Snort mailing list archives
RE: Snort comparisons
From: "Cavey, Mark A." <mark_a_cavey () md northgrum com>
Date: Mon, 20 May 2002 11:46:11 -0700
Here's some info that I've been using as a foundation for an OpenSnort vs RealSecure document. I'm in the same position in which I'm trying to convince management about OpenSnort over ISS RealSecure. Hope it helps!

Sourcefire, Inc. OpenSnort Sensor

Developed by the creators of the original Snort IDS, Sourcefire's OpenSnort Sensor is an appliance-based network intrusion detection system that performs real-time traffic analysis, packet logging and alerting on IP networks. Sourcefire leverages the stability and performance of the open source Snort intrusion detection engine with the convenience and support of a commercial product. OpenSnort Sensor builds on the valuable contributions of the open source model by offering an easy-to-use, fully supported appliance version of Snort. There are several key areas where OpenSnort Sensor technology outshines the competition. This document is not intended to compare any specific vendor to Sourcefire.

FLEXIBILITY & CUSTOMIZATION

By providing an open source rule language, OpenSnort Sensor allows administrators to write and edit rules, easily reducing false positives and detecting organization-specific threats. Additionally, administrators can view alerts in a variety of formats, including the payload of packets triggering alerts. OpenSnort Sensor also allows restricted access, allowing users to analyze traffic while denying them access to configuration options.

ICMP TRAFFIC HANDLING

Attackers regularly use ICMP toolkits to scan the networks they wish to expose. It is important to be able to recognize these scans; however, many IDSs handle this traffic by sending an alert that a Traceroute has occurred. This can result in inaccurate information -- a toolkit that uses ICMP to scan a network is completely different from a Traceroute, and security analysts can react more appropriately if they are given more detailed information.

OpenSnort Sensor addresses this by providing an extensive library of ICMP rules. OpenSnort Sensor provides users the ability to see exactly what kind of ICMP activity is occurring on the network. In some instances, a security analyst may not want to see alerts on most of the ICMP traffic. OpenSnort Sensor provides the ability to alert on specified types of ICMP traffic. For example, a rule can be written to alert on ICMP traffic that is not generated from internal routers. Sourcefire has an experienced team dedicated to continually enhancing the detection engine as well as writing new and optimizing existing rules. This effort, along with that of the open source community, enables OpenSnort Sensor to have the most comprehensive set of ICMP rules available. Here are a few examples of OpenSnort Sensor ICMP rules.

  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer Pro/NetXRay network scan"; itype:8; content:"|43696e636f204e6574776f726b2c20496e632e|"; depth:32; sid:484; classtype:misc-activity; rev:2;)

  alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2 Windows"; content:"|aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa|"; itype:8; depth:32; reference:arachnids,154; sid:483; classtype:misc-activity; rev:2;)

SESSION TAGGING AND RECORDING

OpenSnort Sensor allows administrators to "trap and trace" someone or something that has generated an alert. This powerful capability enables the sensor to record follow-on information for further analysis instead of just the attack itself. This feature allows users to see what happens after an alert is triggered even if it causes things that wouldn't normally be picked up. For example, when an IMAP buffer overflow is detected, OpenSnort can start logging all the traffic coming from the source host of the packet that set off the alert for the next 5 minutes.

STABILITY AND PERFORMANCE

OpenSnort Sensor is the most stable and robust IDS on the market and has a strong self-preservation mechanism built into it. It operates in a "probabilistic defense" mode when there is heavy traffic on the network. OpenSnort Sensor frees up memory by randomly deleting sessions. This prevents attackers from predicting which sessions will be removed; hence they can never be sure if their sessions are seen. OpenSnort Sensor also has the most powerful and robust code for TCP stream reassembly and IP defragmentation. This is normally where most IDSs crash.

FILTERS

Snort supports TCPdump filters, which help eliminate traffic that does not require inspection. For example, if an administrator does not want to inspect SSH traffic, OpenSnort Sensor can be instructed to ignore SSH connections by using a TCPdump filter of "not port 22". By utilizing TCPdump filters Sourcefire once again harnesses the power of the open source community. Users can create their own filters, or get filters from the vast open source community.

FORENSIC EVIDENCE

OpenSnort Sensor displays packet payloads of traffic that generates alerts. This level of detail enables administrators to more quickly and easily determine if an alert signifies an attack. Without the full information users cannot make that determination.

MANAGEMENT

OpenSnort Sensor is easy to install and deploy. An easy-to-use web-based interface is provided for:

· Data and forensic analysis
· Rule creation, loading and management
· User, disk and sensor management
· Network and alert configuration
· Database queries, packet display and report generation

In addition, Sourcefire offers OpenSnort Management Console, which enables:

· Correlation of events and packet logs from multiple sensors
· Advanced analysis capabilities using aggregated data
· Database query generation and storage
· Data sharing and cooperative analysis of network incidents

OPEN SOURCE MODEL

Sourcefire believes that the open source model produces the best code. The Snort user community is made up of some of the best security people in the world: university PhDs, software developers, and security experts. The more people that have access to the source code and can employ their expertise to examine it, the fewer secrets are embedded in the code and the harder it is to compromise that code by hiding backdoors, bugs or other security-threatening code in it. Bugs rarely stay hidden when exposed to thousands of experienced programmers who carefully scrutinize every line of code and who use the Snort engine in an expansive variety of environments. The Snort community is growing daily. Sourcefire supports the Snort community by putting resources back into it. Sourcefire currently enables and oversees new releases of the Snort engine through the open source model.

The popularity and acceptance of Snort throughout the world is impressive. It is currently the most widely deployed intrusion detection system worldwide. The Snort open source community is a highly organized community. Aside from the seasoned developers at Sourcefire, there are thousands of experienced programmers adding to the functionality and rule sets. Their contributions can be seen on the numerous mailing lists and web sites. Users can learn more about the community and these sites at http://www.snort.org/.

Individuals participating in open source projects take great pride in finding or fixing problems. These recognitions are coveted by open source developers. Just as these users want to claim credit for their contributions, the Sourcefire developers, who are known by their peers and not hidden behind a corporate logo, have added incentive to create top-notch software. Sourcefire provides the technical expertise of a full engineering and support team as well as the ongoing scrutiny, reporting and expertise of programmers throughout the world.

While the open source model does have its opponents, their legitimacy is waning. Source code can be restricted, but that does not keep it hidden. Any code can be reverse engineered so that its vulnerabilities can be discovered. One does not even have to be an experienced coder to find the vulnerabilities. The Internet is loaded with sites maintained by individuals who have uncovered and published these vulnerabilities. Users of closed source software feel a false sense of security and are dependent upon the vendors to identify and fix bugs and to generate new rules and signatures to alert on new types of attacks. Sourcefire's OpenSnort Sensor runs on technology that reaps the benefits of both a paid, experienced engineering team as well as thousands of experts around the world analyzing, testing, and fixing the code, and creating new rules.

-----Original Message-----
From: Tim Prendergast [mailto:tprendergast () ReserveAmerica com]
Sent: Monday, May 20, 2002 2:35 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Snort comparisons

Greetings,

I'm seeking any information people have on Snort vs Cisco NetRanger comparisons that may have been done professionally or for educational reasons. I'm seeking as much info as possible to provide a fair comparison of the two products to my organization for IDS solutions. We don't need gigabit performance or anything, something that does 100Mbps would be fine for a lonnnnggg time. I'm a big fan of Snort, but need more data to back my position. I'd appreciate it if anyone could help.

Thanks,
Tim Prendergast
tprendergast () reserveamerica com
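The three rule-language features the Sourcefire document above describes in prose (an ICMP rule that stays quiet for internal routers, the tag option behind "trap and trace", and a tcpdump/BPF filter that keeps SSH out of the inspection path) as one worked snort.conf fragment. This is an added example, not code from the archived message or from Sourcefire's OpenSnort Sensor; the addresses, the INTERNAL_ROUTERS variable, the body of the IMAP rule and the sids in the local 1000000+ range are assumptions chosen for illustration.

```snort
# Added example (not from the original post): a minimal snort.conf fragment
# exercising the features the Sourcefire document describes.
# All addresses and the INTERNAL_ROUTERS list below are assumed values.

var HOME_NET 192.168.1.0/24
var EXTERNAL_NET !$HOME_NET
# Routers that legitimately originate ICMP echo requests (assumed list).
var INTERNAL_ROUTERS [192.168.1.1,192.168.1.2]

# ICMP handling: alert on echo requests (itype 8) from any source that is
# NOT an internal router. The "!" negates the address list, so pings from
# the routers themselves never produce an alert.
alert icmp !$INTERNAL_ROUTERS any -> $HOME_NET any (msg:"ICMP echo request not from an internal router"; itype:8; classtype:misc-activity; sid:1000001; rev:1;)

# Session tagging ("trap and trace"): once this rule fires, every packet
# from the offending source host is logged for the next 300 seconds
# (the 5 minutes mentioned in the document), whether or not any other
# rule matches it. The match itself (an oversized IMAP LOGIN command) is a
# hypothetical placeholder, not Sourcefire's actual IMAP overflow rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 143 (msg:"IMAP LOGIN oversized argument (example)"; flags:A+; content:"LOGIN"; nocase; dsize:>1024; tag:host,300,seconds,src; classtype:attempted-admin; sid:1000002; rev:1;)

# Filters: a BPF expression is given to Snort after its options on the
# command line (or read from a file with -F). Packets the filter rejects
# are dropped by libpcap before any preprocessor or rule sees them.
# To skip SSH entirely, as in the document's "not port 22" example:
#
#   snort -c snort.conf -i eth0 not port 22
```

Two practical notes on the design. Tagged packets are written through the configured output/log plugins, not the alert facility, so the "trap and trace" data only survives if packet logging is enabled on the sensor. And because a BPF filter discards packets before stream reassembly runs, it should only exclude traffic you are certain you never want reassembled or inspected; excluding a port that an application also uses for attacks removes the sensor's visibility into it completely.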
Current thread:
- Snort comparisons Tim Prendergast (May 20)
- <Possible follow-ups>
- Re: Snort comparisons Piotr Bulczak (May 20)
- RE: Snort comparisons McCammon, Keith (May 20)
- RE: Snort comparisons Cavey, Mark A. (May 20)