old-www/HOWTO/archived/Snort-Statistics-HOWTO/technicaloverview.html

<HTML
><HEAD
><TITLE
>Technical Overview</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.76b+
"><LINK
REL="HOME"
TITLE="Snort-Setup for Statistics HOWTO"
HREF="index.html"><LINK
REL="PREVIOUS"
TITLE="Structure"
HREF="structure.html"><LINK
REL="NEXT"
TITLE="Configuration"
HREF="configuration.html"></HEAD
><BODY
CLASS="SECT1"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="NAVHEADER"
><TABLE
SUMMARY="Header navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TH
COLSPAN="3"
ALIGN="center"
>Snort-Setup for Statistics HOWTO</TH
></TR
><TR
><TD
WIDTH="10%"
ALIGN="left"
VALIGN="bottom"
><A
HREF="structure.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="80%"
ALIGN="center"
VALIGN="bottom"
></TD
><TD
WIDTH="10%"
ALIGN="right"
VALIGN="bottom"
><A
HREF="configuration.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
></TABLE
><HR
ALIGN="LEFT"
WIDTH="100%"></DIV
><DIV
CLASS="SECT1"
><H1
CLASS="SECT1"
><A
NAME="TECHNICALOVERVIEW">3. Technical Overview</H1
><P
>   Snort is mainly a so called Network Intrusion Detection System (NIDS), it is
   Open Source and available for a variaty of unices as well as Microsoft
   Windows (R).
  </P
><P
>   A NIDS cares for a whole network segment in contrast to a host based IDS
   which only cares for the host it is running on.
  </P
><P
>   Since NIDS are mostly used in conjunction with firewalls it is vital to not
   being vulnerable for attacks itself. Therefor all interfaces used with snort
   bound to should be set up without ip addresses. Since this can not be achieved
   in every configuration, e.g. if you want to bind snort on an isdn interface
   ippp0, it should be considered to use a standalone computer for snort and set
   it up as a firewall and router for the dial-up connection too.
  </P
><P
>   For more information on that topic see the
   <A
HREF="http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html"
TARGET="_top"
><EM
>Firewall-HOWTO</EM
></A
> or my
<A
HREF="http://www.lug-burghausen.org/projects/firewall/firewall-masq-diald.html"
TARGET="_top"
><EM
>Firewalling+Masquerading+Diald+dynamic IP-HOWTO</EM
></A
>.
  </P
><P
>   Snort can be used to care for more than one network segment which we will
   discuss later.
  </P
><P
>   Snort also can be used as a sniffer to troubleshoot network problems, but
   that's not a topic in this document.
  </P
><P
>   ACID, the Analysis Console for Intrusion Databases, is part of the AIR-CERT
   project. It makes use of PHPlot, a library for creating nice graphs in PHP,
   and ADODB, an abstraction library for combining PHP and various database
   systems like MySQL and PostgreSQL. The ACID homepage says: 
  </P
><P
>   <EM
>"The Analysis Console for Intrusion Databases (ACID) is a PHP-based
   analysis engine to search and process a database of incidents generated by
   security-related software such as IDSes and firewalls."</EM
>
  </P
><P
>   Max Vision's IDS rules (referred to as <EM
>vision.rules</EM
>
   because this is the name of the downloadable file) are used to complete the
   rules shipped with snort.
  </P
><P
>   arachnids_upd is a small but fine perl script which downloads the actual
   <EM
>vision.rules</EM
> using <EM
>wget</EM
> and optionally deletes
   single rules given in an ASCII file.
  </P
></DIV
><DIV
CLASS="NAVFOOTER"
><HR
ALIGN="LEFT"
WIDTH="100%"><TABLE
SUMMARY="Footer navigation table"
WIDTH="100%"
BORDER="0"
CELLPADDING="0"
CELLSPACING="0"
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
><A
HREF="structure.html"
ACCESSKEY="P"
>Prev</A
></TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
><A
HREF="index.html"
ACCESSKEY="H"
>Home</A
></TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
><A
HREF="configuration.html"
ACCESSKEY="N"
>Next</A
></TD
></TR
><TR
><TD
WIDTH="33%"
ALIGN="left"
VALIGN="top"
>Structure</TD
><TD
WIDTH="34%"
ALIGN="center"
VALIGN="top"
>&nbsp;</TD
><TD
WIDTH="33%"
ALIGN="right"
VALIGN="top"
>Configuration</TD
></TR
></TABLE
></DIV
></BODY
></HTML
>