It may not be what you want. It depends on what you're attempting to accomplish.
Snort is an intrusion DETECTION tool, not an audit tool.

As an IDS tool, it's great, IF (and ONLY IF) the administrator is knowledgeable enough to keep it current and to review and RESPOND/REACT to the logs. As an auditor, you should be checking whether there is a formal procedure for monitoring and acting upon the output of the tool! Just having it running, with a rules base from six months ago and nobody monitoring the logs is useless.

If you do monitor the IDS output and react to it, then the IDS is a tool that helps in two ways - information is power and an IDS is an information source: One is the knowledge of how much of a target you are, and Two is information to allow you to focus your security efforts on "real world", high-payback tasks. Suppose that TODAY, you can either update OpenSSH or install the new release of Apache. Which one offers the payback, RIGHT NOW? If you don't know what probes are being made against your systems (and what you have installed), then you can't make the right decision.

Unfortunately, IDS have two "flaws"... Both are inherent with the beast and are not reasons not to use an IDS (but are reasons not to naively use an IDS)...

1. They generate a lot of "false positives". Say for example, you just install the whole default rules set, you will have (and almost certainly be probed for) a huge # of Windows IIS log messages. If you're not running IIS, then these really aren't meaningful (except for scare tactics -- "we were probed 200 times last night" ... "So what, we're not vulnerable to ANY of the probes"). But on a major or high-profile site, you will have a tremendous number of log messages to deal with every day... That brings up the second "flaw":

2. They only detect attacks/probes where signatures have been created. I.e. yesterday's and (if you keep current) today's attacks, but not tomorrow's.
-----
Burton

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 5:07 PM
To: [EMAIL PROTECTED]
Subject: Snort IDS

Hi everyone!

I'm an EDP auditor and I want to know some commentaries about the use of Snort IDS... I'd like to know if anyone recommends it and if it's a good choice to install in a financial organization.

Thanks
Héctor E. Jiménez
Systems Audit Coordinator
Banco Agrícola, S.A.
Tel. 279-4545 Ext. 123
email: [EMAIL PROTECTED]
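To illustrate the first "flaw" in the reply above (default-ruleset alerts for software you don't run) and the OpenSSH-vs-Apache decision it leads to, here is an added example that is not code from either poster: it parses Snort's "fast" alert format, discards alerts whose rule targets software absent from the destination host's inventory, and counts what is left per exposed service. The alert lines, SIDs, hosts and inventory are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample alerts in Snort's "fast" output format (not real captures;
# the 9000xx SIDs are placeholders, not IDs from any real rule set).
ALERTS = """\
09/23-17:07:01.100000 [**] [1:900001:1] WEB-IIS cmd.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:43210 -> 192.0.2.10:80
09/23-17:07:02.200000 [**] [1:900002:1] WEB-IIS ISAPI .ida attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.7:43211 -> 192.0.2.10:80
09/23-17:08:15.300000 [**] [1:900003:1] EXPLOIT ssh CRC32 overflow attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:5001 -> 192.0.2.20:22
09/23-17:08:16.300000 [**] [1:900003:1] EXPLOIT ssh CRC32 overflow attempt [**] [Classification: Attempted Admin Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:5003 -> 192.0.2.10:22
09/23-17:09:40.400000 [**] [1:900004:1] WEB-MISC apache chunked encoding attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.9:5002 -> 192.0.2.10:80
"""

# Constructed asset inventory: the software each monitored host really runs.
INVENTORY = {"192.0.2.10": {"apache", "openssh"}, "192.0.2.20": {"openssh"}}
# Rule-message prefixes and the software they are only meaningful against (assumed mapping).
PREFIX_TO_SOFTWARE = {"WEB-IIS": "iis", "WEB-MISC apache": "apache", "EXPLOIT ssh": "openssh"}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+) \[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\] "
    r".*\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def target_software(alert):
    # Software the rule is written against, per the prefix table; None if unknown.
    return next((sw for p, sw in PREFIX_TO_SOFTWARE.items() if alert["msg"].startswith(p)), None)

def is_relevant(alert, inventory):
    # Keep an alert only if the destination host actually runs the targeted software.
    # Unknown categories are kept: a person, not a filter, should look at those.
    sw = target_software(alert)
    return sw is None or sw in inventory.get(alert["dst"], set())

def triage(text, inventory):
    # Split raw fast-format alert text into (relevant, noise) lists of parsed alerts.
    relevant, noise = [], []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alert = m.groupdict()
            (relevant if is_relevant(alert, inventory) else noise).append(alert)
    return relevant, noise

def exposed_counts(relevant):
    # Relevant probes per piece of software you actually run: the number that says
    # whether OpenSSH or Apache deserves today's patch window.
    return Counter(sw for sw in map(target_software, relevant) if sw)
```

Running `triage(ALERTS, INVENTORY)` on the sample drops the two WEB-IIS alerts against an Apache host and leaves three relevant ones, and `exposed_counts` then reports two probes against OpenSSH and one against Apache.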