Re: ids inquisition

From: Jamie French (
Date: 07/28/01

From: Jamie French <>
Date: Sat, 28 Jul 2001 11:50:14 GMT
Message-ID: <>
Subject: Re: ids inquisition
To: <>

Quite a thread on this one. Many vendors offer their own proprietary
training. I suggest anyone interested in vendor specific training
contact that vendor for a solution. From my perspective SNORT is a great
tool. Like any tool, its practicality is determined by its users. Just
as a car mechanics toolbox will vary between mechanic, so does an IS
professionals. Remember there is no silver bullet, but a combination of
security measures both tangible and intangible that should be employed.
"A person convinced against their will is of the same opinion still"
Remember this.
I think SNORT does a great job for a free tool and many sources of
signatures are available for users who do not have an in-depth
understanding of the underlying protocols. For those that do, you can
create your own signatures. It boils down to this is just one of the
tools in my toolbox and I use it quite often. Decide on which tools you
like the best and acquire them. If money is no object then the sky is
the limit!
As for SANS, I cant quote policy but would hazard a good guess that SNORT
was chosen for its availability to the masses as a tool to help enforce
the training taught by them. I don't see anyone bashing libpcap or
tcpdump here. This is another tool that is used simply because it
provides the basis for immersing the student into the topic of Intrusion
Detection and if Marty Roesch makes some money then good for him.
Jamie French, GCIA Honors Advisory Board
Maybe someone from SANS will correct me if I am wrong, but I would guess
they would let any vendor teach a class on their own product. If you
out the class info, you will see that Marty teaches....Intrusion
Snort Style. If I was attending that class I would expect it to focus on

I think the conversation has veered off the original low blow directed at
Marty. I think it was uncalled for and not well thought out.

The "Which IDS is better?" discussion comes up every couple of months....
don't ever think there is a clear winner. Some people like ISS, some like
BlackICE, and a growing number choose Snort. I think competition is what
make products better and releasing tools that concentrate on other IDS
weaknesses only helps to improve them. For example, there is code in 1.8
response to stick (stream4), so IDS is an evolving area of security.

And RG, if you are talking to users that have been to a Snort class, I
guess they have a better understanding of IDS than most potential
If you can explain the differences and advantages, then I am not sure how
"Snort allows you to write your own signatures" is an argument.

I am not sure about Black Ice, but I think the principles behind
are "Make as much money off these dopes as possible". Every RS quote I
seen has been above $100,000 for what I consider a small rollout, 1-2
consoles and 8-10 sensors. That doesn't even include all the extra stuff
that gets tacked on...maintenance, prof. services, etc. Snort developers
don't have that motivation, so I am sceptical when someone attacks Snort.

Jason Lewis
It's not secure "Because they told me it was secure".
The people at the other end of the link know less
about security than you do. And that's scary.