring as well. As a free tool, Snort is a disruptor. It matches the capabilities of many expensive tools and could easily damage the profitability of many large software development corporations if more network management knew of Snort’s existence.

Intrusion detection systems

An intrusion detection system (IDS) is aimed at identifying hackers. This is the second line of defense and grew from the software industry’s realization that the fight against hackers is a relentless, unwinnable war.

Traditional defense systems patrol the perimeter. The classic network defender is the firewall. It blocks malware from traveling in and prevents a range of hacker strategies by refusing all inbound connection requests. However, that strategy would be hopeless for Web services and impossible to patrol when insiders can open up connections to malicious outside locations.

No matter what plan a firewall developer comes up with to block malicious outsiders, hackers will always find a way in. So IDSs take a realistic approach and accept that some hackers will always get through. Hope for the best but plan for the worst.

Snort is the system equivalent of homeland security.

IDS and SIEM

There are two prominent locations for any type of activity within a system: on endpoints and between them. Therefore, there are two types of intrusion detection systems: the host-based IDS (HIDS) and the network intrusion detection system (NIDS).

Snort is a NIDS.

When reading about HIDS and NIDS, you will realize that those descriptions are exactly what you read in the brochure for the SIEM that you bought. This is because HIDS, NIDS, SIM, SEM, and SIEM overlap all industry terms.

Security event management (SEM) looks at live activity on a system, which usually boils down to watching networks for malicious traffic. NIDS, therefore, is the same as SEM. Security information management (SIM) involves searching through log files and activity records collected from devices and centralized. This is exactly what host-based intrusion detection systems do. SIEM is Security Information and Event Management – it combines a SIM and an SEM. Therefore, SIEM = HIDS + NIDS.

The boundaries between SIM and SEM and, therefore, HIDS and NIDS can be blurred to confuse matters further. This is because log messages are originally live reports, and the reports that live monitoring systems rely on can be filed.

Intrusion prevention

The only reason you would want to spot malicious activity is to stop it. Your IDS flashes a warning telling you that traffic from a particular IP address or user account is doing something terrible. You will suspend that user account and update firewall rules to block that IP address. You will do that every time.

Given that there are only so many actions that a human administrator can take when an intruder is identified, can’t a computer be made to do those things instead? Yes, it can, and that’s what an intrusion prevention system (IPS) does.

An IPS is an IDS with a few extra routines that communicate with access rights managers and firewalls to powerless those detected malicious actors.

Snort is an intrusion prevention system.

The history of Snort

Martin Roesch is one of the leading figures in the development of system security. His rise to prominence began in 1998 when he created Snort. As more people go to know Snort, the admiration for Roesch grew. Finally, in 2001, he founded Sourcefire, Inc., which held the copyright on Snort.

Sourcefire produced a network appliance called Firepower, which implemented security by embedding Snort processes. In short, Firepower was Snort-as-a-device. But, while Sourcefire made money off Firepower, it kept Snort free and independently managed. So, Firepower subsidized Snort.

Ordinarily, the copyright licensing structure for open source systems lets businesses use and develop the code but prevents them from remarketing that system for profit. However, as Sourcefire owned the copyright to Snort, it wasn’t subject to that restriction.

The Snort and Firepower product line was a winning combination for Sourcefire, and in July 2013, Roesch and his investors sold the company to Cisco Systems for $2.7 billion. Roesch is now Vice President of Cisco’s Security Business Group, and Snort is still free to use.

Uses for Snort

Snort has three modes. These provide different services. The operating levels of Snort are:

  • Sniffer Mode This works as a packet capture system that shows passing traffic in a viewer in the Snort console.
  • Packet Logger Mode This option writes collected packets to file.
  • Network Intrusion Detection System Mode This is the distinctive use for Snort and sets it apart from all other packet sniffers to make it a defense system rather than just a tool for research.

The operational strategy of Snort is layered. Effectively, each higher mode builds upon the services provided by the lower service. For example, there isn’t much difference between the Sniffer Mode and the Packet Logger Mode – the second just stores the packets that the first collects. However, there is a big difference between the Packet Logger Mode and the Network Intrusion Detection System Mode. This leap involves the application of rules. These are called Snort Rulesets.

Snort Rulesets

Rulesets are one of the ways that Cisco can make some money off the Snort package. Rulesets make Snort into an IDS – without these, it is just a packet sniffer. There are two types of rulesets: Community Rulesets and Snort Subscriber Rulesets. The Community Rulesets are free.

A rule is a paring of conditions and actions: IF this happens, THEN do that. The action is usually a series of steps. Any programmer will immediately recognize this structure and a conditional branching mechanism that is one of the mainstays of a computer program. So, the title of “rulesets” underplays the importance of these plugins.

