I have seen that you already have a wealth of information pertaining to your question, but I would like to offer my two cents also.

We have been using Snort for about a year now and have been very pleased with its functionality. The Silicon Defense folks are very efficient at providing easy-to-follow instructions on installing the Snort product and getting it running with some type of log monitoring method via the web. There are two ways you can monitor the logs from a web page: via SnortSnarf and ACID. We have tried both, starting with SnortSnarf and ending with ACID. We have found that, for the information as well as the ease of use, ACID is the better way to go.

I do, however, have to agree with the gentleman that sent out the last response that all IDSs do produce many false positives. However, Snort does work on rulesets that are made out of text files, which makes it easy to either disable a rules file that doesn't apply to your network or disable individual rules within the rules file. There is also a very big development community out there, as previously stated, that gives instructions on tweaking, discussions of certain log files, etc.

The biggest problem I've found in using Snort is the difficulty in finding out what some of the alerts mean. This is not an inherent problem to Snort itself but rather a problem of having to search for the material. This can be a very lengthy process, especially for the administrator who has many other tasks to take care of.

All this said, I would recommend it to anyone who doesn't need all the flair or expense of a commercial, name-brand product but rather just something that can let them know what's hitting their network and at what frequency. I would, however, recommend running Snort on its own machine passively (by this I mean removing the TCP/IP stack from all monitoring network adapters and only leaving it on the adapter you will use to monitor the logs with. This is only possible on a machine with multiple network interfaces.) The reason I suggest this is that the ability of an attacker to get access to your logs and corrupt them, if they can find your machine easily, defeats the purpose of having the IDS as a forensics tool in the case of a network compromise.
Chad Butler
Security Administrator, GSEC
iPay, LLC

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 23, 2002 5:07 PM
To: [EMAIL PROTECTED]
Subject: Snort IDS

Hi everyone!!!

I'm an EDP auditor and I want to know some commentaries about the use of Snort IDS... I'd like to know if anyone recommends it and if it's a good choice to install in a financial organization.

Thanks,
Héctor E. Jiménez
Coordinador-Auditoria de Sistemas
Banco Agrícola, S.A.
Tel. 279-4545 Ext. 123
email: [EMAIL PROTECTED]
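As an added illustration of the text-file rulesets the reply describes (my own example, not Snort's tooling or anything written by either poster): a small Python helper that silences individual rules by SID by commenting them out in place, which is how you would drop a known false positive while keeping the rest of the file active. The rule lines are constructed samples, not a real ruleset, and the helper assumes classic one-line Snort rule syntax with a `sid:NNNN;` option.

```python
"""Disable individual Snort rules by SID in a rules text file.

Added example, not part of the original mailing-list post. Assumes classic
Snort 2.x syntax: one rule per line, each carrying an option like `sid:1234;`.
"""
import re

# Matches the sid option inside a rule's option block, e.g. "sid:2003;" or "sid: 2003 ;"
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

# Constructed sample rules for demonstration only (SIDs in the local 1000000+ range).
SAMPLE_RULES = """# constructed sample rules, not a real Snort ruleset
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC example probe"; flow:to_server; content:"/example"; sid:1000001; rev:1;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP example ping"; sid:1000002; rev:1;)
# alert tcp any any -> any 21 (msg:"FTP already disabled"; sid:1000003; rev:1;)
"""


def disable_sids(rules_text: str, sids: set[int]) -> tuple[str, list[int]]:
    """Return (new_text, disabled_sids).

    Active rules whose SID is in `sids` get a leading '# ' so Snort skips them;
    comments, blank lines, already-disabled rules and other rules pass through
    unchanged, so the file stays diff-friendly and the disabled rule is still
    visible for audit.
    """
    out_lines = []
    disabled = []
    for line in rules_text.splitlines():
        m = SID_RE.search(line)
        if m and not line.lstrip().startswith("#"):
            sid = int(m.group(1))
            if sid in sids:
                out_lines.append("# " + line)
                disabled.append(sid)
                continue
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", disabled


if __name__ == "__main__":
    text, done = disable_sids(SAMPLE_RULES, {1000002, 1000003})
    print("disabled:", done)
    print(text)
```

Running it on the sample disables only SID 1000002; 1000003 is reported as untouched because it was already commented out.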