Re: Snort vs. other

From: Bennett Todd (bet@rahul.net)
Date: 06/07/02


Date: Fri, 7 Jun 2002 16:59:03 -0400
From: Bennett Todd <bet@rahul.net>
To: Chris Rondthaler <CRondthaler@TVGNetwork.com>


2002-06-05-20:51:45 Chris Rondthaler:
> At the hands of a skilled administrator, is not Snort as good as
> any of these other high priced software IDS systems? (That is:
> minus the bells and whistles.)

Yes and no.

It _Really_ depends on exactly what you need to accomplish.

If your connection can be guaranteed to have no more than say 50Mbps
on it (e.g. because your internet link is no faster than T3); if you
do not require, or can build yourself (or find as contributed
addons) the various features like gooey admin, elaborate reporting,
etc that the free snort does not include; and if you like the
signature update frequency and timeliness, then snort is an
excellent IDS.

I personally find it to be exceedingly well-supported, I regard its
signature update to be quite satisfactory, I like the fact that
oftentimes breaking news alerts include snort sigs, and I use snort
exclusively.

Some general observations to place snort in context:

- some well-regarded managed security monitoring providers deliver
  snort appliances

- snort is the common choice for cutting-edge research in new
  IDS-defeating technology --- and it gets first profit from the
  findings

- snort is developing very, very rapidly indeed, improving at a rate
  far exceeding that of any commercial IDS I know of

I'm not 100% sure that any conventional[1] commercial IDS actually
still rivals snort in core functionality; their main claim to
fame at this point is the integrated add-ons they include, the
aforementioned gooey admin and elaborate interactive reporting and
whatnot.

There's one big exception that I'd cite here: if you can't wean your
traffic down to what can be handled on a standard computer platform,
then you need to be looking for a commercial solution based around
suitable custom hardware; some folks competing in that space are
claiming to be able to keep up with 2Gbps and more with serious
useful signature lists, in normal operating conditions [I've not
verified these claims myself:-].

-Bennett

[1] By "conventional" I mean to deliberately focus on pure IDS
    systems, things that examine packets against a signature
    database looking for evil. There are more elaborate systems out
    there, I'm thinking of nCircle's integrated vuln-scan + IDS
    concept here, that I place in different categories. I wouldn't
    compare IP360 with snort, they do different jobs.
