Anthony,

> Luca
> 
> Now I had time to ponder this a bit more and had a look at my snort
> database after installing snort a few days ago, do you see ntop as a
> complementary tool or an alternative tool to snort in a short while?
> 
> Regards
> 

I run snort on ntop.org and I believe ntop will never replace snort.
I'll tell you why. Snort is like an antivirus, where you add very
precise signatures (e.g. snort rules) from time to time and the tool
tries to match such signatures.

ntop has not been designed as an IDS 'a la snort' although it sports
some nice features (some of which need to be further tested). The idea
of ntop is the following: analyse the traffic, detect situations where
the traffic doesn't look good (e.g. portscan or traffic sent to a closed
port) and report them to the user. If you look at the ntop rules you
will see that they are very very generic (i.e. they are not coupled to a
specific net) because this is ntop's nature.

In the coming months (mid summer I hope) expect to see some major
improvements. Gaia, a student of mine (I'm currently a lecturer at the
University of Pisa), is designing a tool (we still have to decide
whether it will be part of ntop or just an external tool) whose goal is
to report to you in 1 (one) single page about the network status. In
practice you will read "Relax: everything is fine." or "ntop detected
the following problems: ....". This is why 1) average users are not able
to read/understand/interpret all the data ntop emits and 2) because a
sys admin should not waste time glancing through the ntop pages just to
understand if there's something wrong/suspicious.

Keep on running snort: it's a great tool.

Cheers, Luca
-- 
Luca Deri                Telecom Italia IT
Via Matteucci 34/B       56124 Pisa, Italy.
Ph. +39/050/968.639      Fax. +39/050/968.626
Email: [EMAIL PROTECTED] WWW: http://luca.ntop.org/
ICQ: 68183632
Software is about stuff, about getting hands dirty - Jim Coplien
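The approach Luca sketches above (generic checks over observed traffic, such as a portscan or packets sent to a closed port, reduced to a single "everything is fine" / "problems detected" page) can be shown in miniature. The following is an added example written for this thread; it is not ntop's, snort's, or Gaia's code, and the flow-record format, the `outcome` field, the thresholds and the sample flows are all constructed for illustration.

```python
"""Added example: a toy 'is everything fine?' summary in the spirit of the
approach described in the thread (generic anomaly checks over traffic,
reduced to a one-page verdict). Not ntop or snort code; the record format,
thresholds and sample data below are constructed for illustration."""
from collections import defaultdict

# Constructed flow records: (src_ip, dst_ip, dst_port, outcome).
# outcome is "ok" for an established connection and "closed" when the target
# answered with TCP RST / ICMP port-unreachable, i.e. the port was closed.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 80, "ok"),
    ("10.0.0.5", "10.0.0.20", 443, "ok"),
    ("10.0.0.9", "10.0.0.21", 22, "ok"),
    # one source probing many ports on one host, almost all of them closed
    *[("192.0.2.77", "10.0.0.20", p, "closed") for p in range(20, 36)],
    ("192.0.2.77", "10.0.0.20", 80, "ok"),
    # a single stray hit on a closed port: worth a line, but not a scan
    ("10.0.0.9", "10.0.0.22", 3306, "closed"),
]

# Generic, site-independent thresholds (assumed values, not ntop's).
PORTSCAN_MIN_PORTS = 10   # distinct ports per (src, dst) pair before calling it a scan
CLOSED_PORT_MIN_HITS = 1  # report any traffic that reached a closed port


def detect_portscans(flows, min_ports=PORTSCAN_MIN_PORTS):
    """Return {(src, dst): n_ports} for pairs that touched >= min_ports distinct ports."""
    ports = defaultdict(set)
    for src, dst, dport, _ in flows:
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def detect_closed_port_traffic(flows, min_hits=CLOSED_PORT_MIN_HITS):
    """Return {(src, dst): n_hits} for pairs whose traffic hit a closed port."""
    hits = defaultdict(int)
    for src, dst, _, outcome in flows:
        if outcome == "closed":
            hits[(src, dst)] += 1
    return {pair: n for pair, n in hits.items() if n >= min_hits}


def network_status(flows):
    """Reduce all findings to the one-page verdict the thread describes."""
    problems = []
    scans = detect_portscans(flows)
    for (src, dst), n in sorted(scans.items()):
        problems.append(f"possible portscan: {src} -> {dst} touched {n} distinct ports")
    for (src, dst), n in sorted(detect_closed_port_traffic(flows).items()):
        if (src, dst) in scans:
            continue  # already reported as a scan; avoid a duplicate line
        problems.append(f"traffic to closed port(s): {src} -> {dst} ({n} attempt(s))")
    if not problems:
        return "Relax: everything is fine."
    return "ntop detected the following problems:\n" + "\n".join(f"  - {p}" for p in problems)


if __name__ == "__main__":
    print(network_status(SAMPLE_FLOWS))
```

The point of the design is the one made in the message: the checks know nothing about the specific network (no per-site signatures, only "many distinct ports from one source" and "reached a closed port"), and the operator reads a single verdict rather than a page of counters. Tuning `PORTSCAN_MIN_PORTS` is the trade-off between noise and missed slow scans.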
