Priscilla,

Snort is very happy running on Windows platforms as well. I have been running it as such for a little over a year now in combination with MySQL and ACID and have been pleased. The only challenge (which may soon be resolved) is using multi-processor machines, as the often-used packet capture library 'winpcap' did not support MPs. Version 3.0 Beta of winpcap is said to have some support for MPs.
-Joe

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, February 13, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: OT Re: Snort versus Cisco IDS [7:62939]

Thanks for all the replies. It's very helpful to get a feel for the differences.

To quickly synthesize what I've read, I would say that Cisco's IDS is an enterprise, end-to-end solution, with improving reliability and ease of use. Snort, on the other hand, is more appropriate for the midsize or smaller companies with Unix expertise and has all the advantages of an open-source project, but has some ease-of-use "issues" of its own.

I have a low-cost computer on order. I'm going to squeeze Windows XP into a small partition (should I just wipe it out maybe? ;-) and install Red Hat and learn Linux better. I'll be tearing my hair out, I'm sure! But before long, I'll have Snort running too. I guess it only runs on UNIX platforms?

Priscilla

Carroll Kong wrote:
>
> Backing up what Craig said, Snort is probably better performing in
> terms of cost/performance than almost all the IDSes out there,
> including Cisco. It does not have an end-to-end solution to make
> one's life easier though, at least not out of the box.
>
> Of course, you will need some sort of a Unix background to set it up,
> and I do not mean installing Solaris with GUI tools. Pretty easy for
> anyone who has worked with a FreeBSD or a Linux box (without using
> GUI all over the place and/or rpms everywhere). The idea of no GUI
> is probably quite daunting to "enterprise" level engineers.
>
> You COULD make it have a lot of the "enterprise level" features, but
> it requires a lot of work on your part, and of course no commercial
> support, so you are on your own. (So, add this to your end cost...)
>
> If you want a GUI frontend to Snort, you can try Demarc, or what they
> call themselves "PureSecure" now. There are also some freeware
> analyzers, but Demarc/PureSecure is definitely one of the nicest
> ones. Albeit, it had some bugs; fortunately, since they give you
> their CGIs, if you know some Perl, you can patch it yourself before
> they get around to it. (Unless they changed this behavior; the last
> I used was 1.05.)
>
> PureSecure DOES charge for commercial usage, which I suppose puts a
> damper on it. Their licensing is a bit ridiculous. However, the
> pricing should still be very competitive.
>
> It's a mixed bag, but if you know your Unix, it seems like Snort is a
> much cheaper (if you know Unix and programming very well, the
> disadvantages aren't that big) IDS solution.
>
> If you don't, oh well, like all things in life, pay the price for
> one's ignorance. :)
>
> > Someone told me in an authoritative voice today that Cisco doesn't
> > recommend their IDS. They recommend Snort. Is this really true?
> > Isn't Cisco's IDS a big part of SAFE?
> >
> > Of course, the person who said this doesn't understand that Cisco
> > is a huge, chaotic organism, and that saying Cisco does something
> > based on what one person does doesn't make sense.
> >
> > But I'm just curious, what do you all recommend for intrusion
> > detection? How do Snort and Cisco IDS compare? I guess Cisco's
> > solution is a bit more complicated, requiring appliances or IDS
> > cards in a switch and a console:
> >
> > Cisco Secure IDS Director: HP OpenView Network Node Manager
> > "plug-in" that runs on UNIX (Solaris and HP-UX)
> >
> > Cisco Secure Policy Manager (v2.2+): Windows NT-based package
> >
> > Thanks.
> >
> > Priscilla
>
> -Carroll Kong

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=62979&t=62939
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]