Full Disclosure mailing list archives

Re: Snort as IDS/IPS in mission-critical enterprise network


From: Mark <fd () mchsi com>
Date: Sun, 11 Dec 2005 22:43:42 -0600

Native.Code wrote:
> Dear all,
>
> Thanks for valuable input. It was very much appreciated. I kind of get the
> impression that Snort is a very stable product but it needs a lot of effort
> configuring, monitoring and customizing.

This is very true. And, I suspect, it is true of any IDS.  If you have
any kind of sizable network no IDS can be pre-packaged that will work
perfectly for your network.  They are all going to need "a lot of effort
configuring, monitoring and customizing" if you are going to do it
correctly.  I don't see how it could be any other way, because they
don't know your network.

> We will definitely give it a try. I
> assume I did not mention, we will be using Windows binary. Is this as stable
> as Linux version?

I doubt it would be as stable.  Do you have a reason for using a Windows
binary?
> Some of you mentioned that many commercial products are based on Snort.
> Can anyone name another product besides those from Sourcefire?

If you are looking for something outside of Sourcefire I would consider
Sentarus from demarc.com.  I was really happy with their PureSecure
product before they discontinued it.  But, when they told us it would be
10X the price to upgrade to Sentarus we started looking elsewhere and
ended up with the Sourcefire products with mixed results.  (Their RNA
software is not even close to what it's cracked up to be.)

But, now that Sourcefire has pretty much locked up the signature
database, demarc.com has drastically reduced their pricing on their
Sentarus product.

Kind of underhanded on Sourcefire's part in my opinion.  But, business
is business I guess.  I just thought Marty was above that.

--
Mark
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
