The thing that makes SNORT so powerful is the attack rules, which are updated almost daily. Also, you cannot beat the price. Simply find an unused PC, install Linux and install Snort. The software and OS are free!
You will need some sort of parsing software to read the Snort logs. Check out ACID (http://acidlab.sourceforge.net/) or SnortSnarf.

Paul Borghese

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Will Gragido
Sent: Friday, February 14, 2003 12:02 AM
To: [EMAIL PROTECTED]
Subject: RE: Snort versus Cisco IDS [7:62939]

Not to mention the fact that Cisco Systems bought Okena Software (www.okena.com) last month specifically for their Intrusion Prevention software. SNORT is a great tool; I don't think that anyone would or can argue that. I think that, being that it's driven by the open source community, it comes (and has come since it became the 'SHADOW') under a great deal of scrutiny; however, I have yet to see instances where it fails. I agree with Kent in regards to Cisco Systems proudly recommending their solution (which, when you look under the hood, is really an OEM licensed version of Entercept's product, hence the purchase of OKENA). Furthermore, I can't see ANY Cisco Systems SE staying employed for any amount of time if they openly discouraged existing as well as potential clients from purchasing their solutions.

Cheers,

Will Gragido CISSP CCNP CIPTSS CCDA MCP
9450 W. Bryn Mawr Ave. Suite 325
Rosemont, IL 60018
www.ins.com
[EMAIL PROTECTED]

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kent Hundley
Sent: Thursday, February 13, 2003 3:39 PM
To: [EMAIL PROTECTED]
Subject: Re: Snort versus Cisco IDS [7:62939]

On Thu, 2003-02-13 at 00:06, Priscilla Oppenheimer wrote:
> Someone told me in an authoritative voice today that Cisco doesn't recommend
> their IDS. They recommend Snort. Is this really true? Isn't Cisco's IDS a
> big part of SAFE?
>
Whoever told you this:

1) Is extremely naive (one Cisco engineer told them something and they took it as gospel)
2) Has never talked to any of the Cisco teams that manage large global accounts

I can tell you for a 100% fact that Cisco recommends their IDS very actively to their large global customers. I'm working on a Fortune 5 account right now and the Cisco team is heavily pushing a Cisco IDS deployment. If one of their engineers recommended Snort, the AM would have them bound and gagged and thrown in a very dark basement. ;-)

> Of course, the person who said this doesn't understand that Cisco is a huge,
> chaotic organism, and that saying Cisco does something based on what one
> person does, doesn't make sense.
>
> But I'm just curious, what do you all recommend for intrusion detection? How
> do Snort and Cisco IDS compare? I guess Cisco's solution is a bit more
> complicated, requiring appliances or IDS cards in a switch and a console:
>
Cisco IDS is a commercial, fully baked product in the sense that it has a lot of bells and whistles for the end-user market. Cisco is also developing custom hardware such as blades that slide into a Cat 6500, making for easy deployment and the ability to capture and process traffic at Gigabit speeds.

Snort is much more of a tech geek's solution, although there are a lot of talented people writing code to increase its ease of use (things like ACID and Demarc).

The bottom line is that Snort will do the job in a lot of environments, but you're going to need to have some very technical people to handle the care and feeding of the system. It is an open source solution and doesn't come with built-in support other than what you get through mailing lists. The Cisco IDS comes with TAC behind it. You pay more for more support baked into the process and a large amount of dedicated resources working on your issues.
(It's the same old open source vs. commercial product argument.)

For small environments where funds are very limited, or for environments with highly technical but cheap labor (such as universities), Snort is probably the better solution. For large enterprises, Cisco would probably be the better choice. Of course, YMMV, a lot depends on the environment, that's my opinion, take it with a grain of salt, yada, yada, yada, etc. etc. disclaimer, disclaimer...

Regards,

Kent

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=63011&t=62939
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]