On Mon, Sep 23, 2002 at 04:07:29PM -0600, [EMAIL PROTECTED] wrote:
> Hi everyone!!!, I'm an EDP auditor and I want to know some
> commentaries about the use of Snort IDS... I'd like to know if
> anyone recommends it and if it's a good choice to install in a
> financial organization.
We use Snort. It works great. As I work for a University and we are not lush with cash, Snort has been a nice "free" choice. It was fairly easy to set up (others who haven't become one with their inner TCP/IP stack may not find it overly easy to tweak), and there are quite a few third-party tools for it (a module for Half-Life that shows you alerts while you are playing, for example...).

If you have a bit of cash to play with you might consider the commercial support for Snort. Silicon Defense and Sourcefire both provide commercial support for Snort. The latter also provides a commercial version of Snort (much like Sendmail now does: here's our free version, and if you want to cough up, we also make a less cutting-edge, easier-to-use version). Both company homepages can be found by adding .com to the name.

I also find myself doing forensics on some machines on occasion. Snort can read in a libpcap file and report back the interesting things to you. This can be super handy if you have one too many gigabytes of network capture files to sift through.

And finally, Snort runs and compiles on a variety of platforms: Linux, *BSD, Solaris, Win32, and I think IRIX. This can be handy if you have some old hardware sitting around collecting dust. It is also handy if you have a Win32 shop, and have discovered most NIDS are Unix based.

All in all, Snort gets 4 of 5 stars. Barnyard (output handler for Snort) raises this to 4.5 of 5 stars. If 2.0 ever comes out (with the much improved pattern matching algorithm), I will have to give it 5 of 5 stars.

-----------------------------------------------------------------------
   __o      Bradley Arlt                     Security Team Lead
 _ \<_      [EMAIL PROTECTED]                University Of Calgary
(_)/(_)     I should be biking right now.    Computer Science
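The offline-forensics use mentioned in the reply above (pointing Snort at saved libpcap capture files instead of a live interface) as an added example; this script is not part of the original message or of the Snort project. It assumes the Snort 2.x command-line flags (-r to read a pcap, -c for the rules/config file, -l for the log directory, -A fast for one-line alerts, -q for quiet) and uses placeholder paths; the SNORT_CONF location and the capture directory are assumptions to adjust for your site.

```shell
#!/bin/sh
# Added example (not from the original post or the Snort project): run Snort
# over a directory of libpcap capture files, one log directory per capture,
# so alerts from many multi-gigabyte captures stay separated.
# Assumed Snort 2.x flags: -q quiet, -A fast one-line alerts, -c config,
# -r read a pcap file, -l log directory. Paths are placeholders.

SNORT_CONF="${SNORT_CONF:-/etc/snort/snort.conf}"

# Return the Snort command line for one capture file as text, so it can be
# reviewed (or dry-run) before anything is executed.
snort_pcap_cmd() {
    pcap="$1"
    logdir="$2"
    printf 'snort -q -A fast -c %s -r %s -l %s\n' "$SNORT_CONF" "$pcap" "$logdir"
}

# Derive a per-capture log directory from the capture file name
# (e.g. /caps/day1.pcap under /tmp/out becomes /tmp/out/day1).
logdir_for() {
    base=$(basename "$1")
    printf '%s/%s' "$2" "${base%.*}"
}

# Run Snort on a single capture. With DRY_RUN=1 the command is printed rather
# than executed, which is also how the block runs on a host without Snort.
run_snort_on_pcap() {
    pcap="$1"
    logdir="$2"
    mkdir -p "$logdir"
    if [ "${DRY_RUN:-0}" = 1 ]; then
        snort_pcap_cmd "$pcap" "$logdir"
    else
        # Arguments are passed directly (no eval) so odd file names are safe.
        snort -q -A fast -c "$SNORT_CONF" -r "$pcap" -l "$logdir"
    fi
}

# Walk every .pcap in a directory and analyse each one; the alert file for
# capture X ends up in <outroot>/X/alert.
scan_pcap_dir() {
    capdir="$1"
    outroot="$2"
    for f in "$capdir"/*.pcap; do
        [ -f "$f" ] || continue
        run_snort_on_pcap "$f" "$(logdir_for "$f" "$outroot")"
    done
}
```

Typical use is `DRY_RUN=1 sh snort_batch.sh` first to check the generated commands, then `scan_pcap_dir /var/captures /var/snort-offline` for real; each capture's fast-format alerts then sit under their own directory, which is easier to triage than one merged alert file.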
