Snort vs. other

From: Terry Browning (terry@nihil.demon.co.uk)
Date: 06/08/02


From: Terry Browning <terry@nihil.demon.co.uk>
To: focus-linux@securityfocus.com
Date: 08 Jun 2002 02:53:30 +0100

There has been a comparative test between Snort and some major
commercial IDSs. NSS Group (www.nss.co.uk) has an ongoing programme of
comparison testing security software, and the latest IDS comparison test
(edition 2) was published December 2001 (edition 3 is due summer 2002).

This was picked up and hyped by a Vnunet article on 3 Dec 2001
(http://www.vnunet.com/News/1127283) which slightly oversold Snort's
results and comparative position, although they do quote Bob Walder,
director of NSS Group as saying "In our tests Snort was the top
performer - we were blown away by it." I couldn't see that in my
skim-read of the report, however Snort is impressive.

The NSS report is available as a 5MB pdf free download (free
registration required: name, company and email suffice) and features 15
commercial IDSs plus Snort.
The upshot is that /properly configured/, Snort is as good or better
than the commercial IDSs tested. It is a raw tool, and requires some
forethought and additional tools to get it sniffing at its best. You
could resort to vi, etc., but there are some GUI tools coming out which
should make it less of a pig to drive. My impression is that the
configuration complexity is no worse than postfix or netfilter, but
since I've reconfigured neither netfilter nor snort by hand, YMMV.

Snort is still on my todo pile, but have you wrestled with the pig on
your own machine yet? If not, give it a go and see if it's too much of a
handful. There are some helpful scripts on the www.snort.org site.

There is a commercial venture based on Snort - www.SourceFire.com -
being weaned as I type. It has been bred to focus on the usability
issues, so that could be a good affordable/usable/performance compromise
option. Pdf brochures are available for download.

Recently there has been a demonstration of an attack which completely
side-stepped Snort. It was a highly fragmented, stealthy attack and I
doubt whether any other IDS could have detected it.
Snort.org are undoubtedly working their buns off plugging the hole.

IDS is currently a very immature market, but growing up fast. For that
reason, consider remaking IDS decisions on a relatively short time
scale, keeping an ear to the ground for the latest threats, and your
choice of IDS (and rulesets) frequently updated.

You might also consider browsing www.Gartner.com. They seem to have had
some nice things to say about OSS, and put on a very PHB-friendly face.
I did a quick Gartner search for Snort and scored a 100% hit on a report
"Intrusion Detection Systems (IDSs): Perspective". No, I haven't read
it, but it probably mentions Snort kindly, and some managers value
advice by the price tag. I think that $295 is an impressive price tag.

--
Terry
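The post mentions a highly fragmented attack that side-stepped Snort. The
following is an added example, not part of Terry Browning's message and not
Snort's code or the actual attack, that shows the mechanism behind that class
of evasion: a signature that matches a payload in one packet fails when the
bytes are spread across fragments, and even a reassembling detector can be
fooled if its overlap policy differs from the target host's. The signature,
the payload, the fragment tuples and the two overlap policies are all
constructed for illustration.

```python
"""Added example (not from the original post or from Snort).

Models fragments as (offset, data) tuples and compares a detector that
inspects each fragment on its own with one that reassembles first.
All sample traffic below is constructed."""

SIGNATURE = b"/etc/passwd"  # constructed sample signature


def match_per_fragment(fragments, signature=SIGNATURE):
    """Naive detector: grep each fragment independently.
    Misses any signature that straddles a fragment boundary."""
    return any(signature in data for _offset, data in fragments)


def reassemble(fragments, policy="first"):
    """Rebuild the payload from (offset, data) fragments.

    Overlapping bytes are resolved by `policy`:
      'first' - the earlier-seen fragment wins
      'last'  - later fragments overwrite earlier ones
    Real IP stacks differ on this, so an IDS that reassembles with a policy
    unlike the target host's sees a different payload than the host does."""
    buf = bytearray()
    written = bytearray()  # 1 where that byte has already been filled
    for offset, data in fragments:
        end = offset + len(data)
        if end > len(buf):
            buf.extend(b"\x00" * (end - len(buf)))
            written.extend(b"\x00" * (end - len(written)))
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "last" or not written[pos]:
                buf[pos] = b
                written[pos] = 1
    return bytes(buf)


def match_reassembled(fragments, signature=SIGNATURE, policy="first"):
    """Detector that reassembles before matching."""
    return signature in reassemble(fragments, policy)


def fragment(payload, size):
    """Split a payload into fixed-size fragments (constructed attack traffic)."""
    return [(i, payload[i:i + size]) for i in range(0, len(payload), size)]


# Constructed sample request carrying the signature.
ATTACK = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"

# Constructed overlapping fragments: bytes 15..20 are sent twice with
# different content, so the payload the host sees depends on its policy.
OVERLAP = [
    (0, b"GET /../../etc/XXXXXX HTTP/1.0\r\n\r\n"),
    (15, b"passwd"),
]

if __name__ == "__main__":
    tiny = fragment(ATTACK, 4)
    print("per-fragment match on 4-byte fragments:", match_per_fragment(tiny))
    print("reassembled match on 4-byte fragments: ", match_reassembled(tiny))
    print("overlap, first-wins policy:", match_reassembled(OVERLAP, policy="first"))
    print("overlap, last-wins policy: ", match_reassembled(OVERLAP, policy="last"))
```

The first pair of checks shows why a packet-grepping detector needs
reassembly at all; the overlap pair shows that reassembly alone is not
enough unless the detector's policy matches the destination host's, which
is the part that takes forethought when configuring a sensor.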


