Preprocessors and Output Modules

Preprocessors in Snort prepare network data for analysis by cleaning it up, understanding different protocols, and identifying potential threats. Output modules report and store Snort's findings, allowing for alerts to be saved or sent to other systems. An Intrusion Prevention System (IPS) actively monitors and protects networks from threats by detecting and blocking malicious activity in real-time.

Uploaded by sachinpyara7

Preprocessors

Preprocessors are the "helpers" of Snort. They sit between the packet decoder and the rule
engine and get the traffic into the shape the rules expect, much like preparing the ingredients
before cooking a meal. In Snort 2.x each one is enabled with a preprocessor line in snort.conf,
and a preprocessor can raise alerts of its own (under its own generator ID) as well as feeding
the rules. Here's what they do:

1. Cleaning Up Data: They reassemble traffic that arrives in pieces. frag3 puts IP fragments
back together and stream5 reorders and joins TCP segments, so a rule sees the whole message
instead of one packet at a time. Without this, an attacker can split a malicious string across
two packets and no single packet will match.
2. Understanding Different Protocols: They decode application protocols such as web traffic
(HTTP), email traffic (SMTP), FTP/Telnet and DNS and normalize their fields, for example
percent-decoding a URI, so a rule matches the request the way the server will interpret it
rather than the raw bytes the attacker chose to send.
3. Looking for Bad Stuff: Some preprocessors detect behaviour that a content rule cannot
express, such as port scans (sfportscan) or ARP spoofing (arpspoof), and alert on it directly,
before the rules run.

Example Preprocessors:

- frag3: Reassembles fragmented IP datagrams before anything else looks at them.
- stream5: Tracks TCP (and UDP) sessions and reassembles TCP streams, so rules can match on
the reassembled payload and on flow state (for example flow:established,to_server).
- http_inspect: Parses and normalizes HTTP requests and responses, decoding URI encodings and
collapsing directory traversal, so web-based attacks and their encoded variants are spotted.
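As an added example, not part of this page and not Snort's own code, here is a small Python simulation of the two jobs just described and of the evasions they close: a stream5-style TCP reassembler and an http_inspect-style URI normalizer, each compared against a matcher that only sees raw bytes one packet at a time. The TCP segments and HTTP requests are constructed samples, the content /etc/passwd stands in for a hypothetical rule, and the reassembly and normalization are simplified stand-ins for the real preprocessors (real http_inspect handles many more encodings and alerts on the double encoding itself).

```python
"""Why Snort needs preprocessors: a toy TCP reassembler and HTTP URI normalizer.

Added example (not Snort's own code). It mimics stream5-style reassembly and
http_inspect-style normalization and shows the evasions a per-packet,
raw-bytes matcher misses. All segments and requests are constructed samples.
"""
import posixpath
from urllib.parse import unquote

SIGNATURE = b"/etc/passwd"  # content a hypothetical rule looks for


def naive_match(payloads, needle=SIGNATURE):
    """Per-packet matching: each segment is searched in isolation."""
    return any(needle in p for p in payloads)


def reassemble_tcp(segments):
    """Toy stream5-style reassembly.

    segments: list of (tcp_sequence_number, payload_bytes) in arrival order.
    Bytes are placed by sequence number, so out-of-order segments are put
    back in order and overlapping retransmissions are resolved "first wins",
    which is what stream5 'policy first' does. Gaps are filled with NUL bytes.
    """
    stream = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            stream.setdefault(seq + i, byte)
    if not stream:
        return b""
    first, last = min(stream), max(stream)
    return bytes(stream.get(off, 0) for off in range(first, last + 1))


def normalize_uri(raw, max_decode_passes=2):
    """Toy http_inspect-style URI normalization.

    Percent-decodes up to twice (so %252e -> %2e -> '.'), then collapses
    '.' and '..' path segments the way a web server resolves them.
    """
    uri = raw
    for _ in range(max_decode_passes):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return posixpath.normpath(uri)


def extract_uri(stream):
    """Request-target from the HTTP request line: 'GET <uri> HTTP/1.1'."""
    request_line = stream.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    return parts[1] if len(parts) >= 2 else ""


def inspect(segments, needle=SIGNATURE):
    """The three views a detection engine could take of the same request."""
    stream = reassemble_tcp(segments)
    uri = normalize_uri(extract_uri(stream))
    return {
        "naive_packet_match": naive_match([p for _, p in segments], needle),
        "reassembled_match": needle in stream,
        "normalized_uri": uri,
        "normalized_match": needle.decode() in uri,
    }


# Constructed sample 1: the signature is split across two TCP segments that
# also arrive out of order.
SPLIT_REQUEST = [
    (1025, b"sswd HTTP/1.1\r\nHost: victim\r\n\r\n"),
    (1000, b"GET /cgi-bin/../../etc/pa"),
]

# Constructed sample 2: a single segment, but the traversal is double-encoded
# and the file name partly percent-encoded, so the raw bytes never contain
# the signature.
ENCODED_REQUEST = [
    (2000, b"GET /cgi-bin/%252e%252e/%2e%2e/etc/pass%77d HTTP/1.1\r\n"
           b"Host: victim\r\n\r\n"),
]

if __name__ == "__main__":
    for name, req in (("split", SPLIT_REQUEST), ("encoded", ENCODED_REQUEST)):
        print(name, inspect(req))
```

For the split request only the reassembled view matches; for the encoded request only the normalized view does, which is exactly the gap a rule engine without preprocessors leaves open.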

Output Modules

Output modules are the "reporters" of Snort. They decide how and where Snort's alerts and logged
packets are recorded or sent, like sending out a report card after grading a test. Several can be
active at the same time. Here's what they do:

1. Storing Alerts: They write alerts, and the packets that triggered them, to files so you can
check them later. Text formats (alert_fast, alert_full) and pcap (log_tcpdump) are readable
directly; the binary unified2 format is cheaper for Snort to write but needs a separate tool to
read.
2. Sending Alerts: They can send alerts to other systems that collect logs or notify you about
issues in real time, for example a syslog server or a SIEM.

Example Output Modules:

- unified2: Writes events and packets in a binary, big-endian record format to files named
<filename>.<unix timestamp>. Snort only appends records; a consumer such as Barnyard2 or
u2spewfoo reads them later for detailed analysis or loading into a database, which keeps the
slow work off the capture path.
- alert_syslog: Sends one line per alert to syslog, locally or to a central server where logs
are collected.

How to Set Them Up

In Snort's configuration file (snort.conf for Snort 2.x; Snort 3 moved to a Lua file, snort.lua),
you tell Snort which preprocessors to use and how to use them. You also tell it where to send or
save the alerts and logs. Order matters: http_inspect_server needs the global http_inspect line
before it, and HTTP inspection depends on stream5 having reassembled the TCP stream first.
Simple Configuration Example:

For preprocessors:

preprocessor http_inspect: global iis_unicode_map unicode.map 1252
preprocessor http_inspect_server: server default profile all ports { 80 8080 }

This means "Treat traffic on ports 80 and 8080 as HTTP and normalize it with the 'all' profile
before the rules see it." Port 443 would be a poor choice here: it carries TLS, and http_inspect
can only parse HTTP it can read in cleartext.

For output modules:

output unified2: filename snort.log, limit 128

This means "Write alerts and packets in unified2 format to files named snort.log.<timestamp>
in the log directory, starting a new file every 128 MB." The file is binary, so read it with
Barnyard2 or u2spewfoo rather than a text editor; an alert_syslog line is added the same way if
you also want alerts on a syslog server.
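The unified2 module listed above and the snort.log example here both come down to one simple binary record layout. The following Python, added as an example and not taken from Snort or Barnyard2, builds a constructed IDS event record and the packet record that goes with it, then parses the bytes back the way a log consumer would, including the truncated tail you see while Snort is still writing. The sensor ID, addresses and rule sid 1000001 are made-up sample values, and only the IPv4 event and packet record types are decoded.

```python
"""Reading Snort unified2 output with the Python standard library only.

Added example (not Snort's or Barnyard2's code). unified2 is a binary,
big-endian record stream: a header (type, length) followed by a fixed
struct per record type. Sample data below is constructed, not captured.
"""
import socket
import struct

# Record types from Snort's Unified2_common.h
UNIFIED2_PACKET = 2
UNIFIED2_IDS_EVENT = 7  # IPv4 event, no VLAN/MPLS (Unified2IDSEvent_legacy)

RECORD_HDR = struct.Struct("!II")        # type, length of the body
IDS_EVENT = struct.Struct("!11I2H4B")    # 52-byte event body
IDS_EVENT_FIELDS = (
    "sensor_id", "event_id", "event_second", "event_microsecond",
    "signature_id", "generator_id", "signature_revision",
    "classification_id", "priority_id", "ip_source", "ip_destination",
    "sport_itype", "dport_icode", "protocol", "impact_flag", "impact", "blocked",
)
PACKET_HDR = struct.Struct("!7I")        # 28-byte header, then raw packet
PACKET_FIELDS = ("sensor_id", "event_id", "event_second", "packet_second",
                 "packet_microsecond", "linktype", "packet_length")


def ip_to_u32(dotted):
    return struct.unpack("!I", socket.inet_aton(dotted))[0]


def u32_to_ip(value):
    return socket.inet_ntoa(struct.pack("!I", value))


def encode_record(rec_type, body):
    return RECORD_HDR.pack(rec_type, len(body)) + body


def encode_ids_event(**fields):
    body = IDS_EVENT.pack(*(fields[f] for f in IDS_EVENT_FIELDS))
    return encode_record(UNIFIED2_IDS_EVENT, body)


def encode_packet(sensor_id, event_id, event_second, packet_second,
                  packet_microsecond, linktype, packet):
    hdr = PACKET_HDR.pack(sensor_id, event_id, event_second, packet_second,
                          packet_microsecond, linktype, len(packet))
    return encode_record(UNIFIED2_PACKET, hdr + packet)


def read_unified2(data):
    """Yield (record_type, fields) for each complete record in data.

    A header or body running past the end of data is left unread: Snort
    appends records as they happen, so a reader tailing the file retries
    once more bytes arrive instead of treating the partial record as corrupt.
    """
    off = 0
    while off + RECORD_HDR.size <= len(data):
        rec_type, length = RECORD_HDR.unpack_from(data, off)
        if off + RECORD_HDR.size + length > len(data):
            break  # partial record at the tail
        off += RECORD_HDR.size
        body = data[off:off + length]
        off += length
        if rec_type == UNIFIED2_IDS_EVENT and length == IDS_EVENT.size:
            ev = dict(zip(IDS_EVENT_FIELDS, IDS_EVENT.unpack(body)))
            ev["ip_source"] = u32_to_ip(ev["ip_source"])
            ev["ip_destination"] = u32_to_ip(ev["ip_destination"])
            yield rec_type, ev
        elif rec_type == UNIFIED2_PACKET and length >= PACKET_HDR.size:
            pk = dict(zip(PACKET_FIELDS, PACKET_HDR.unpack_from(body)))
            pk["packet"] = body[PACKET_HDR.size:PACKET_HDR.size + pk["packet_length"]]
            yield rec_type, pk
        else:
            # IPv6/VLAN events (72, 104, 105) and extra data (110) also exist;
            # a full consumer decodes them, here they are passed through raw.
            yield rec_type, {"raw": body}


def format_alerts(data):
    """One line per event, in the style of Snort's alert_fast output."""
    lines = []
    for rec_type, rec in read_unified2(data):
        if rec_type == UNIFIED2_IDS_EVENT:
            lines.append(
                f"[{rec['generator_id']}:{rec['signature_id']}:{rec['signature_revision']}] "
                f"{rec['ip_source']}:{rec['sport_itype']} -> "
                f"{rec['ip_destination']}:{rec['dport_icode']} "
                f"proto={rec['protocol']} prio={rec['priority_id']} blocked={rec['blocked']}")
    return lines


def build_sample():
    """Constructed unified2 bytes: one alert from a hypothetical rule sid 1000001."""
    payload = b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"  # stand-in for a frame
    event = encode_ids_event(
        sensor_id=0, event_id=1, event_second=1700000000, event_microsecond=250,
        signature_id=1000001, generator_id=1, signature_revision=2,
        classification_id=3, priority_id=1,
        ip_source=ip_to_u32("10.0.0.5"), ip_destination=ip_to_u32("192.0.2.10"),
        sport_itype=51234, dport_icode=80, protocol=6,
        impact_flag=0, impact=0, blocked=0)
    packet = encode_packet(0, 1, 1700000000, 1700000000, 250, 1, payload)
    return event + packet


if __name__ == "__main__":
    for line in format_alerts(build_sample()):
        print(line)
```

The event and packet records share sensor_id and event_id, which is how a consumer pairs an alert with the packet that caused it; the blocked field is what an inline (IPS) deployment sets when the packet was dropped.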

So, preprocessors help get the data ready, and output modules handle how the findings are
reported or saved.

What is Intrusion Prevention?

Intrusion Prevention is like having a security guard for your computer network who doesn’t
just watch for bad behavior but actively stops it. Imagine if someone tried to break into your
house and the security system didn't just sound an alarm but also locked the doors to keep them
out. That’s what IPS does for your network.

How Does it Work?

1. Watching the Network: The IPS sits inline on the path the traffic takes, so every packet
passes through it before reaching its destination. It looks for anything suspicious or out of
the ordinary.
2. Detecting Problems: When it spots something that looks like a potential threat (an exploit
attempt, a worm trying to spread, a known-bad signature), it doesn't just let you know about it.
The detection itself uses the same techniques as an IDS: signatures, protocol anomalies and
behavioural rules.
3. Taking Action: The IPS immediately blocks the harmful packet or tears down the malicious
connection (for example by dropping the packet or sending a TCP reset) instead of only logging
it. Snort does this in inline mode, where a rule uses the drop or reject action rather than
alert. The trade-off is that a false positive now blocks legitimate traffic instead of only
producing a noisy alert, so IPS rules need more careful tuning than IDS rules.

Why Use IPS?

1. Prevents Attacks: It stops a recognised attack before it reaches the target. Think of it as a
proactive security control rather than just a reactive one.
2. Limits Damage: By blocking known threats it reduces the exposure of the systems behind it. It
does not make the network secure on its own, and it cannot block what it cannot detect, such as
novel attacks or payloads inside encrypted traffic it cannot decrypt.
3. Automates Response: It handles recognised threats automatically, reducing the need for an
analyst to act on every alert, although the alerts still need review to catch false positives
and tune the rule set.

Types of IPS

1. Network-Based IPS:
o Where: Installed inline at a choke point in your network, such as between the internet
connection and the internal network, so that traffic has to pass through it.
o What It Does: Inspects all the traffic coming into and going out of your network and drops
what matches its rules. It sees packets, not what happens on the host, so it is blind to
encrypted payloads it cannot decrypt.
2. Host-Based IPS:
o Where: Installed directly on individual computers or servers.
o What It Does: Protects a specific device by monitoring its own activity (processes, file
changes, local network connections) and blocking what looks malicious, which still covers the
host when the traffic was encrypted on the wire.

Example

Imagine you have a smart home security system:

 Detects Movement: The system detects unusual movement near your house.
 Alerts You: It sends you an alert that something suspicious is happening.
 Takes Action: It locks the doors and windows to prevent the intruder from getting in.

In this analogy, the smart home security system is like an IPS, detecting and preventing
unauthorized access.

Summary

An Intrusion Prevention System (IPS) is a proactive tool that monitors your network for potential
threats and takes immediate action to block or stop them, much like a high-tech security system
that doesn’t just watch but also acts to keep your network safe.
