Snort was originally maintained by Sourcefire, the company that Roesch founded. Sourcefire was acquired by Cisco in 2013, so the program is now distributed by Cisco. The program itself remains free; however, the latest rule sets are available promptly only to those who purchase a subscription, which costs $499 per year.
Snort can perform real-time traffic analysis, protocol analysis and content searching, and it can also read capture files. It detects many types of attack, such as denial of service, worms, buffer overflows, stealth port scans and operating system fingerprinting. When it detects an attack, it can log alerts to syslog.
There are three main modes that Snort runs in:
- sniffer - packets displayed on screen
- logger - packets written to disk
- IDS - packets compared to rule sets
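As an added example, not Snort's own code, the following Python sketch shows what IDS mode does with a rule set: a toy parser for a small subset of the Snort rule language (the header plus the msg, content, sid and rev options) and a matcher that compares constructed packets against the parsed rule. The rule, the packets and the alert line format are constructed approximations for illustration, not real Snort output.

```python
# Added example, not Snort's own code: a toy matcher for a small subset of the
# Snort rule language, showing what IDS mode does when packets are compared to
# rule sets. Only the header and the msg/content/sid/rev options are handled.
import re
from dataclasses import dataclass

@dataclass
class Rule:
    action: str; proto: str; src: str; sport: str; dst: str; dport: str
    msg: str; content: bytes; sid: int; rev: int   # content is a byte-string search

OPTION_RE = re.compile(r'(\w+):"?([^";]*)"?;')  # matches name:"value"; or name:value;

def parse_rule(text: str) -> Rule:
    """Parse 'action proto src sport -> dst dport (options)' into a Rule."""
    header, _, body = text.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only one-way (->) rules are handled here")
    opts = dict(OPTION_RE.findall(body))
    return Rule(action, proto, src, sport, dst, dport, opts.get("msg", ""),
                opts.get("content", "").encode(), int(opts["sid"]), int(opts.get("rev", 1)))

def _field_ok(rule_value: str, pkt_value) -> bool:
    return rule_value == "any" or rule_value == str(pkt_value)

def match(rule: Rule, pkt: dict) -> bool:
    """True when the packet satisfies the header fields and the content search."""
    return (rule.proto == pkt["proto"]
            and _field_ok(rule.src, pkt["src"]) and _field_ok(rule.sport, pkt["sport"])
            and _field_ok(rule.dst, pkt["dst"]) and _field_ok(rule.dport, pkt["dport"])
            and rule.content in pkt["payload"])

def run_ids(rules, packets) -> list:
    """IDS mode: every packet is checked against every rule; hits become alert lines."""
    return [f"[1:{r.sid}:{r.rev}] {r.msg} {p['src']}:{p['sport']} -> {p['dst']}:{p['dport']}"
            for p in packets for r in rules if match(r, p)]

# Constructed sample rule and packets (not captured traffic).
RULES = [parse_rule('alert tcp any any -> any 80 (msg:"WEB-MISC /etc/passwd access"; '
                    'content:"/etc/passwd"; sid:1000001; rev:1;)')]
PACKETS = [
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51234, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\n"},
    {"proto": "tcp", "src": "10.0.0.5", "sport": 51235, "dst": "10.0.0.80", "dport": 80,
     "payload": b"GET /index.html HTTP/1.1\r\n"},
    {"proto": "udp", "src": "10.0.0.5", "sport": 53, "dst": "10.0.0.80", "dport": 80,
     "payload": b"/etc/passwd"},  # matching content but wrong protocol: no alert
]
print(*run_ids(RULES, PACKETS), sep="\n")
```

Only the first packet produces an alert: the second lacks the content string and the third fails the protocol check in the header, which is the same header-then-options order of evaluation a real rule goes through.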
Snort boasts 4M+ downloads and 500k+ registered users and claims to be the most widely deployed IDS out there. Some say it beats the pants off proprietary IDS solutions. Other programs interface with Snort, such as BASE, a free web interface for Snort alerts.