Chapter 13 – Advanced Snort

Publisher Summary This chapter provides an overview of the more advanced features of Snort and the ways they can be used to provide an even greater degree of information security. With proper, knowledgeable configuration, Snort can increase the effective security of an organization while saving a great deal of money. Snort can also detect unusual traffic, such as odd IP-based protocols, which is helpful against infrastructure-level attacks such as those on routers and high-end switches. Another use is policy-based detection, for example raising an alarm when a Web server starts generating traffic other than Web traffic, or capturing advanced Trojan traffic such as that of the 55808 Trojan. Snort-Inline, through its mangling of packets, can be used to stop attacks from occurring rather than merely reporting them. Snort can also help an IDS team support law enforcement investigations: keywords from the Snort rule language, such as “logto” to keep investigation traffic and alarms separate from normal day-to-day alarms, or “session” to display the contents of Web traffic or of an investigation suspect's traffic, are useful here.
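As an added example (not code from the chapter or the Snort project), the following Snort 2.x rules fragment shows the techniques the summary names: an ip_proto rule for odd IP-based protocols, a policy rule for a Web server that starts initiating connections, a window-size rule for 55808 Trojan probes, the same match as a Snort-Inline drop rule, and investigation rules using logto and session. The network variables, addresses (RFC 5737 space), SIDs and log file names are placeholders chosen for this example.

```snort
# Added example, not code from the chapter. Snort 2.x rules in the style of a
# local.rules file. Assumptions: HOME_NET, EXTERNAL_NET, WEB_SERVERS and
# SUSPECT_HOST are placeholder values; SIDs in the local 1000000+ range and
# the log file names are made up for this example.

var HOME_NET      192.0.2.0/24
var EXTERNAL_NET  !$HOME_NET
var WEB_SERVERS   192.0.2.80
var SUSPECT_HOST  192.0.2.10

# 1. Unusual IP-based protocols aimed at infrastructure. ip_proto matches one
#    protocol number (or name) with an optional !, < or > operator; anything
#    above UDP (17) is rare on most networks, so this is a cheap first net.
#    Protocols 2-5 (IGMP, GGP, IP-in-IP, ST) are not covered by this rule;
#    add an ip_proto:N rule for each one you want to see.
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"POLICY uncommon IP protocol (>17) inbound"; ip_proto:>17; sid:1000001; rev:1;)

# 2. Policy-based detection: a Web server should answer connections, not open
#    them. A packet with only the SYN flag set leaving $WEB_SERVERS means the
#    server is initiating a TCP connection, which is not Web-server behaviour.
alert tcp $WEB_SERVERS any -> $EXTERNAL_NET any (msg:"POLICY Web server initiating outbound TCP connection"; flags:S; sid:1000002; rev:1;)

# 3. 55808 Trojan traffic: its probes are TCP SYNs carrying a window size of
#    55808, so the window keyword identifies them regardless of port.
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR 55808 Trojan probe (TCP window 55808)"; flags:S; window:55808; sid:1000003; rev:1;)

# 4. Snort-Inline: the same match with the drop action discards the packet
#    instead of only alerting. drop is only meaningful when Snort runs inline;
#    in passive sniffing mode Snort cannot discard anything.
drop tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"BACKDOOR 55808 Trojan probe dropped inline"; flags:S; window:55808; sid:1000004; rev:1;)

# 5. Investigation support: logto writes matches for this rule to its own file
#    under the Snort log directory, so they never mix with day-to-day alarms,
#    and session:printable records the printable payload of the conversation
#    so an investigator can read what the suspect host sent and received.
alert tcp $SUSPECT_HOST any <> any any (msg:"INVESTIGATION suspect host traffic"; logto:"investigation-suspect.log"; session:printable; sid:1000005; rev:1;)

# 6. The same keywords on Web traffic: keep the readable content of sessions
#    to the Web server in a separate file.
alert tcp any any -> $WEB_SERVERS 80 (msg:"INVESTIGATION Web session capture"; flow:to_server,established; logto:"investigation-web.log"; session:printable; sid:1000006; rev:1;)
```

Two caveats a practitioner should keep in mind when using this pattern: the session keyword is expensive and should be confined to a handful of targeted rules rather than applied broadly, and logto is not supported in Snort's binary (-b) logging mode, so investigation rules need a text or pcap logging configuration. For the 55808 rules, remember that the Trojan's probes carry spoofed source addresses, so the drop rule discards the probe itself; blocking or contacting the apparent source would target an uninvolved host.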