Implementing Snort IDS Using FreeBSD

This paper explores the elements involved in implementing a Snort IDS and associated software. The considerations and steps taken in building the IDS are discussed, as are the pitfalls and compromises inherent in the implementation described here. This paper should be helpful to anyone considering setting up an IDS for the first time, regardless of the final software solution that is chosen.

This paper was written in November of 2005. It is primarily a personal narrative explaining the reasons for choosing Snort and FreeBSD for an IDS implementation that I had recently completed. It is fairly informal. This should be an interesting read for other people considering a Snort implementation. From a technical perspective this is a bit dated, and I would not implement it in exactly the way outlined if I were working on this today, but this should be a good place to start, or a place to gain additional ideas, for implementers who have already started on an IDS implementation. While this does spend much time discussing Snort, the concepts should be useful for implementations of other IDS products.

Link to Paper