DISCLAIMER: I work for Sourcefire.

>>Hi everyone!!!, I'm an EDP auditor and I want to know some
>>commentaries about the use of Snort IDS... I'd like to know if
>>anyone recommends it and if it's a good choice to install in a
>>financial organization.
> 
> 
> We use snort.  It works great.
> 
> As I work for a University, we are not lush with cash, so Snort has been a
> nice "free" choice.  It was fairly easy to set up (others who haven't
> become one with their inner TCP/IP stack may not find it overly easy
> to tweak), and there are quite a few third party tools for it (a module
> for HalfLife that shows you alerts while you are playing, for
> example....)
Love the comment and I think there is a ton of potential with the 
HalfLife concept.

Imagine being able to interactively respond to attackers in a game, 
shutting them down by playing the game ;-)
Sounds like a research project for the university world if you ask me. 
Just needs time and imagination.

> 
> If you have a bit of cash to play with you might consider the
> commercial support for Snort.  Silicon Defense and SourceFire both
> provide commercial support for Snort.  The latter also provides a
> commercial version of Snort (much like Sendmail now does: here's our
> free version, and if you want to cough up, we also make a less cutting
> edge, easier to use version).  Both company homepages can be found by
> adding .com to the name.
Since Sourcefire was mentioned.

In no way, shape, or form is it less cutting edge. It is the same Snort 
if we compile it or you compile it. We do however know all the bits and 
pieces to make it squeal and make it easy to use. Updates at the click 
of a button for example.

<start section="slight vendor bias">

Snort as an open source tool is consistently ranked among the best in 
IDS shootouts without support. We are taking it to the next level for 
the people who require scalability, performance, management, and support 
in the enterprise.

Everything is wrapped up into appliances that allow you to do intrusion 
analysis as the primary function instead of intrusion architecture. We 
have solutions that run at gig speed in a box and smaller solutions for 
the remote office. We can manage millions of events in the database we 
have built and do it at the enterprise level not just the sensor level 
while being fast enough that you can actually interact with the data 
near realtime. To top that off, you don't have to be a DBA, OS GURU, 
Network GURU...

I will be happy to speak off list to anyone who is curious about the 
capabilities of the Sourcefire offering.

</start>

All enhancements we make to Snort are provided back to the community and 
will always be available for everyone to use.


> 
> I also find myself doing forensics on some machines on occasion.
> Snort can read in a libpcap file and report back the interesting
> things to you.  This can be super handy if you have one too many
> gigabytes of network capture files to sift through.
<plug severity="blatant">

Sounds like you could benefit from our sensors and mgmt console appliances.

</plug>

> 
> And finally, Snort runs and compiles on a variety of platforms: Linux,
> *BSD, Solaris, Win32, and I think IRIX.  This can be handy if you have
> some old hardware sitting around collecting dust.  It is also handy if
> you have a Win32 shop and have discovered most NIDS are Unix based.
> 
If I recall, at last count, it was over 30 platforms including OSX.

> All in all, Snort gets 4 of 5 stars.
> 
> Barnyard (output handler for Snort) raises this to 4.5 of 5 stars
>
> If 2.0 ever comes out (with the much improved pattern matching
> algorithm), I will have to give it 5 of 5 stars.
It is currently underway. Check out 1.9beta6 for a lot of other stuff too.

Thanks I will pass it on.

Jason.
http://www.sourcefire.com


> -----------------------------------------------------------------------
>    __o        Bradley Arlt            Security Team Lead
>  _ \<_        [EMAIL PROTECTED]        University Of Calgary
> (_)/(_)     I should be biking right now.    Computer Science
> 
> 
> 
> ------ End of Forwarded Message
> 