Taking a NOC-funded class this week to set up a standard SNORT IDS (Intrusion Detection System) server. One of the things which I've really learned the past 2 days is how to harden a Linux distro. I had only a brief glimpse before of all the services installed by default. We installed a Helix distro of Linux, and it had just a ton of 'non-essential' services. I'm talking like 15-20 pages of services total. We took out nearly half, which would not be used. Great exercise which I had not done before, and I learned a lot from it.
We haven't actually installed SNORT on our boxes yet, but the install appears to be fairly straightforward. What SNORT does is monitor the network for specific, user-defined anomalies. Imagine that you own a business which only sells CDs. You receive CDs every day from your supplier and sell them to your customers. One day, one of your suppliers attempts to drop off an 8-track. You notice this right away, because you only buy/sell CDs. Congratulations, you're a SNORT IDS (in simple terms).
We receive/send packets on our network nearly every time we do something on our computers. They send packets when we're not looking, too (no cause for alarm). What the SNORT IDS solution will do for us is check that the packets we're receiving/sending are not 'abnormal'. Typically, 'abnormal' packets are used for hacking systems, or for running other things which you may or may not want on the network. The duty of SNORT is to observe the packets which run by it and log the unusual things we specify on the box. It does not do anything to the packets themselves; it only reports to the network admin that "Hey, something happened which you may want to look at". Compare this with an IPS (Intrusion Prevention System). In an IPS solution, the sensor takes an active approach to 'abnormal' packets and blocks them. From my research, this can lead to issues. For the time being, we're going to use an IDS solution, and log all the 'weird' things.
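To make the CD-shop analogy and the IDS/IPS distinction concrete, here is a small added example (written for this post, not Snort's own code) that parses a Snort-style rule and runs constructed packets past it, once as a passive IDS that only logs and once as an inline IPS that drops. The rule syntax subset, the packet fields and the traffic are all assumptions for the demo.

```python
import re
from collections import namedtuple

# Constructed example: a tiny Snort-style rule matcher written for this post.
# It understands only a subset of Snort's rule syntax (header plus the
# msg/content/sid options) and is not Snort itself.
RULE_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s+\((.*)\)\s*$")

Packet = namedtuple("Packet", "proto src sport dst dport payload")
# action: "alert" logs and lets the packet through; "drop" blocks it, but only
# when the sensor sits inline (IPS). In passive IDS mode "drop" just alerts.
Rule = namedtuple("Rule", "action proto src sport dst dport msg content sid")

def parse_rule(text):
    """Parse one Snort-style rule line into a Rule."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule: " + text)
    action, proto, src, sport, dst, dport, opts = m.groups()
    kv = dict(o.strip().split(":", 1) for o in opts.split(";") if o.strip())
    return Rule(action, proto, src, sport, dst, dport,
                kv["msg"].strip().strip('"'),
                kv["content"].strip().strip('"').encode(), kv["sid"].strip())

def rule_matches(rule, pkt):
    """Header fields must equal the packet's (or be 'any'); content must appear in the payload."""
    hdr = zip(rule[1:6], pkt[:5])
    return all(r == "any" or r == str(p) for r, p in hdr) and rule.content in pkt.payload

def inspect(rules, packets, inline=False):
    """Run packets past the rules; returns (alerts, forwarded).
    inline=False is the passive IDS the post describes: everything is forwarded
    and matches are only logged. inline=True is an IPS: 'drop' rules block."""
    alerts, forwarded = [], []
    for pkt in packets:
        hit = next((r for r in rules if rule_matches(r, pkt)), None)
        if hit:
            alerts.append(f"[{hit.sid}] {hit.msg} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            if inline and hit.action == "drop":
                continue  # IPS: the abnormal packet never reaches its destination
        forwarded.append(pkt)
    return alerts, forwarded

# Constructed rule and traffic, following the post's CD shop analogy.
RULES = [parse_rule('drop tcp any any -> any 80 '
                    '(msg:"8-track received, we only sell CDs"; content:"8-track"; sid:1000001;)')]
PACKETS = [Packet("tcp", "10.0.0.5", 40000, "10.0.0.1", 80, b"GET /cd/catalog HTTP/1.1"),
           Packet("tcp", "10.0.0.9", 40001, "10.0.0.1", 80, b"GET /delivery?item=8-track HTTP/1.1")]
```

Calling `inspect(RULES, PACKETS)` logs one alert and forwards both packets; `inspect(RULES, PACKETS, inline=True)` logs the same alert but forwards only the normal one.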
It should be interesting next week when I put this box into our network to see what it comes up with.