Priscilla,

Snort is very happy running on Windows platforms as well.  I have been
running it as such for a little over a year now in combination with MySQL
and ACID and have been pleased.  The only challenge (which may soon be
resolved) is using multi-processor machines, as the often-used packet
capture library 'winpcap' did not support MPs.  Version 3.0 Beta of winpcap
is said to have some support for MPs.

-Joe

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 13, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: OT Re: Snort versus Cisco IDS [7:62939]


Thanks for all the replies. It's very helpful to get a feel for the
differences. To quickly synthesize what I've read, I would say that Cisco's
IDS is an enterprise, end-to-end solution, with improving reliability and
ease-of-use. Snort, on the other hand, is more appropriate for the midsize
or smaller companies with Unix expertise and has all the advantages of an
open-source project, but has some ease-of-use "issues" of its own.

I have a low-cost computer on order. I'm going to squeeze Windows XP into a
small partition (should just wipe it out maybe? ;-) and install Red Hat and
learn Linux better. I'll be tearing my hair out I'm sure! But before long,
I'll have Snort running too.

I guess it only runs on UNIX platforms?

Priscilla

Carroll Kong wrote:
> 
> Backing up what Craig said, Snort is probably better performing in
> terms of cost/performance than almost all the IDSes out there,
> including Cisco.  It does not have an end-to-end solution to make
> one's life easier though, at least not out of the box.
>
> Of course, you will need some sort of a unix background to set it up,
> and I do not mean installing Solaris with GUI tools.  Pretty easy to
> anyone who has worked with a FreeBSD or a Linux box (without using
> GUI all over the place and/or rpms everywhere).  The idea of no GUI
> is probably quite daunting to "enterprise" level engineers.
>
> You COULD make it have a lot of the "enterprise level" features, but
> it requires a lot of work on your part, and of course no commercial
> support, so you are on your own.  (So, add this to your end cost...)
>
> If you want a GUI frontend to snort, you can try Demarc, or what they
> call themselves "PureSecure" now.  There are also some freeware
> analyzers, but Demarc/PureSecure is definitely one of the nicest
> ones.  Albeit, it had some bugs, fortunately since they give you
> their CGIs, if you know some Perl, you can patch it yourself before
> they get around to it.  (unless they changed this behavior, the last
> I used was 1.05).
>
> PureSecure DOES charge for commercial usage, which I suppose puts a
> damper on it.  Their licensing is a bit ridiculous.  However, the
> pricing should still be very competitive.
>
> It's a mixed bag, but if you know your Unix, seems like Snort is a
> much cheaper (if you know Unix and programming very well, the
> disadvantages aren't that big) IDS solution.
>
> If you don't, oh well, like all things in life, pay the price for
> one's ignorance.  :)
> 
> > Someone told me in an authoritative voice today that Cisco doesn't
> > recommend their IDS. They recommend Snort. Is this really true?
> > Isn't Cisco's IDS a big part of SAFE?
> >
> > Of course, the person who said this doesn't understand that Cisco
> > is a huge, chaotic organism, and that saying Cisco does something
> > based on what one person does, doesn't make sense.
> >
> > But I'm just curious, what do you all recommend for intrusion
> > detection? How do Snort and Cisco IDS compare? I guess Cisco's
> > solution is a bit more complicated, requiring appliances or IDS
> > cards in a switch and a console:
> >
> > Cisco Secure IDS Director: HP OpenView Network Node Manager
> > "plug-in" that runs on UNIX (Solaris and HP-UX)
> >
> > Cisco Secure Policy Manager (v2.2+): Windows NT-based package
> >
> > Thanks.
> >
> > Priscilla
> -Carroll Kong




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62979&t=62939