Snort is an open source Network Intrusion Detection System (NIDS).
Knowing well how to use snort as both a straight packet sniffer and packet logger, I had always desired to learn to use it as a network intrusion detection system. Today, I learned how to do that too.
I modified the /etc/rc.d/rc.snortd file to include a simple BASH construct
if [ "`/sbin/ifconfig ppp0 2> /dev/null`" ]; then IFACE=ppp0; else IFACE=eth0; fi
to automate choosing of which interface to listen to, depending on the availability of a Point-to-Point link, as I use a dial-up link only to get online.
Now, all I have to do is to execute /etc/rc.d/rc.snortd with the “start” or “restart” argument, and snort goes up automatically, listening as an NIDS.
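The same idea, written out as an added example (not the post's own rc.snortd fragment): a small POSIX sh helper that picks the first interface that actually exists, falls back to the wired one, and refuses to start snort when neither is present rather than sniffing a wrong or nonexistent interface. It assumes a Linux host where interfaces appear under /sys/class/net (the post probes with `ifconfig ppp0` instead); the NET_SYSFS variable, the function names and the snort.conf / log paths are assumptions for the example. The snort command line is printed, not executed, so it can be reviewed before being wired into an init script.

```shell
# Added example, not from the original post.
# Assumption: interfaces are detected via /sys/class/net (Linux); override
# NET_SYSFS to point the detection elsewhere (e.g. for testing).
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"

# Return success (0) if the named interface exists on this host.
iface_exists() {
    [ -n "$1" ] && [ -d "$NET_SYSFS/$1" ]
}

# Print the first existing interface from the argument list; fail (1) if none does.
# Preferring ppp0 first mirrors the post: when the dial-up link is up, snort
# should watch it, otherwise the wired interface.
pick_iface() {
    for candidate in "$@"; do
        if iface_exists "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Build the snort NIDS command line for an interface.
# -D daemonizes, -i selects the interface, -c the rules/config file, -l the log dir.
# (Paths are assumptions; adjust to the local snort install.)
snort_cmd() {
    printf 'snort -D -i %s -c /etc/snort/snort.conf -l /var/log/snort\n' "$1"
}

# Stand-alone usage: choose ppp0 when the dial-up link is up, else eth0,
# and fail closed instead of starting snort on a guessed interface.
if IFACE=$(pick_iface ppp0 eth0); then
    snort_cmd "$IFACE"
else
    echo "no capture interface found; refusing to start snort" >&2
fi
```

In an init script the printed command would be replaced by running it; keeping the interface choice in a function also makes it easy to log which interface was picked at each start, so a later review of the snort alerts can be matched to the link that was actually being watched.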
It is actually kinda’ cool, seeing as snort has already flagged some 20+ various intrusion attempts. ;-p