Snort

Snort is an open source network intrusion prevention system and intrusion detection system. Among its features, it can do real-time traffic analysis and packet logging. It can be run in three different modes:

  • Packet sniffing mode: In this mode, Snort simply intercepts traffic on your network in a manner similar to how a program like Wireshark would.
  • Packet logging mode: This mode is useful for network traffic debugging. Packets are logged to a disk.
  • Network intrusion prevention mode: In this mode, Snort monitors network traffic, and analyzes it against a user-defined rule set. The program can perform a specific action based on the rule that has been matched.

Snort provides its own rules which you can use for intrusion detection. You can pay for a subscription or you can obtain the community rules for free. Even if you don't pay for a subscription, if you create an account on Snort.org, you can download the registered user rule packages.

Once you have installed Snort, you can begin configuration by navigating to Services | Snort and clicking on the Global Settings tab. Note that you can enable the download of the rules simply by checking a checkbox. The Enable Snort VRT checkbox, if checked, downloads the free registered user or paid subscriber rules, while checking the Enable Snort GPLv2 checkbox enables downloading of the community rules (which, as mentioned, are free of charge). You can also enable the download of Emerging Threats (ET) rules. The Enable ET Open checkbox, if checked, enables downloading of the open source version of ET rules, while checking Enable ET Pro enables the downloading of ET Pro rules, which requires signing up for an ET Pro account.

If you are using Snort, you may want to use the Open AppID plugin. This plugin enables Snort to detect, monitor, and manage application usage. To use it, you will have to download the Sourcefire Open AppID detectors, which you do by checking the Enable OpenAppID checkbox. Open AppID was introduced in February 2014, and there are already more than 1,500 applications that can be detected by this plugin.

The Rules Update Settings section allows you to control when rules are updated. In order to enable auto-updates, you must choose an option other than NEVER in the Update Interval drop-down box. You may also specify a start time for updates in the Update Start Time edit box. In this section, there is also an option to hide deprecated rules categories in the GUI and remove them from the configuration (the Hide Deprecated Rules Categories checkbox).

The General Settings section contains a few more options. The Remove Blocked Hosts Interval drop-down box allows you to select the amount of time hosts will be blocked. The Remove Blocked Hosts Interval checkbox, if checked, will clear all blocked hosts added by Snort when the package is removed. If you check the Keep Snort Settings after Deinstall checkbox, Snort settings will be retained after package removal. Finally, the Startup/Shutdown Logging checkbox, if checked, will output detailed messages to the system log when Snort is starting and stopping.

Once you have configured these options, you can click on the Updates tab and see what rules have been enabled in your configuration. There is also an Update Your Rule Set section which has two buttons. Update Rules automatically checks and applies any new posted updates for enabled rules packages. The Force Update button, if clicked, will zero out the MD5 hashes, thus forcing a download of the entire rules packages. You can also view the log file on this page by clicking on View Log page, or clear the log by clicking on Clear Log.

Snort is configurable on a per-interface basis; you can configure interfaces by clicking on the Snort Interfaces tab. There, you can click on the Add tab to add a new interface. Once you choose an interface to inspect traffic on (in the Interface drop-down box), you can choose whether to automatically block hosts that generate a Snort alert (the Block Offenders checkbox). You can also choose the pattern matcher algorithm in the Search Method drop-down box. The default algorithm is Aho-Corasick Binary NFA (AC-BNFA), but there are a number of other options, some of which require more resources than others.

The Split ANY-ANY checkbox, if checked, enables the splitting of an ANY-ANY port group. An ANY-ANY rule is a rule which will match any address and any port, for example:

alert tcp any any -> 192.168.1.0/24 53 (msg:"DNS request to LAN subnet"; sid:1000001; rev:1;)

This will generate an alert when a host on any IP address and any port tries to connect to port 53 of any host on the 192.168.1.0 subnet. The default behavior of Snort is to add an ANY-ANY port rule to every non-ANY-ANY port group. This way, only one evaluation needs to be done per packet. But suspending this behavior (not putting an ANY-ANY rule into every other port group) can significantly reduce the memory footprint, at the cost of requiring two group evaluations per packet.
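The port-grouping trade-off described above, as an added Python sketch written for this page (not Snort's own code, which implements the port-group compiler in C), over a few constructed rules with sids in the local range:

```python
import re
from collections import defaultdict
# Constructed sample rules for this demonstration (sids in the local 1000000+ range).
RULES = [
    'alert tcp any any -> 192.168.1.0/24 53 (msg:"dns to lan"; sid:1000001; rev:1;)',
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"http to lan"; sid:1000002; rev:1;)',
    'alert tcp any any -> 192.168.1.0/24 any (msg:"any port tcp"; sid:1000003; rev:1;)',
    'alert udp any any -> any any (msg:"any port udp"; sid:1000004; rev:1;)',
]
# Rule header layout: action proto src sport direction dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$')

def parse_rule(rule):
    """Return proto, source/destination port and sid of one Snort rule."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("malformed rule header: %s" % rule)
    _action, proto, _src, sport, _dir, _dst, dport, opts = m.groups()
    sid = re.search(r'\bsid:\s*(\d+)', opts)
    return {"proto": proto, "sport": sport, "dport": dport,
            "sid": int(sid.group(1)) if sid else None}

def build_port_groups(rules, split_any_any):
    """Bucket rules by (proto, dst port). Split off (the Snort default) copies
    the ANY-ANY port rules into every specific port group; split on keeps them
    only in one separate group per protocol."""
    groups, any_any = defaultdict(list), defaultdict(list)
    for r in map(parse_rule, rules):
        if r["sport"] == "any" and r["dport"] == "any":
            any_any[r["proto"]].append(r["sid"])
        else:
            groups[(r["proto"], r["dport"])].append(r["sid"])
    if not split_any_any:
        for (proto, _port), sids in groups.items():
            sids.extend(any_any.get(proto, []))
    for proto, sids in any_any.items():
        groups[(proto, "any")] = list(sids)  # fallback group for ports with no specific rules
    return dict(groups)

def lookup(groups, proto, dport, split_any_any):
    """Return (candidate sids, number of port-group evaluations) for one packet."""
    specific = groups.get((proto, str(dport)))
    fallback = groups.get((proto, "any"), [])
    if specific is None:
        return fallback, 1
    return (specific + fallback, 2) if split_any_any else (specific, 1)

def table_entries(groups):
    """Total stored rule references: a proxy for the memory footprint."""
    return sum(len(sids) for sids in groups.values())
```

With split off the TCP/53 packet is matched against one group containing both the port-specific and the ANY-ANY rule; with split on it costs two group evaluations but the ANY-ANY rule is stored once instead of in every port group.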

The Choose the Networks Snort Should Inspect and Whitelist section allows you to choose a Home Net and an External Net that will be whitelisted. You can also specify a suppression or filtering list in the Alert Suppression and Filtering drop-down box. Finally, you can specify additional parameters in the Advanced Configuration PassThrough list box.

The Iface Categories tab allows you to select the rulesets Snort will load at startup for this interface. Any rulesets you have downloaded or created should be visible on this page. You can also enable automatic flowbit resolution on this tab (flowbits allow you to track the state of a flow during a TCP session; automatic flowbit resolution automatically converts old rules that do not use the fileidentify.rules category to the new format).

The Iface Rules tab allows you to enable and disable individual rules. You can choose from decoder rules, pre-processor rules, and sensitive data rules. You can also enable and disable any custom rules you have defined. The Iface Variables tab allows you to define the values of certain predefined variables used in rules.

The Alerts tab allows you to view alerts on a per-interface basis. The Interface to Inspect drop-down box allows you to select an interface, and the adjacent edit box allows you to determine how many lines appear. The Auto-refresh view checkbox will result in the page updating automatically as new alerts are generated. You can also download the alert log by clicking on the Download button and clear the log by clicking on the Clear button. The Blocked tab allows you to view hosts that have been blocked by Snort. You can choose the number of blocked hosts that appear on this page (the default is 500), and there is a Refresh checkbox to auto-refresh the page's contents. You can also download the list of blocked hosts by clicking on the Download button.

The Pass Lists tab allows you to generate whitelists, which you can do by clicking on this tab and then clicking on the Add button. To make life easier, there are some sets of IP addresses that can be added to the list just by clicking on a checkbox: namely firewall-connected local networks, WAN gateways, WAN DNS servers, virtual IPs, and VPN addresses. You can also add a configured alias to the list.

The Suppress tab allows you to define suppression lists in a similar manner; to do so, click on the tab and click on the Add button. After entering a name and description for the list, simply add the suppression rules into the appropriate list box. The rules must follow Snort's format for such rules.

The SID (Signature ID) Mgmt tab has a single option. The Enable Automatic SID State Management checkbox enables automatic management of rule state and content using criteria specified in configuration files. If you enable this option, Snort will generate a series of configuration files which will appear in the SID Management Configuration Files section. You can add, delete, upload and download these configuration files from this section (the configuration files can be downloaded individually via the download icons in the table, or as a single gzip archive using the Download button). You will need to specify the enable SID, disable SID, and modify SID files.

Most likely, none are selected by default, so you will have to create or generate separate files for each of these and specify them in the corresponding drop-down boxes. The SID State Order drop-down box determines which file is executed first: the disable SID file or the enable SID file. Click on the Rebuild button to rebuild the rules from the selected configuration files.

The Log Mgmt tab allows you to control a number of log settings. The Remove Snort Logs on Package Uninstall checkbox, if checked, will remove the Snort log files on uninstall. The Auto Log Management checkbox allows you to enable automatic unattended management of the Snort logs using the parameters specified in the Log Directory Size Limit section and the Log Size and Retention Limits section. The Log Directory Size Limit edit box imposes a hard limit on the combined log directory size, while the Log Size and Retention Limits edit box allows you to control the size of individual logs.

The Sync tab is essentially identical to the Sync tab in such applications as Squid. It allows you to sync Snort settings via XMLRPC. The sync target can either be part of a CARP failover group or any arbitrarily defined node. Moreover, you can select more than one replication target: enter the relevant information in the Replication Targets subsection, click on the Add button, and repeat the process for each additional target.
