Snort mailing list archives
RE: re: 1. Network World IDS report (Jason Haar)
From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Thu, 27 Jun 2002 14:23:04 -0400
<2 cents>

I'd never read that magazine before, and after this article, I never will again. How many 'network professionals' wouldn't tune a sensor on deployment and would even consider placing a vanilla system live on the Net and waiting for complaints??? One of the key goals of any 'honeypot' deployment is the control of activity and the acceptance of responsibility for allowing an attacker to use it as a launching pad.

WRT Snort itself ... on my Government IIS Web site, I have never had snort hang, crash, or even report dropped packets. The only problem I have experienced with a running sensor to date are some database errors citing duplicate entries, but since snort logs activity locally, I find this a minimal threat since the base IDS itself is still functioning.

Even the sensors on my development LAN keep up with my constant whiskers, nmaps and other pen-testing. Should I ignore myself, maybe, but my point is those sensors have *never* crashed or hung. My Dev Lan doesn't even have a dedicated sensor, that same 'node' also does host monitoring and off-line log analysis.

Does snort take some expertise??? Of course. Would I trade it for a commercial system to placate my managers and limit my functionality and flexibility? NEVER! I've used a total of 3 commercial IDS systems and wouldn't trade Snort for the world.

IMHO this article is a complete joke.

</2 cents>

Regards,
John Hicks
Electronic Communications Coordinator
Canadian Firearms Centre
http://www.cfc-ccaf.gc.ca

-----Original Message-----
From: Joe Pampel [mailto:joe () ardsley com]
Sent: Thursday, June 27, 2002 10:28 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] re: 1. Network World IDS report (Jason Haar)

Thanks for the heads up Jason! uh oh.. feel a rant coming on!

<rant>

It just bums me out that they kinda short-changed Snort two, well really 3 ways:

1. By having it misconfigured during that one test you don't know if it would have detected the SYN flood..
2. They use the lack of a GUI and event correlation as a "con" at the end.. In 3 months of working on Snort they've never heard of ACID or IDS Center or DMARC or or.. Let alone SPADE? C'mon guys!! Who are they writing for?
3. If the load is a problem, you get a bigger box. <a big rousing "thank you Dr. Von Braun!"> Part of the package with an OS implementation.. they also didn't say what they ran Snort on. Did I miss that part? (BSD? Win32? Redhat? Solaris? i386?)

I have had Snort crash on me once the past 18 months, and that's running on NT4, multiple sensors (3MB internet & 100MB/switched LAN) and I think it was Windows that dropped the ball, not Snort... As soon as I become a better nixer that box will be BSD for sure.

Are they afraid of giving it too high marks and angering advertisers? Nah, that never happens.

</rant>

Just call me Jaded.
- The net admin formerly known as Joe.

Message: 1
Date: Thu, 27 Jun 2002 11:17:06 +1200
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Organization: Trimble Navigation New Zealand Ltd.
Subject: [Snort-users] Network World IDS report

http://www.nwfusion.com/techinsider/2002/0624security1.html

Good read I feel. Sums up the biggest problem with IDS today (false positives - or information overload). Interesting to see how almost all these commercial IDS systems crashed under load... :-)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.

-------------------------------------------------------
Sponsored by: ThinkGeek at http://www.ThinkGeek.com/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- re: 1. Network World IDS report (Jason Haar) Joe Pampel (Jun 27)
- <Possible follow-ups>
- RE: re: 1. Network World IDS report (Jason Haar) Hicks, John (Jun 27)
- RE: re: 1. Network World IDS report (Jason Haar) Detmar Liesen (Jun 27)