Full Disclosure mailing list archives
RE: Snort as IDS/IPS in mission-critical enterprisenetwork
From: "Paul Melson" <pmelson () gmail com>
Date: Fri, 9 Dec 2005 10:03:29 -0500
-----Original Message-----
Subject: Re: [Full-disclosure] Snort as IDS/IPS in mission-critical enterprisenetwork

...and fix all the off-by-ones in the code if you run it on an old Linux distro, oh, and audit the preprocessors for more cracking overflows lol
Would be a terrible shame to lose your network because of your IDS.
You're totally right that there have been some serious vulns found in Snort preprocessors recently, which is bad. But I would hate for anyone to get the impression (not that you intended it) that Snort is somehow worse than other network IDS products out there when it comes to its own security. There have been and continue to be bugs and vulns in all of the major IDS products on the market today - and the minor players are often worse still - that have no business being there. In two separate instances I have contacted a vendor and had them admit to knowing about the bug. Neither had plans to release a patch for it, just to wait for the next minor release and fix it quietly. And my personal favorites: "Our product was never intended to be deployed outside the firewall." and "The sensors and managers should be on their own private network."
Most "enterprise" IDS products are built upon Snort code, my friend. Snort is definitely ready for whatever type of environment you put it in. Just make sure you follow the Snort mailing list from time to time to keep up on new signatures that may not be added to the Snort release.
Remember RealSecure TRONS? :)

Anyway, to the guy contemplating Snort vs. RealSecure, I have the following advice: try both. With the proper hardware and admin skills, Snort can be stable and effective in an enterprise environment. Plus, the price is right. I think that what you'll find is that RealSecure gives you the easy management and scalability that is a challenge with Snort. But you may decide that your environment needs something that can be easily tweaked and customized and that you're willing to do the tuning work to get the details you want from your IDS, which is where Snort is stronger.

PaulM

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Snort as IDS/IPS in mission-critical enterprise network Native.Code (Dec 08)
- Re: Snort as IDS/IPS in mission-critical enterprise network none none (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network c0ntex (Dec 09)
- RE: Snort as IDS/IPS in mission-critical enterprisenetwork Paul Melson (Dec 09)
- New paper on theory of disclosure for security & competitive reasons Peter Swire (Dec 13)
- Re: Snort as IDS/IPS in mission-critical enterprise network coderman (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network c0ntex (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network Michael Holstein (Dec 09)
- RE: Snort as IDS/IPS in mission-critical enterprisenetwork Paul Melson (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprisenetwork Michael Holstein (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network none none (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprisenetwork sk (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network coderman (Dec 09)
- Re: Snort as IDS/IPS in mission-critical enterprise network Technica Forensis (Dec 09)