Skip to content Skip to navigation Skip to footer

What Is SNORT?

SNORT Definition

SNORT is a powerful open-source intrusion detection system (IDS) and intrusion prevention system (IPS) that provides real-time network traffic analysis and data packet logging. SNORT uses a rule-based language that combines anomaly, protocol, and signature inspection methods to detect potentially malicious activity. 

Using SNORT, network admins can spot denial-of-service (DoS) attacks and distributed DoS (DDoS) attacks, Common Gateway Interface (CGI) attacks, buffer overflows, and stealth port scans. SNORT creates a series of rules that define malicious network activity, identify malicious packets, and send alerts to users. 

SNORT is a free-to-use open-source piece of software that can be deployed by individuals and organizations. The SNORT rule language determines which network traffic should be collected and what should happen when it detects malicious packets. This snorting meaning can be used in the same way as sniffers and network intrusion detection systems to discover malicious packets or as a full network IPS solution that monitors network activity and detects and blocks potential attack vectors.

What Are the Features of SNORT?

There are various features that make SNORT useful for network admins to monitor their systems and detect malicious activity. These include:

Real-time Traffic Monitor

SNORT can be used to monitor the traffic that goes in and out of a network. It will monitor traffic in real time and issue alerts to users when it discovers potentially malicious packets or threats on Internet Protocol (IP) networks.

Packet Logging

SNORT enables packet logging through its packet logger mode, which means it logs packets to the disk. In this mode, SNORT collects every packet and logs it in a hierarchical directory based on the host network’s IP address

Analysis of Protocol

SNORT can perform protocol analysis, which is a network sniffing process that captures data in protocol layers for additional analysis. This enables the network admin to further examine potentially malicious data packets, which is crucial in, for example, Transmission Control Protocol/IP (TCP/IP) stack protocol specification.

Content Matching

SNORT collates rules by the protocol, such as IP and TCP, then by ports, and then by those with content and those without. Rules that do have content use a multi-pattern matcher that increases performance, especially when it comes to protocols like the Hypertext Transfer Protocol (HTTP). Rules that do not have content are always evaluated, which negatively affects performance.

OS Fingerprinting

Operating system (OS) fingerprinting uses the concept that all platforms have a unique TCP/IP stack. Through this process, SNORT can be used to determine the OS platform being used by a system that accesses a network.

Can Be Installed in Any Network Environment

SNORT can be deployed on all operating systems, including Linux and Windows, and as part of all network environments.

Open Source

As a piece of open-source software, SNORT is free and available for anyone who wants to use an IDS or IPS to monitor and protect their network. 

Rules Are Easy to Implement

SNORT rules are easy to implement and get network monitoring and protection up and running. Its rule language is also very flexible, and creating new rules is pretty simple, enabling network admins to differentiate regular internet activity from anomalous or malicious activity.

What Are the Different SNORT Modes?

There are three different modes that SNORT can be run in, which will be dependent on the flags used in the SNORT command.

Packet Sniffer

SNORT’s packet sniffer mode means the software will read IP packets then display them to the user on its console.

Packet Logger

In packet logger mode, SNORT will log all IP packets that visit the network. The network admin can then see who has visited their network and gain insight into the OS and protocols they were using.

NIPDS (Network Intrusion and Prevention Detection System)

In NIPDS mode, SNORT will only log packets that are considered malicious. It does this using the preset characteristics of malicious packets, which are defined in its rules. The action that SNORT takes is also defined in the rules the network admin sets out.

What Are the Uses of SNORT Rules?

The rules defined in SNORT enable the software to carry out a range of actions, which include:

Perform Packet Sniffing

SNORT can be used to carry out packet sniffing, which collects all data that transmits in and out of a network. Collecting the individual packets that go to and from devices on the network enables detailed inspection of how traffic is being transmitted.

Debug Network Traffic

Once it has logged traffic, SNORT can be used to debug malicious packets and any configuration issues.

Generate Alerts

SNORT generates alerts to users as defined in the rule actions created in its configuration file. To receive alerts, SNORT rules need to contain conditions that define when a packet should be considered unusual or malicious, the risks of vulnerabilities being exploited, and may violate the organization’s security policy or pose a threat to the network.

Create New Rules

SNORT enables users to easily create new rules within the software. This allows network admins to change how they want SNORT conversion to work for them and the processes it should carry out. For example, they can create new rules that tell SNORT to prevent backdoor attacks, search for specific content in packets, show network data, specify which network to monitor, and print alerts in the console.

Differentiate Between Normal Internet Activities and Malicious Activities

Using SNORT rules enables network admins to easily differentiate between regular, expected internet activity and anything that is out of the norm. SNORT analyzes network activity in real time to sniff out malicious activity, then generates alerts to users.

How Fortinet Can Help

Organizations can import SNORT rules to their network with the FortiGuard IPS service. Importing SNORT rules with Fortinet can be achieved through custom IPS signatures and the FortiConverter tool.