2002-06-05-20:51:45 Chris Rondthaler:

> At the hands of a skilled administrator, is not Snort as good as
> any of these other high priced software IDS systems? (That is:
> minus the bells and whistles.)
Yes and no. It _Really_ depends on exactly what you need to accomplish.

If your connection can be guaranteed to have no more than, say, 50Mbps on it (e.g. because your internet link is no faster than T3); if you do not require, or can build yourself (or find as contributed addons), the various features like gooey admin, elaborate reporting, etc. that the free snort does not include; and if you like the signature update frequency and timeliness, then snort is an excellent IDS.

I personally find it to be exceedingly well-supported, I regard its signature update to be quite satisfactory, I like the fact that oftentimes breaking news alerts include snort sigs, and I use snort exclusively.

Some general observations to place snort in context:

- some well-regarded managed security monitoring providers deliver snort appliances
- snort is the common choice for cutting-edge research in new IDS-defeating technology --- and it gets first profit from the findings
- snort is developing very, very rapidly indeed, improving at a rate far exceeding that of any commercial IDS I know of

I'm not 100% sure that any conventional[1] commercial IDS actually still rivals snort in core functionality; their main claim to fame at this point is the integrated add-ons they include, the aforementioned gooey admin and elaborate interactive reporting and whatnot.

There's one big exception that I'd cite here: if you can't wean your traffic down to what can be handled on a standard computer platform, then you need to be looking for a commercial solution based around suitable custom hardware; some folks competing in that space are claiming to be able to keep up with 2Gbps and more with serious useful signature lists, in normal operating conditions [I've not verified these claims myself :-].

-Bennett

[1] By "conventional" I mean to deliberately focus on pure IDS systems, things that examine packets against a signature database looking for evil. There are more elaborate systems out there, I'm thinking of nCircle's integrated vuln-scan + IDS concept here, that I place in different categories. I wouldn't compare IP360 with snort; they do different jobs.