Backing up what Craig said, Snort is probably better performing in 
terms of cost/performance than almost all the IDSes out there, 
including Cisco.  It does not have an end-to-end solution to make 
one's life easier though, at least not out of the box.

Of course, you will need some sort of a unix background to set it up, 
and I do not mean installing Solaris with GUI tools.  Pretty easy to 
anyone who has worked with a FreeBSD or a Linux box (without using 
GUI all over the place and/or rpms everywhere).  The idea of no GUI 
is probably quite daunting to "enterprise" level engineers.  

You COULD make it have a lot of the "enterprise level" features, but 
it requires a lot of work on your part, and of course no commercial 
support, so you are on your own.  (So, add this to your end cost...)

If you want a GUI frontend to snort, you can try Demarc, or what they 
call themselves "PureSecure" now.  There are also some freeware 
analyzers, but Demarc/PureSecure is definitely one of the nicest 
ones.  Albeit, it had some bugs, fortunately since they give you 
their cgis, if you know some perl, you can patch it yourself before 
they get around to it.  (unless they changed this behavior, the last 
I used was 1.05).

PureSecure DOES charge for commercial usage, which I suppose puts a 
damper on it.  Their licensing is a bit ridiculous.  However, the 
pricing should still be very competitive.

It's a mixed bag, but if you know your Unix, seems like Snort is a 
much cheaper (if you know Unix and programming very well, the 
disadvantages aren't that big) IDS solution.

If you don't, oh well, like all things in life, pay the price for 
one's ignorance.  :)

> Someone told me in an authoritative voice today that Cisco doesn't recommend
> their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> big part of SAFE?
> 
> Of course, the person who said this doesn't understand that Cisco is a huge,
> chaotic organism, and that saying Cisco does something based on what one
> person does, doesn't make sense.
> 
> But I'm just curious, what do you all recommend for intrusion detection? How
> do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> complicated, requiring appliances or IDS cards in a switch and a console:
> 
> Cisco Secure IDS Director: HP OpenView Network Node Manager "plug-in" that
> runs on UNIX (Solaris and HP-UX)
> 
> Cisco Secure Policy Manager (v2.2+): Windows NT-based package
> 
> Thanks.
> 
> Priscilla
-Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62966&t=62939