October 30, 2007

SNORT IDS

SNORT

http://www.snort.com/

Snort is an open source IDS solution owned and developed by Sourcefire. According
to Wikipedia:

“Snort can perform protocol analysis, content searching/matching and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, web application attacks, SMB probes, and OS fingerprinting attempts, amongst other features. The system can also be used for intrusion prevention purposes, by dropping attacks as they are taking place.”
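As an added illustration (not part of the original post, and not a rule from the Snort project's own rule set) of the content matching and stealth port-scan detection the quote mentions, here is a minimal Snort 2.x configuration fragment. The network ranges, the HTTP port list and the rule SID are assumed placeholders:

```snort
# Added example, not from the original post: a minimal Snort 2.x
# configuration fragment showing the content matching and port-scan
# detection described above. Addresses are constructed placeholders.

# --- snort.conf ---
var HOME_NET 192.168.1.0/24          # assumed local network
var EXTERNAL_NET !$HOME_NET
portvar HTTP_PORTS [80,8080]         # assumed web server ports

# sfPortscan preprocessor: flags stealth scans (SYN, FIN, NULL, Xmas)
# against hosts in HOME_NET; raise sense_level for more sensitive alerting.
preprocessor sfportscan: proto { all } memcap { 10000000 } sense_level { low }

include $RULE_PATH/local.rules

# --- local.rules ---
# Content match: alert when a directory-traversal pattern appears in an
# HTTP request to a protected web server. sid 1000001 is in the range
# reserved for locally written rules.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL directory traversal pattern in HTTP request"; flow:to_server,established; content:"../"; classtype:web-application-attack; sid:1000001; rev:1;)
```

Validate the configuration with `snort -T -c snort.conf` before running the sensor live; matches are written to whichever alert output plugin is configured (the fast alert format is the usual starting point).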

What Rocks:

It’s free and amazingly feature-rich. I challenge any of the commercial products to match it in terms of quality of signatures and versatility. Built from the ground up to be modular, the number of “features” that can be enabled through snap-on or interoperable modules is amazing.

Want inline packet virus scanning? No problem – add on ClamAV, an open source antivirus scanner. Want visualization? Got it – use Snort output with OSSIM tools in BSD.

Also, as a compliance issue, Snort will be accepted by virtually every auditor as an acceptable solution for IDS requirements. If for some reason your auditor doesn’t accept it, get a new auditor.

What Doesn’t:

WHO INVITED THIS GUY?

In my opinion, you need to be a tech geek to take full advantage of Snort.

If you have no idea what I am talking about, close your eyes and think Linux, open source, and sparse documentation. Voilà, you have Snort! In the end, it’s probably one of the easier open source tools to implement but definitely a tear-jerker for the business analyst who is in charge of implementing Sarbox controls that some accounting firm needs to audit.

The good news is that with Sourcefire, you can hire the support and expertise required for an “enterprise” solution. Not a tech geek? No problem. Let them set you up with a preloaded box and maintenance so you can start running reports.

And so with that we get to…

BRING THE BLING

For being free, it’s not really free.

For starters, you have to buy a server to put it on. That costs money. The bigger the pipe, the bigger the server. The bigger the server, the bigger the cost. And if you want the latest signatures, you have to pay. Funny thing about Snort these days: the newest signatures are not released to the general public until 30 days AFTER paid subscribers get them – per Sourcefire.

But maybe that’s not a bad thing. Free also means inconsistent and unreliable. The adage that you get what you pay for comes to mind…