#1

Is it worth paying $10,000 for source fire to make using SNORT easier?
Does using source fire with SNORT make SNORT a middle weight IDS solution as opposed to a lightweight?

http://www.insecure.org/tools2000.html

_Or_ is it worth the time and energy to write your own scripts and updates.

Dan

#2

"Dan" <> wrote in message news:Zb-dnVqkX42Kh2GiRVn-...
> Is it worth paying $10,000 for source fire to make using SNORT easier?
> Does using source fire with SNORT make SNORT a middle weight IDS solution as
> opposed to a lightweight?
>
> http://www.insecure.org/tools2000.html
>
> _Or_ is it worth the time and energy to write your own scripts and updates.

IMHO. Let's say that again: "IMHO"

Any IDS tool (or something that acts as an IDS tool) is only useful if someone can act on the results.

Not sure where $10k came from..? It's an interesting interface to LibPCap, isn't it? Just like Ethereal?

Are you looking at buying-in a monitoring service, or deploying something yourself?

Did I miss something about Commercial licensing? Please point out where the shoe's going to drop.. ;o)

H1K

Hairy One Kenobi

#3

"Dan" <> wrote in message news:Zb-dnVqkX42Kh2GiRVn-...
> Is it worth paying $10,000 for source fire to make using SNORT easier?
> Does using source fire with SNORT make SNORT a middle weight IDS solution as
> opposed to a lightweight?
>
> http://www.insecure.org/tools2000.html
>
> _Or_ is it worth the time and energy to write your own scripts and updates.

No! A friend of mine bought a Sourcefire box for their school. The thing was a waste of money. They had to send it back at least two times for repairs. It never worked properly.

If you're going to use Snort, just save your money and build your own system. Or use a different IDS entirely.

Alex

Alexander Delarge

#4

In article <Zb-dnVqkX42Kh2GiRVn->, bitsandbytes88@hotmail.com says...
> Is it worth paying $10,000 for source fire to make using SNORT easier?
> Does using source fire with SNORT make SNORT a middle weight IDS solution as
> opposed to a lightweight?
>
> http://www.insecure.org/tools2000.html
>
> _Or_ is it worth the time and energy to write your own scripts and updates.
>

Set up snort to log to mysql then front end it with acid. If you need help with the setup, there are half a dozen open source front ends to help.

If you are willing to put in the config time, you can build a very nice solution from snort with remote probes at all ingress and egress points centrally logging with a nice web interface for analyzation of results all from freely available software. I've done such for a number of larger companies with excellent results. Spend the money on hardware.

/steve

--
You simply cannot get more server side control of your e-mail without running your own mail server and knowing how to program.
http://www.cotse.net/privacyservice.html

Stephen K. Gielda

#5

On Wed, 07 Jan 2004 09:39:19 -0500, Dan wrote:
> Is it worth paying $10,000 for source fire to make using SNORT easier?
> Does using source fire with SNORT make SNORT a middle weight IDS solution as
> opposed to a lightweight?
>
> http://www.insecure.org/tools2000.html
>
> _Or_ is it worth the time and energy to write your own scripts and updates.

You may be confused about "lightweight IDS". The term refers to the adaptability/flexibility of the program, not its capability. In other words, snort runs on multiple platforms, is relatively easy to set up and doesn't require lots of power from the host system.

Can't speak for the price you quote but Sourcefire sells hardware solutions using snort plus technical support. You can roll your own rather easily if you have someone available with good network/security skills. Updated signatures are available from a variety of sources; you can also create or modify existing signatures, unlike many proprietary IDS systems.

John