Unit 6: Snort 6.1 Snort Snort Placement and Modes

mac2022-06-30  23

>> An IDS can be connected to a switch through port mirroring, also known as SPAN, Switched Port Analyzer. This will allow the IDS to see all network traffic, including internal data flowing between company servers, as well as internet traffic. Alternatively, the IDS can be connected to a network tap right behind the firewall and right in front of the switch. In this topology, all incoming and outgoing traffic can be seen by the IDS. Span ports can get overloaded and packets will be dropped before reaching the IDS. Frames with errors will be lost too. Using a tap instead of a span port guarantees that every packet will be seen, regardless of bandwidth, errors, or anything else.

There are three main modes, or ways, that Snort can be configured: sniffer, packet logging, and NIDS, Network Intrusion Detection System. In Sniffer mode, Snort will read network packets and display them on the console. In packet logger mode, Snort will collect every packet it sees, and log them to disk. In NIDS, Network Intrusion Detection System mode, Snort monitors network traffic and analyzes the traffic against a user-defined ruleset. Snort will then perform specific actions based on what has been identified. In this mode, Snort logs and generates alerts for packets matching certain rules. In other words, predefined attack signatures. Common rules or signatures are obtained from the installation files themselves, but rules are modified and added regularly to multiple repositories.

Alerts can be categorized into different priorities, and different actions can be taken, including ignoring a packet, logging a packet, generating an alert, activating another action after generating an alert, or taking a user-defined action, like sending messages to syslog, sending SNMP traps, logging data as XML files, or combining multiple actions at the same time! Furthermore, if Snort is running as an IPS, in inline mode, packets can be dropped.
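The rule actions described above, written out as a Snort 2.x rules file. This is an added example, not part of the original transcript; the addresses, messages, sids and the `redalert` rule type name are constructed for illustration.

```snort
# local.rules: constructed example for Snort 2.x in NIDS mode.
# Mode command lines, as given in the Snort 2.x manual:
#   sniffer:        snort -v
#   packet logger:  snort -dev -l ./log
#   NIDS:           snort -dev -l ./log -h 192.168.1.0/24 -c snort.conf
# 192.168.1.0/24 (internal network) and 192.168.1.10 (monitoring host)
# are assumed addresses; sids use the local range (>= 1000000).

# User-defined action: alert to syslog and also keep a pcap of the packets.
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: redalert.log
}

# pass: ignore pings sent by the monitoring host.
pass icmp 192.168.1.10 any -> 192.168.1.0/24 any (sid:1000001; rev:1;)

# log: record other inbound ICMP without raising an alert.
log icmp any any -> 192.168.1.0/24 any (msg:"Inbound ICMP"; sid:1000002; rev:1;)

# alert: log the packet and raise an alert, with an explicit priority.
alert tcp any any -> 192.168.1.0/24 23 (msg:"Telnet connection to internal host"; flags:S; priority:2; sid:1000003; rev:1;)

# activate/dynamic: alert, then record the next 50 packets to the same port.
activate tcp any any -> 192.168.1.0/24 21 (msg:"FTP root login attempt"; content:"USER root"; nocase; activates:1; priority:1; sid:1000004; rev:1;)
dynamic tcp any any -> 192.168.1.0/24 21 (activated_by:1; count:50; sid:1000005; rev:1;)

# User-defined action declared above: syslog alert plus tcpdump log.
redalert tcp any any -> 192.168.1.0/24 3389 (msg:"RDP connection to internal host"; flags:S; sid:1000006; rev:1;)

# drop: blocks the packet only when Snort is running inline as an IPS.
drop tcp any any -> 192.168.1.0/24 23 (msg:"Telnet blocked inline"; flags:S; sid:1000007; rev:1;)
```

The Snort 2.x manual notes that activate/dynamic rules are being phased out in favor of tagging and flowbits.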

Reposted from: https://www.cnblogs.com/sec875/articles/10028733.html
