In packet logger mode, every packet, along with its headers, is written to disk in the directory from which the Snort program is run. Intrusion detection mode differs from the other two modes: rather than recording packets, Snort evaluates them against rules that are defined and applied by the intrusion detection administrators. In inline mode, it works as an IPS and has the ability to block attacks.

The Snort application basically consists of four main components: the packet capture engine, the preprocessor plug-ins, the detection engine, and the output engine. These components run sequentially; each one performs its own task and passes its result to the next. First, inbound and outbound packets are picked up by the packet capture engine, which uses a particular library called pcap (or libpcap) that enables it to receive the datagrams taken from the NIC, before passing them to the next component, the preprocessor plug-ins, for further analysis. Then, packets are decoded to delineate the packet structure of each protocol layer. The detection engine compares each packet, based on that structure, with the rule options defined in Snort. The detection engine tests each evaluation until all rules have been processed and an intrusion can be detected. Alerts and other kinds of reports are presented to the administrators by the output engine.
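The four-stage pipeline described above (capture, decode, detect, output), modelled as a small added example that is not Snort's own code: the frames, rule set, SIDs and alert format are constructed for illustration, and a real deployment would receive frames from libpcap rather than building them by hand.

```python
"""Toy model of Snort's capture -> decode -> detection -> output pipeline (constructed, not Snort code)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

# Stage 1 (capture): constructed Ethernet/IPv4/TCP frames standing in for what libpcap hands over from the NIC.
def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    eth = b"\x00" * 12 + b"\x08\x00"                                   # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")), bytes(int(o) for o in dst_ip.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)  # 20-byte header, PSH+ACK
    return eth + ip + tcp + payload

# Stage 2 (preprocess/decode): delineate each protocol layer so later stages can address its fields.
@dataclass
class Decoded:
    src: str; dst: str; sport: int; dport: int; payload: bytes

def decode(frame: bytes) -> Optional[Decoded]:
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:   # IPv4 over Ethernet, TCP only
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    return Decoded(src, dst, sport, dport, frame[14 + ihl + doff:14 + total_len])

# Stage 3 (detection): a rule is a header constraint (destination port) plus a content option.
@dataclass
class Rule:
    sid: int; msg: str; dport: Optional[int]; content: bytes

def detect(pkt: Decoded, rules: List[Rule]) -> List[Rule]:
    return [r for r in rules if (r.dport is None or r.dport == pkt.dport) and r.content in pkt.payload]

# Stage 4 (output): render each match as an alert line for the administrator.
def alert_line(pkt: Decoded, rule: Rule) -> str:
    return f"[**] [1:{rule.sid}] {rule.msg} [**] {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"

def run_pipeline(frames: List[bytes], rules: List[Rule]) -> List[str]:
    alerts = []
    for frame in frames:
        pkt = decode(frame)
        if pkt is None:                  # non-IPv4/TCP frames are dropped by the decoder
            continue
        alerts.extend(alert_line(pkt, r) for r in detect(pkt, rules))   # every rule is tested, not just the first hit
    return alerts

RULES = [Rule(1000001, "Constructed: directory traversal in HTTP request", 80, b"../.."),
         Rule(1000002, "Constructed: cleartext telnet login prompt", 23, b"login:")]
FRAMES = [build_frame("10.0.0.5", "192.168.1.10", 51000, 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
          build_frame("10.0.0.5", "192.168.1.10", 51001, 80, b"GET /index.html HTTP/1.1\r\n")]

if __name__ == "__main__":
    for line in run_pipeline(FRAMES, RULES):
        print(line)
```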
IPS-based Snort is capable of responding automatically. It is developed to have intrusion prevention capability: it can be installed with the inline mode option, so that Snort is built to have a communication interface with the firewall (or IPTABLES in this case).