Snort 3: On the trail of the attacker with multithreading

Source: Heise.de added 21st Jan 2021


Besides Suricata, Snort is the best-known open source network intrusion detection / prevention system (NIDS / NIPS). Originally started in 1998 by Martin Roesch as a simple network sniffer, over the years it has developed into the NIDS reference in the open source environment. After seven years of development, the developer team has re-implemented the code in C++ and has now released the long-awaited Snort 3.

Snort is a component of many commercial solutions and also works at the core of Cisco's Firepower IPS products. The network specialist bought Martin Roesch's company Sourcefire in 2013 and then integrated the commercial version into its own products. This long history was also a curse for Snort and as early as 2009 led to the development of Suricata, since Snort's internal architecture was viewed by many developers as backward. While Suricata was already multi-threaded and offered automatic protocol support, Snort lacked these functions. Since 2013 the Snort development team has been working more or less actively on a completely new version, now written in C++ instead of C. The main innovations of Snort version 3.1 are:

  • Packet processing runs in several parallel threads, which share a common configuration and attribute table.
  • PCRE analysis is carried out with the new Hyperscan library from Intel (hyperscan.io), which significantly accelerates detection compared to version 2.
  • Snort now supports Realtime Network Awareness (RNA): it learns by itself which systems and protocols are used in the network, a feature that was previously available only in commercial products.
  • Full plug-in support in Lua.
  • Since Snort can recognize application protocols regardless of the port (RNA), rules can now be written per protocol and are no longer restricted to ports.

However, the rule syntax has also changed slightly. Some of Cisco's commercial products already allow an upgrade to the new Snort 3 core, but they do not yet support all functions.
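The port-independent rule header described above, as an added example that is not from the Heise article or the Snort project: a small Snort 3 Lua configuration with one inline rule that matches on the HTTP service rather than on port 80, the Snort 2 form it replaces shown as a comment, plus the packet-thread and Hyperscan settings from the same list. The file name, rule text, sid and capture name are constructed; port-independent service detection assumes the wizard defined in the snort_defaults.lua that ships with Snort 3.

```lua
-- snort3_example.lua (added example, constructed for illustration;
-- not the snort.lua shipped by the Snort project)
-- Run:  snort -c snort3_example.lua -r traffic.pcap -z 4
--   -z sets the number of packet threads (the multithreading change above);
--   -r reads a capture file instead of a live interface.

include 'snort_defaults.lua'   -- ships with Snort 3; defines default_wizard

-- Flow tracking and the HTTP inspector, as in the stock configuration.
stream       = { }
stream_tcp   = { }
http_inspect = { }

-- The wizard identifies the application protocol from the payload, so a
-- flow is treated as HTTP even when it does not run on port 80.
wizard = default_wizard

-- Use Intel Hyperscan for pattern matching; only takes effect on a build
-- compiled with Hyperscan support, otherwise Snort falls back to its default.
search_engine = { search_method = 'hyperscan' }

-- Print alerts in one-line form to stdout.
alert_fast = { }

-- Inline rules. The header names the service (http), not a port, so the
-- rule also fires for HTTP served on 8080 or any other port the wizard
-- classifies. The equivalent Snort 2 rule is tied to a port and places the
-- buffer modifier after the content it applies to:
--   alert tcp any any -> any 80 (msg:"EXAMPLE admin config requested";
--       content:"/admin/config"; http_uri; sid:1000001; rev:1;)
-- In Snort 3, http_uri is a "sticky buffer" that applies to every content
-- option that follows it, and a rule may span several lines.
ips =
{
    enable_builtin_rules = true,
    rules = [[
alert http any any -> any any (
    msg:"EXAMPLE admin config requested";
    http_uri;
    content:"/admin/config", nocase;
    sid:1000001; rev:1;
)
]],
}
```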

Even in version 3, Snort users must not be afraid of the command line.

Although Snort is one of the most powerful IDS engines, the open source environment still lacks suitable management interfaces with which the product can be used effectively. Security Onion and OPNsense are two of the few products that use Snort and offer a rudimentary management interface.

(avr)

Read the full article at Heise.de

