My organization just went through evaluating Cisco IDS (we already
have 12 sensors), Dragon IDS (kind of based on Snort), and rolling our
own version of Snort. I came up with these 3 based on the different
price points and also because, according to some of my research talking
to people at SANS conferences, just about all the experts consider
Dragon #1 in the market. To keep it short, my final decision was Dragon:
very easy to maintain and install, also the ease of writing your own
rules and modifying others already there, also the reporting
functionality to prove to upper management that the money was well
spent, being able to calculate how many attacks per month and all that
other jazz. One of the major reasons of course is dollars. You know the
old saying, you get what you pay for; well, Dragon was a heck of a lot
cheaper, and to be considered the #1 product on the market right now by
so many people is great, which proved me and that old saying wrong (you
get what you pay for is not true all the time); not to mention Dragon
gave us more on trade-in value of our old Cisco IDS sensors than Cisco
would give us for them. To me this says a lot. Of course Dragon wanted
our business, but considering we are a Cisco reseller you would think
they would want to keep our business, but I guess not, because there
were no negotiations on the trade-in value. We told neither what the
other offered, but when Dragon offered more we took this to Cisco and
they said sorry, we can't do that. It might mean something different to
others, but that tells me Cisco's IDS product is WAY overpriced.

The other thing was tech support: they leverage their business across
all accounts; if they see, for example, the SQL worm overseas on other
accounts hours before it reaches stateside, they will contact you via
email letting you know about it and to upgrade your sensors with the new
signatures. Overall I was pleased with the product and tech support and
of course the price. So how useful Snort is depends on the product;
there are a ton of IDS products in the marketplace now based on Snort. I
could have easily deployed our own rolled version of Snort on
workstation PCs to keep cost way down. I will say the key with Snort is
getting the proper management console to be able to push out updates to
all your other boxes from a centrally managed box, and there are a few
free products that will let you do this.

If you really want to keep price down and get great functionality of
Snort, you might want to look at Demarc PureSecure. I actually run this
at home just to see what it was all about, and I am blown away by it.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]] 
Sent: Thursday, February 13, 2003 12:20 PM
To: [EMAIL PROTECTED]
Subject: RE: OT Re: Snort versus Cisco IDS [7:62939]

Thanks for all the replies. It's very helpful to get a feel for the
differences. To quickly synthesize what I've read, I would say that
Cisco's IDS is an enterprise, end-to-end solution, with improving
reliability and ease-of-use. Snort, on the other hand, is more
appropriate for the midsize or smaller companies with Unix expertise and
has all the advantages of an open-source project, but has some
ease-of-use "issues" of its own.

I have a low-cost computer on order. I'm going to squeeze Windows XP
into a small partition (should just wipe it out maybe? ;-) and install
Red Hat and learn Linux better. I'll be tearing my hair out I'm sure!
But before long, I'll have Snort running too.

I guess it only runs on UNIX platforms?

Priscilla

Carroll Kong wrote:
> 
> Backing up what Craig said, Snort is probably better performing in
> terms of cost/performance than almost all the IDSes out there,
> including Cisco.  It does not have an end-to-end solution to make
> one's life easier though, at least not out of the box.
> 
> Of course, you will need some sort of a Unix background to set it up,
> and I do not mean installing Solaris with GUI tools.  Pretty easy to
> anyone who has worked with a FreeBSD or a Linux box (without using
> GUI all over the place and/or RPMs everywhere).  The idea of no GUI
> is probably quite daunting to "enterprise" level engineers.
> 
> You COULD make it have a lot of the "enterprise level" features, but
> it requires a lot of work on your part, and of course no commercial
> support, so you are on your own.  (So, add this to your end cost...)
> 
> If you want a GUI frontend to Snort, you can try Demarc, or what they
> call themselves "PureSecure" now.  There are also some freeware
> analyzers, but Demarc/PureSecure is definitely one of the nicest
> ones.  Albeit, it had some bugs; fortunately, since they give you
> their CGIs, if you know some Perl, you can patch it yourself before
> they get around to it.  (Unless they changed this behavior; the last
> I used was 1.05.)
> 
> PureSecure DOES charge for commercial usage, which I suppose puts a
> damper on it.  Their licensing is a bit ridiculous.  However, the
> pricing should still be very competitive.
> 
> It's a mixed bag, but if you know your Unix, seems like Snort is a
> much cheaper (if you know Unix and programming very well, the
> disadvantages aren't that big) IDS solution.
> 
> If you don't, oh well, like all things in life, pay the price for
> one's ignorance.  :)
> 
> > Someone told me in an authoritative voice today that Cisco doesn't
> > recommend their IDS. They recommend Snort. Is this really true? Isn't
> > Cisco's IDS a big part of SAFE?
> > 
> > Of course, the person who said this doesn't understand that Cisco is
> > a huge, chaotic organism, and that saying Cisco does something based
> > on what one person does doesn't make sense.
> > 
> > But I'm just curious, what do you all recommend for intrusion
> > detection? How do Snort and Cisco IDS compare? I guess Cisco's
> > solution is a bit more complicated, requiring appliances or IDS
> > cards in a switch and a console:
> > 
> > Cisco Secure IDS Director: HP OpenView Network Node Manager
> > "plug-in" that runs on UNIX (Solaris and HP-UX)
> > 
> > Cisco Secure Policy Manager (v2.2+): Windows NT-based package
> > 
> > Thanks.
> > 
> > Priscilla
> -Carroll Kong

Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=62986&t=62939
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html