Snort

Snort is a free, open-source program written by Martin Roesch in 1998. It has many uses, but it is best known for its network IDS and IPS capabilities. The program is built on libpcap and is released under the GNU GPL version 2.0 license. Snort runs on both Windows and Linux.

Snort was originally maintained by Sourcefire, the company that Roesch founded. Sourcefire was acquired by Cisco in 2013, so the program is now distributed by Cisco. The program itself remains free; however, the latest rule sets are available immediately only with a subscription, which costs $499 per year.

Snort can perform real-time analysis of traffic, including protocol analysis and content searching, and it can also read capture files. It detects many types of attacks, such as denial of service, worms, buffer overflows, stealth port scans and operating system fingerprinting. When it detects such an attack, it can log alerts to syslog.

There are three main modes that Snort runs in:
  1. sniffer - packets are displayed on screen
  2. logger - packets are written to disk
  3. IDS - packets are compared against rule sets

The rules are written to detect known vulnerabilities and attacks. You can get access to the official rule sets by registering, which costs nothing. New rule sets are provided first to users with subscriptions; the same rules are released to the public for free 30 days later.
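To show what IDS mode actually does with a rule set, here is an added example (not Snort's own code) that parses two rules in Snort's rule syntax and compares constructed packets against them, reporting the sid and msg of each rule that fires. It is a simplified model: it assumes rules with an options section, and it does not handle CIDR ranges, port ranges, negation or variables such as $HOME_NET.

```python
import re
from collections import namedtuple

# Rule header: action proto src_ip src_port -> dst_ip dst_port, then (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)"
    r"\s+->\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)$"
)

# Constructed stand-in for one captured packet (not a real pcap structure)
Packet = namedtuple("Packet", "proto src sport dst dport payload", defaults=(b"",))

def parse_rule(text):
    """Split one Snort rule into its header fields and an options dict."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("not a Snort rule: " + text)
    rule = m.groupdict()
    opts = {}
    for opt in filter(None, (o.strip() for o in rule.pop("opts").split(";"))):
        key, _, val = opt.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    rule["opts"] = opts
    return rule

def matches(rule, pkt):
    """IDS-mode check: protocol and header fields first, then content vs payload."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    want = (rule["src"], rule["sport"], rule["dst"], rule["dport"])
    have = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
    if not all(w == "any" or w == str(h) for w, h in zip(want, have)):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload

def run_ids(rules, packets):
    """Return (sid, msg) for each alert rule a packet triggers, as Snort would log."""
    return [(r["opts"]["sid"], r["opts"]["msg"])
            for p in packets for r in rules if r["action"] == "alert" and matches(r, p)]

RULES = [parse_rule(r) for r in (  # constructed sample rules
    'alert tcp any any -> any 80 (msg:"cgi-bin request"; content:"/cgi-bin/"; sid:1000001; rev:1;)',
    'alert icmp any any -> any any (msg:"ICMP packet"; sid:1000002; rev:1;)',
)]
PACKETS = [  # constructed sample traffic, not a real capture
    Packet("tcp", "10.0.0.5", 51234, "192.0.2.10", 80, b"GET /cgi-bin/test.cgi HTTP/1.0"),
    Packet("tcp", "10.0.0.5", 51235, "192.0.2.10", 80, b"GET /index.html HTTP/1.0"),
    Packet("icmp", "10.0.0.6", 0, "192.0.2.10", 0),
]
```

Running `run_ids(RULES, PACKETS)` fires the first rule only for the packet whose payload contains "/cgi-bin/" and the second for the ICMP packet; the plain HTTP request matches no rule.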

Snort boasts 4M+ downloads and 500k+ registered users, and it claims to be the most widely deployed IDS out there. Some say it beats the pants off proprietary IDS solutions. Other programs interface with Snort, such as BASE, a free web interface for viewing Snort alerts.