SummaryFirst introduced around 1998 by Martin Roesch, this tool is considered the most venerable open source security tool in the world. We cannot imagine a network implementation without at least one Snort sensor. Snort is easy to deploy, has a ton of possible options, and benefits from a huge number of rules developed by an equally huge number of open source developers. (Besides supporting Snort itself, the Snort community provides the core rule sets for some commercial IDS/IPS products.) As well, Snort can act as a sniffer, returning everything it sees with detailed packet decodes or it can be configured just to present alerts from its rule sets.
However you use Snort, it is a solid tool for gathering and analyzing network traffic. With its add-ins/ons, Snort can perform as solidly as most commercial IDS products. Deployment across large network infrastructures, though a bit challenging, is possible, and almost all commercial SIEM products can take Snort input, either as tcpdump files (binary) or as a text file, for further correlation and analysis.
For its ability to be deployed rapidly, its comprehensive capabilities and the superb open source community support, Snort has to be one of our favorites. And no discussion of Snort would be complete without a nod to the commercial version, available as an appliance from Sourcefire, guided by Snort's developer Martin Roesch as its CTO. Roesch has blended the best of both the open source and commercial worlds into the Sourcefire offerings, and for organizations that want Snort with the reliability of a commercially supported product, Sourcefire is the real deal.