There has been a comparative test between Snort and some major commercial IDSs. NSS Group (www.nss.co.uk) has an ongoing programme of comparison testing security software, and the latest IDS comparison test (edition 2) was published December 2001 (edition 3 is due summer 2002).
This was picked up and hyped by a Vnunet article on 3 Dec 2001 (http://www.vnunet.com/News/1127283) which slightly oversold Snort's results and comparative position, although they do quote Bob Walder, director of NSS Group, as saying "In our tests Snort was the top performer - we were blown away by it." I couldn't see that in my skim-read of the report; however, Snort is impressive. The NSS report is available as a 5MB pdf free download (free registration required: name, company and email suffice) and features 15 commercial IDSs plus Snort. The upshot is that /properly configured/, Snort is as good as or better than the commercial IDSs tested.

It is a raw tool, and requires some forethought and additional tools to get it sniffing at its best. You could resort to vi, etc., but there are some GUI tools coming out which should make it less of a pig to drive. My impression is that the configuration complexity is no worse than postfix or netfilter, but since I've reconfigured neither netfilter nor snort by hand, YMMV. Snort is still on my todo pile, but have you wrestled with the pig on your own machine yet? If not, give it a go and see if it's too much of a handful. There are some helpful scripts on the www.snort.org site.

There is a commercial venture based on Snort - www.SourceFire.com - being weaned as I type. It has been bred to focus on the usability issues, so that could be a good affordable/usable/performance compromise option. Pdf brochures are available for download.

Recently there has been a demonstration of an attack which completely side-stepped Snort. It was a highly fragmented, stealthy attack and I doubt whether any other IDS could have detected it. Snort.org are undoubtedly working their buns off plugging the hole. IDS is currently a very immature market, but growing up fast.
For that reason, consider remaking IDS decisions on a relatively short time scale, keeping an ear to the ground for the latest threats, and keeping your choice of IDS (and rulesets) frequently updated. You might also consider browsing www.Gartner.com. They seem to have had some nice things to say about OSS, and put on a very PHB-friendly face. I did a quick Gartner search for Snort and scored a 100% hit on a report "Intrusion Detection Systems (IDSs): Perspective". No, I haven't read it, but it probably mentions Snort kindly, and some managers value advice by the price tag. I think that $295 is an impressive price tag.

-- Terry