Re: Snort IDS

From: Brad Arlt (arlt@cpsc.ucalgary.ca)
Date: 09/25/02


Date: Tue, 24 Sep 2002 16:54:56 -0600
From: Brad Arlt <arlt@cpsc.ucalgary.ca>
To: hejimenez@bancoagricola.com

On Mon, Sep 23, 2002 at 04:07:29PM -0600, hejimenez@bancoagricola.com wrote:
> Hi everyone!!!, I'm an EDP auditor and I want to know some
> commentaries about the use of Snort IDS...I'de like to know if
> anyone recommend it and if it's a good choice to install in a
> financial organization.

We use snort. It works great.

As I work for a University we are not lush with cash Snort has been a
nice "free" choice. It was fairly easy to setup (others who haven't
become one with their inner TCP/IP stack may not find it overly easy
to tweak), there is quite a bit of third party tools for it (a module
for HalfLife that shows you alerts while you are playing, for
example....)

If you have a bit of cash to play with you might consider the
comercial support for Snort. Silicon Defense, and SourceFire both
provide comercial support for snort. The latter also provides a
commercial version of Snort (much like Sendmail now does, heres our
free version, and if you want to cough up, we also make a less cutting
edge easier to use version). Both company homepages can be found by
adding .com to the name.

I also find myself doing forensics on some machines on occassion.
Snort can read in a libpcap file and report back the interesting
things to you. This can be super handy if you have one too many
gigabytes of network capture files to sift through.

And finally, Snort runs and compiles on a Variety of platforms. Linux,
*BSD, Solaris, Win32, and I think IRIX. This can be handy if you have
some old hardware sitting around collecting dust. It is also handy if
you have a Win32 shop, and have discovered most NIDS are Unix based.

All and all, snort gets 4 of 5 stars.

Barnyard (output handler for Snort) raises this to 4.5 of 5 stars

If 2.0 ever comes out (with the much improved pattern matching
algorythm), I will have to give it 5 of 5 stars.
-----------------------------------------------------------------------
   __o Bradley Arlt Security Team Lead
 _ \<_ arlt@cpsc.ucalgary.ca University Of Calgary
(_)/(_) I should be biking right now. Computer Science



Relevant Pages

  • Re: Snort IDS
    ... DISCLAIMER: I work for Sourcefire. ... > We use snort. ... > provide comercial support for snort. ... This can be super handy if you have one too many ...
    (Security-Basics)
  • Re: Glenn Beck Responds To "New Black Panther" Challenge
    ...  I reckon' that degree comes in handy while she ... works the cosmetics counter at Target. ...
    (alt.politics)
  • Re: Disney Premier Passport
    ... Snort. ... Spew. ... When stars are born, They possess a gift or two, ...
    (rec.arts.disney.parks)