> I am looking at broadening my knowledge of using different types of IDS
> programs. Snort seems like a good open source program.

The proof is in the pudding.

> http://www.snort.org
>
> Does anyone have any comments about using Snort on their systems?

We've been using snort on a medium size .edu for some time now and I have nothing but good things to say about snort. Some of these things include:

* excellent support -- both in the docs included with Snort, the mailing list, and the all important #snort. Also check out the snort-sigs mailing list and the snort-db, which is putting together some documentation that will add some meat to the nitty-gritty of an attack. This makes life easier for you, the sensor administrator, and also for the non-compoooter types that may get their hands on snort's output.

* writing new rules for either new attacks or anomalies specific to your environment is trivial with the documentation provided by the Snort community.

* speed with which bug fixes and new versions are released, given the large and knowledgeable user base.

* speed with which new rules for new attacks can be written. A good example is the SNMP vulnerability that got everyone on their toes -- prototype rules were released within hours of the announcement of the vulnerability. Instead of the traffic (potentially) sliding down the wire unnoticed, Snort's rules could catch it, false positives could be ironed out quickly, and eventually we had a concrete rule that could get merged into the collection of snort rules available from the website and/or CVS.

* integration with your current environment -- because of the large user base and a skilled set of developers, support for darn near every setup is possible. You gotta database? Snort can log to it. xml, snmp, smb, syslog and email alerting. The list goes on.

> Looking for comments also toward running SNORT on a Windows based
> system vs Unix/Linux systems.

The first time I touched snort was on a windows machine. snort itself was fine, but windows and I don't play well together, so I hastily moved to a *nix platform.

Currently, I have sensors in an OpenBSD environment, a Linux environment, and I have been pondering Solaris as it is/was the main platform at my place of employment. I might also point out that not a day goes by where I don't find myself doing a 'snort -i eth0 -Cvdsxe'. I frequently use that technique as an alternative to tcpdump or $sniffer and rather enjoy snort's output when attempting to debug networking 'issues', traffic analysis, or satisfying some sick curiosity of mine.

Give it a try. You'll love it.

-warchild