The Community Rulesets are not quite as amateurish as they sound. First of all, keep in mind that the Snort Community comprises highly experienced, qualified network specialists. Not every idea makes it into the Community Ruleset menu. Analysts from Cisco Talos, a security applications research team, vet each Community Ruleset candidate. This ensures that hackers can’t intentionally introduce security scanning blind spots into the Snort system.

Snort deployment options

Snort’s source code is available for download, which means, if you have the skills and the time, you can adjust the program before compiling and using it. That scenario lies at the heart of many of the updates to the system because those users who come up with a bright idea for an extension to Snort submit those changes to the central committee for consideration. After analysis, some of those customizations become part of the core functionality of Snort. The source code is bundled in a tar format, suitable for use on Linux.

Installers are available to get Snort running on Fedora and CentOS Linux, FreeBSD, and Windows. These packages are available for free from the Snort Home page.

Snort strengths and weaknesses

Snort has a very loyal user community that constantly researches possible improvements to the package and dispenses free advice to newcomers. As a result, the tool is very highly regarded and challenging to beat. Here is our assessment of Snort.

Pros:

  • Free to use
  • Scans network traffic for analysis
  • Allows packets to be stored to file for analysis in other tools
  • Allows remediation actions to be triggered upon the detection of an intruder
  • Flexible and can be customized with rulesets
  • Has several related third-party partner tools

Cons:

  • Is susceptible to DoS attacks from within the network

Overall, getting to know Snort is a worthwhile exercise. Even if you end up working with a different IPS or plump for a SIEM instead, trialing the Snort system offers a good education in how network security packages work.

Alternatives to Snort

Although Snort is an industry leader in intrusion detection and one of the few products that genuinely perform network intrusion detection, it is always a good idea to examine several alternative systems before plumping for any type of software.

What should you look for in an alternative to Snort?   

We reviewed the market for network intrusion prevention systems like Snort and assessed the options based on the following criteria:

  • An easy-to-use interface that allows for detection customization
  • The opportunity to see and store network traffic
  • An expandable rules base that also allows for customization
  • A service that can orchestrate remediation actions with other security tools
  • A service that is well supported and frequently updated to close exploits
  • A free tool or a free trial for a no-cost assessment
  • A paid tool that provides value for money or a free tool that is worth installing

We have compiled a list of some excellent intrusion prevention systems that compete well with Snort with these selection criteria in mind.

Here is our list of the six best alternatives to Snort: 

  1. Invicti (GET FREE DEMO) If you don’t want to go the IDS/SIEM route for your system security strategy, you could try a vulnerability manager instead. This is a different approach to system protection. Rather than looking for malicious activity on your system, Invicti looks for exploits that would let hackers in. It doesn’t operate on network weaknesses but focuses on Web application security instead. It is possible to implement both an IDS and a vulnerability manager for total protection. This system is a paid tool available as a SaaS package or for installation on Windows and Windows Server. See how Invicti works by accessing a demo system.
  2. Acunetix (GET FREE DEMO) This is also a vulnerability manager rather than an IDS. Acunetix is a little closer to Snort than Invicti because it implements network vulnerability scanning and provides Web application security. Acunetix is a paid tool, and it is available as a hosted SaaS packages or for installation on Windows, macOS, or Linux. Take a look at Acunetix by accessing a demo system.
  3. Suricata This is a very close competitor to Snort. It is an open-source, free intrusion prevention system with a sophisticated interface with all the look and feel of a costly paid tool. Added HTTPS and TLS management facilities mean that this is also an excellent protection system for Web servers. This system was developed and is managed by the Open Information Security Foundation (OISF). It is so close to Snort that any tool designed to interface to Snort will automatically work with Suricata. This system is available for Windows, Linux, macOS, and FreeBSD.
  4. Zeek Formerly known as Bro, this free, open-source project is older than Snort by four years but is well maintained and regularly updated. This is an excellent network security monitor that can operate as a packet sniffer. It works with HTTP, SNMP, FTP, and DNS traffic to look for anomalies. Its detection and prevention capabilities are driven by customizable and shareable policy scripts, which are similar to the rulesets of Snort. Available for Linux, macOS, and FreeBSD.
  5. OSSEC The Open Source HIDS Security system will give you a host-based alternative to Snort’s network security monitoring approach. This highly respected free HIDS launched in 2008. Trend Micro sponsors it. OSSEC collects log data and processes those records looking for indicators of attack that are defied by a database of signatures. The tool can coordinate with firewalls and access rights managers to shut down suspicious activity. Available for Windows, Linux, macOS, FreeBSD, and Solaris.
  6. Prelude OSS This is a security package available in a free, community edition as an alternative to the paid version, Prelude SIEM. The Prelude service is compatible with Snort, OSSEC, and other open-source IDSs, so it is possible to construct a hybrid security service with this tool and others working in concert. This service has three modules: Alert, which is an SEM, watching live events; archive, which is a SIM and scours log files; and Analyze, which ties the other two modules together. Available for Linux.