lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Fri Dec  9 15:03:38 2005
From: pmelson at gmail.com (Paul Melson)
Subject: Snort as IDS/IPS in mission-critical
	enterprisenetwork

-----Original Message-----
Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical
enterprisenetwork

> ....and fix all the off-by-ones in the code if you run it on an old linux
distro, oh, and 
> audit the preprocessors for more cracking overflows lol
>
> Would be a terrible shame to loose your network because of your IDS.

You're totally right that there have been some serious vulns found in Snort
preprocessors recently, which is bad.  But I would hate for anyone to get
the impression (not that you intended it) that Snort is somehow worse than
other network IDS products out there when it comes to its own security.  

There have been and continue to be bugs and vulns in all of the major IDS
products on the market today - and the minor players are often worse still -
that have no business being there. In two separate instances I have
contacted a vendor and had them admit to knowing about the bug.  Neither had
plans to release a patch for it, just wait for the next minor release and
fix it quietly.  And my personal favorites; "Our product was never intended
to be deployed outside the firewall." and, "The sensors and managers should
be on their own private network."  


> > Most "enterprise" IDS products are built upon Snort code my friend. 
> > Snort is definately ready for whatever type of environment you put it 
> > in. Just make sure you follow the snort mailing list from time to time 
> > to keep up on new signatures that may not be added to the snort release.

Remember RealSecure TRONS? :)

Anyway, to the guy contemplating Snort vs. RealSecure, I have the following
advice:  Try both.  With the proper hardware and admin skills, Snort can be
stable and effective in an enterprise environment.  Plus, the price is
right.  I think that what you'll find is that RealSecure gives you the easy
management and scalability that is a challenge with Snort.  But you may
decide that your environment needs something that can be easily tweaked and
customized and that you're willing to do the tuning work to get the details
you want from your IDS, which is where Snort is stronger.

PaulM

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