Snort as an IPS

Most companies that choose not to run an IDS do so because of the cost. Thankfully there is Snort. Snort is sometimes referred to as the poor man's IDS, but that label is misleading. Snort is open-source yet powerful software used by many corporations and government-sector organizations. Snort was developed for Linux systems but has been ported to numerous platforms, including Windows, Solaris/SunOS, BSD Unix, and Mac OS X, to name a few.

Snort has three main modes of operation: NIDS, Packet Sniffer, and Packet Logger. It has other modes as well (In-line, Real time, or Scheduled checks), but these are the main three. In NIDS mode, Snort detects potential network intrusions using a rule-based intrusion-detection mechanism. Packet Sniffer mode displays all network traffic to the user and provides the flexibility to display entire packets or only certain header information; this is great for diagnosing network issues. Packet Logger mode is the same as Packet Sniffer, but without displaying the data on your screen; it instead writes all the data to a traffic data file for later review.

Snort, like any rule-based software, needs to be updated regularly to prevent your rules from becoming dated. Just like antivirus software, if you don't update it you are prone to new security threats. Snort's website offers the most up-to-date rulebase at http://www.snort.org/dl/rules/. The main benefit of Snort being open-source is that it allows security professionals to develop new rules and add them to the community's knowledge base. Like any intrusion-detection software, Snort has to be tailored to your specific needs; it is not install-and-forget software. Snort is very easy to install and get running, but make sure to go through the configuration line by line to ensure it integrates with your environment properly.
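To make the rule-based mechanism of NIDS mode and the idea of site-specific rules concrete, here is an added example that is not from the book or from the Snort project: a tiny Python matcher that parses rules written in the Snort 2 rule syntax and evaluates them against constructed packet records. It assumes only the `msg`, `content` (plain strings, no `|..|` hex) and `sid` options, the `->` direction, and does not model Snort's action ordering, preprocessors or PCRE; the rules and packets are constructed for illustration.

```python
"""Minimal Snort-style rule matcher (illustrative; not Snort's own engine)."""
import ipaddress
import re
from dataclasses import dataclass, field

# Snort 2 rule header: action proto src_ip src_port -> dst_ip dst_port (options)
RULE_RE = re.compile(
    r"^(?P<action>alert|log|pass)\s+(?P<proto>tcp|udp|icmp|ip)\s+"
    r"(?P<src_ip>\S+)\s+(?P<src_port>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst_ip>\S+)\s+(?P<dst_port>\S+)\s*\((?P<opts>.*)\)\s*$"
)

@dataclass
class Rule:
    action: str
    proto: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: str
    msg: str = ""
    contents: list = field(default_factory=list)  # payload byte strings that must all appear
    sid: int = 0

@dataclass
class Packet:
    """Constructed, already-decoded packet record (no real capture involved)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes

def parse_rule(text: str) -> Rule:
    """Parse one rule line; only msg/content/sid options are understood (assumption)."""
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = Rule(**{k: m.group(k) for k in
                   ("action", "proto", "src_ip", "src_port", "dst_ip", "dst_port")})
    for opt in m.group("opts").split(";"):
        opt = opt.strip()
        if not opt:
            continue
        key, _, val = opt.partition(":")
        val = val.strip()
        if key == "msg":
            rule.msg = val.strip('"')
        elif key == "content":
            rule.contents.append(val.strip('"').encode())
        elif key == "sid":
            rule.sid = int(val)
    return rule

def _ip_matches(pattern: str, ip: str) -> bool:
    if pattern == "any":
        return True
    if "/" in pattern:  # CIDR block, e.g. 192.168.1.0/24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == ip

def _port_matches(pattern: str, port: int) -> bool:
    if pattern == "any":
        return True
    if ":" in pattern:  # range, e.g. 1024: or 6000:6010
        lo, _, hi = pattern.partition(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(pattern) == port

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Header fields must match and every content string must occur in the payload."""
    return (rule.proto in (pkt.proto, "ip")
            and _ip_matches(rule.src_ip, pkt.src_ip)
            and _port_matches(rule.src_port, pkt.src_port)
            and _ip_matches(rule.dst_ip, pkt.dst_ip)
            and _port_matches(rule.dst_port, pkt.dst_port)
            and all(c in pkt.payload for c in rule.contents))

def evaluate(rules: list, packets: list) -> list:
    """Return (sid, msg) for every alert rule that fires on every packet."""
    return [(r.sid, r.msg) for pkt in packets for r in rules
            if r.action == "alert" and rule_matches(r, pkt)]

# Constructed local rules (sids >= 1000000 are the range reserved for local rules).
RULES = [parse_rule(r) for r in [
    'alert tcp any any -> 192.168.1.0/24 80 (msg:"Web traversal attempt"; content:"../"; sid:1000001;)',
    'alert tcp any any -> any 23 (msg:"Telnet session"; sid:1000002;)',
]]

# Constructed sample traffic: one traversal probe, one benign request, one telnet, one UDP.
PACKETS = [
    Packet("tcp", "10.0.0.5", 43122, "192.168.1.10", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.5", 43123, "192.168.1.10", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("tcp", "10.0.0.7", 51000, "192.168.1.20", 23, b""),
    Packet("udp", "10.0.0.7", 51001, "192.168.1.20", 23, b""),
]

if __name__ == "__main__":
    for sid, msg in evaluate(RULES, PACKETS):
        print(f"[{sid}] {msg}")
```

The second and fourth packets show why tailoring matters: the benign request carries no `../`, and the UDP datagram to port 23 does not match a `tcp` rule, so neither fires. Adjusting the home network in the first rule's destination (as Snort's `$HOME_NET` variable normally does) is exactly the kind of line-by-line environment integration the text describes.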
