Snort + (OpenBSD or Linux)

From: Digital Ebola (digi@legions.org)
Date: 07/30/01


Date: Mon, 30 Jul 2001 08:55:59 -0500 (CDT)
From: Digital Ebola <digi@legions.org>
To: dbunge@costco.com
Subject: Snort + (OpenBSD or Linux)
Message-ID: <Pine.BSO.4.21.0107300842300.18588-100000@cyberspace7.legions.org>


---------
Snort's a cool toy for home use, and it's great to have in the test lab,
but I'd never deploy it for production use in the enterprise. Not just
yet.
--------

I don't agree. One of Snort's best features is the ability to configure
it to your exact needs. If something bad happens, you can write a rule for
it immediately. It isn't your network as Cisco sees it, it is your network
as YOU see it, because you tweaked your rules to a maintainable level.
Having used both Cisco Secure IDS and Snort, I would say, given the
choice, I would take Snort for its configurability. And, with some work,
you can make the interface almost as pretty as a commercial product. The
problem here is that most people do not want to devote time to
customization. Understandable.

The one gripe I do have about Snort is resource utilization. On a fast
network, it does need some horsepower. Snort under OpenBSD does seem to
keep a smaller overhead than Snort on Linux. Well, truthfully, my Snort
testbed is a 40 MHz SPARC running OpenBSD, and it seems to keep up with a
Pentium 150 running Debian, even though the SPARC has a bottleneck
(ethernet).
 
Anyways, hope this adds to the discussion, it's Monday, and I am still
waking up... =)

Digital Ebola
www.legions.org
www.legions.org/~digi/

"Network penetration is network engineering, in reverse."
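As an added illustration of the point above about writing a rule on the spot (this is not part of Digital Ebola's mail; the CGI path, the HOME_NET range, the file paths and the sid are all assumed for the example), a Snort 1.x-style local rule that alerts on a request for a CGI path you have just seen probed, together with the snort.conf lines that load it:

```snort
# snort.conf fragment (added example; address range and paths are assumed)
var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
include /etc/snort/local.rules

# /etc/snort/local.rules (added example)
# Alert on a client-to-server HTTP request carrying a CGI path seen probed today.
# flags:A+ (ACK set) limits the match to mid-session traffic rather than SYN scans;
# the sid is in the local range (>= 1000000) so it never collides with the
# distributed ruleset, and rev:1 lets you bump it as you tune the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL probe for /cgi-bin/test.cgi"; \
    flags:A+; content:"/cgi-bin/test.cgi"; nocase; sid:1000001; rev:1;)
```

Load it with `snort -c /etc/snort/snort.conf -i le0 -A fast` (the interface name is assumed; `-A fast` writes one-line alerts to the alert file). On Snort 1.9 and later, `flow:to_server,established;` is the preferred replacement for `flags:A+;`, since it uses the stream reassembler's state rather than a single TCP flag.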


