Free snort software for linux

fwsnort parses the rules files included in the snort intrusion detection system and builds an equivalent iptables ruleset for as many rules as possible.
fwsnort accepts command line arguments to restrict processing to any particular class of snort rules such as "ddos", "backdoor", or "web-attacks". Processing can even be restricted to a specific snort rule as identified by its "snort id" or "sid".
fwsnort utilizes the iptables string match module (together with a custom patch that adds a --hex-string option to the iptables user space code) to detect application level signatures.
fwsnort (optionally) makes use of the IPTables::Parse module (to be submitted to CPAN) to translate snort rules for which matching traffic could potentially be passed through the existing iptables ruleset.
Main features:
- Detection for tcp syn, fin, null, and xmas scans as well as udp scans.
- Detection of many signature rules from the snort intrusion detection system.
- Forensics mode iptables logfile analysis (useful as a forensics tool for extracting scan information from old iptables logfiles).
- Passive operating system fingerprinting via tcp syn packets. Two different fingerprinting strategies are supported; a re-implementation of p0f that strictly uses iptables log messages (requires the --log-tcp-options command line switch), and a TOS-based strategy.
- Email alerts that contain tcp/udp/icmp scan characteristics, reverse dns and whois information, snort rule matches, remote OS guess information, and more.
- Content-based alerts for buffer overflow attacks, suspicious application commands, and other suspect traffic through the use of the iptables string match extension and fwsnort.
- Icmp type and code header field validation.
- Configurable scan thresholds and danger level assignments.
- Iptables ruleset parsing to verify "default drop" policy stance.
- IP/network danger level auto-assignment (can be used to ignore or automatically escalate danger levels for certain networks).
- DShield alerts.
- Auto-blocking of scanning IP addresses via iptables and/or tcpwrappers based on scan danger level. (This is NOT enabled by default.)
- Status mode that displays a summary of current scan information with associated packet counts, iptables chains, and danger levels.
Enhancements:
- This is a major update to add the ability to send packets that match content or uricontent criteria to userspace via the iptables QUEUE or NFQUEUE targets.
- This can be used to speed up snort_inline IPS.
- A fwsnort mailing list was added.
- A bug was fixed to remove any existing jump rules from the built-in INPUT, OUTPUT, and FORWARD chains before creating a new jump rules.
- This allows the fwsnort.sh script to be executed multiple times without creating a new jump rule in the fwsnort chains for each execution.

Snort::Rule is a Perl extension for dynamically building snort rules.

SYNOPSIS

use Snort::Rule;
$rule = Snort::Rule->new(
-action => alert,
-proto => tcp,
-src => any,
-sport => any,
-dir => ->,
-dst => 192.188.1.1,
-dport => 44444,
);

$rule->opts(msg,Test Rule");
$rule->opts(threshold,type limit,track by_src,count 1,seconds 3600);
$rule->opts(sid,500000);

print $rule->string()."n";

OR

$rule = alert tcp $SMTP_SERVERS any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE POLICY SMTP US Top Secret PROPIN"; flow:to_server,established; content:"Subject|3A|"; pcre:"/(TOPsSECRET|TS)//[sw,/-]*PROPIN[sw,/-]*(?=//(25)?X[1-9])/ism"; classtype:policy-violation; sid:2002448; rev:1;);

$rule = Snort::Rule->new(-parse => $rule);
print $rule->string()."n";

This is a very simple snort rule object. It was developed to allow for scripted dynamic rule creation. Ideally you could dynamically take a list of bad hosts and build an array of snort rule objects from that list. Then write that list using the string() method to a snort rules file.

SnortSMS is a highly configurable sensor management system that provides the ability to remotely administer Snort [and Barnyard] based Intrusion Detection Systems (IDS), push configuration files, add/edit rules, and monitor system health and statistics, all from a simple and clean Web interface console.
Whether you have one or multiple Snort sensors, SnortSMS can help unify and syncronize all sensor configurations.
Main features:
- Centralized Sensor Management - Unify all sensors under one common console interface. Create and share global configuration policies throughout your IDS sensors. Remotely start and stop sensors.
- Barnyard Support - Integrated support for Barnyard including auto-generation of sid-msg.map.
- Health Monitoring - Monitor the statistics and health of all your sensors. Our parallel querying engine retrives vital stats from all sensors simustainiously.
- Configuration Verification - Uses MD5 checksums to validate sensor config policies with global configuration settings.
- Rule Importing - Instantly download and import Snort rules and configuration resources into the SnortSMS libraries.
Enhancements:
- This release adds support to handle Dynamic directives.
- There are miscellaneous bugfixes.

SAM is a program to monitor (in real-time) the number of alerts generated by Snort. Having recently set up Snort and ACID I felt like there was something missing.

Snort was great for identifying suspicous traffic and ACID was great for digging in to the details but I needed something that was a little higher overview and able to sounds alarms if certain conditions were met.

For instance if I was attacked 100 times in a 5 minutes period. SAM does not replace Snort or ACID but rather it compliments them.

sensorTrends is a project that generates trending reports based on security device log files.
sensorTrends is a Web-based application that displays a high-level view of the ports that are being scanned over the course of time. The display is similar to the look and feel of incidents.org and Dshield.com.
There are also quick links to correlate your data with the Internet Storm Center (incidents.org).
Supported log formats are:
- Cisco router Access Control Lists (ACLs) syslog output,
- Cisco PIX firewall syslog output,
- Snorts portscan.log files,
- NetScreen syslog output.

Firestorm is an extremely high performance network intrusion detection system (NIDS). At the moment it just a sensor but plans are to include real support for analysis, reporting, remote console and on-the-fly sensor configuration. It is fully pluggable and hence extremely flexible. Firestorm performs a lot better than all other systems I have tested (such as snort and prelude) by as much as a factor of 2 (and thats under favourable conditions, it way outstrips the competition under a targeted DoS attack).
A Network Intrusion Detection System is a system which can identify suspicious patterns in network traffic. If a firewall is a doorman, a NIDS is an undercover KGB agent. He silently gathers intelligence and can watch an enemy even if the door security has already let them in (maybe the enemy can make fake identification documents).
Tested Platforms
Linux 2.x
FreeBSD 4.x
OpenBSD
Solaris
Should compile and run on any mainstream UNIX really...
Main features:
- Protocol anomaly detection
- Full application layer decodes
- Fully pluggable
- High performance OS Specific capture module for Linux
- Capture from libpcap files (normal AND redhat extended)
- Packet decode engine fully supports encapsulation
- Decode plugins included for many protocols (see below)
- Comprehensive snort rule support
- Wu-Manber setwise string matching
- Easy to configure; just one config file
- Can run chroot and with lowered privs (when started as root)
- Can run as a realtime process (when started as root)
- Preprocessors to allow supplementary modes of detection (eg: anomaly)
- Full IP defragmentation (passes fragroute evasion tests)
- TCP stateful inspection with window tracking
- Intelligent TCP stream reassembly
- HTTP URL normalization
- EXTREMELY fast and scalable signature engine
- Configurable token-bucket rate-limiting of any alerts
- GNOME2 based analyst console user interface
- Enhanced logging format for ease of analysis
- ELOG indexing for lightning fast sorting and filtering of alerts

Spoink is an output-plugin for snort that works by blocking access to attackers using OpenBSDs pf api.

All you need is an OpenBSD machine (or pf compatible), and snort (last version works well).

Spoink uses a pf table and a blocking rule to stop "attackers" accessing our system. To protect from false negatives you must have a whitelist full of ips you want save (see section 2).

Spoink program only blocks attacks defined in snort rules so think for a minute what rules you want to use first.