[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <003901c5fcd1$b745da60$4f20320a@ad.priorityhealth.com>
Date: Fri Dec 9 15:03:38 2005
From: pmelson at gmail.com (Paul Melson)
Subject: Snort as IDS/IPS in mission-critical
enterprisenetwork
-----Original Message-----
Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical
enterprisenetwork
> ....and fix all the off-by-ones in the code if you run it on an old linux
distro, oh, and
> audit the preprocessors for more cracking overflows lol
>
> Would be a terrible shame to loose your network because of your IDS.
You're totally right that there have been some serious vulns found in Snort
preprocessors recently, which is bad. But I would hate for anyone to get
the impression (not that you intended it) that Snort is somehow worse than
other network IDS products out there when it comes to its own security.
There have been and continue to be bugs and vulns in all of the major IDS
products on the market today - and the minor players are often worse still -
that have no business being there. In two separate instances I have
contacted a vendor and had them admit to knowing about the bug. Neither had
plans to release a patch for it, just wait for the next minor release and
fix it quietly. And my personal favorites; "Our product was never intended
to be deployed outside the firewall." and, "The sensors and managers should
be on their own private network."
> > Most "enterprise" IDS products are built upon Snort code my friend.
> > Snort is definately ready for whatever type of environment you put it
> > in. Just make sure you follow the snort mailing list from time to time
> > to keep up on new signatures that may not be added to the snort release.
Remember RealSecure TRONS? :)
Anyway, to the guy contemplating Snort vs. RealSecure, I have the following
advice: Try both. With the proper hardware and admin skills, Snort can be
stable and effective in an enterprise environment. Plus, the price is
right. I think that what you'll find is that RealSecure gives you the easy
management and scalability that is a challenge with Snort. But you may
decide that your environment needs something that can be easily tweaked and
customized and that you're willing to do the tuning work to get the details
you want from your IDS, which is where Snort is stronger.
PaulM
Powered by blists - more mailing lists