Re: Total Cost of Ownership for Snort Implementation?

[twig les <twigles () yahoo com>]

I've said this before on this list but it bears repeating. 
NEVER get an IDS that doesn't allow you to look at the actual
signatures.  You want to factor TCO?  Try spending 30 minutes
trying to figure out what set off a single signature with a
combo of tcpdump and netcat.  Even then you aren't really sure.

--- Derek Glidden <dglidden () illusionary com> wrote:
> On Wed, 2003-06-18 at 10:11, Bennett Todd wrote:
> > 2003-06-18T01:45:44 Nicholas Brawn:
> > > [...] I've been approached to put together some
> information on the
> > > TCO of implementing Snort at 5-10 locations throughout our
> network
> > > (internal and perimeter).  We're going to be comparing
> this to the
> > > TCO for implementing a commercial solution.
> >
> > That's enough boxes that I'd base the snort TCO estimate on
> > building and configuring boxes, deploying them, tuning them,
> > organizing alerting and/or reporting to meet your needs, and
> > updating sigs. Hardware costs are in the noise. How
> expensive is it?
> > Depends entirely on the skills you have available to build
> on. If
> > you have folks who are really good at configuring
> appliance-style
> > devices, automating their building and rebuilding,
> automating
> > distribution of config updates and collection of alerts,
> etc. then
> > snort can be an amazing winner.
> >
> > If on the other hand you don't have folks who are
> experienced at
> > organizing an automated appliance build/maint process around
> open
> > source tools, then getting an appliance from a vendor is
> liable
> > to be a better value. Note that Snort is available on that
> basis
> > as well as do-it-yourself free open source. Sourcefire sells
> and
> > supports appliances built on Snort.
>
> "What he said."   :)
>
> We've been an ISP/consulting shop for a number of years based
> around
> Linux, so we have the infrastructure.  I spent some time
> building some
> scripts around the snort engine to handle things like alerting
> and
> reporting that it doesn't do itself, and a certain amount of
> regular
> maintenance, and now our "cost" for deploying a new sensor is
> literally
> the cost of the hardware plus about 30 seconds of time to put
> the
> hostname in a config file to have the packages installed and
> maintained.  Up-front, I maybe spent 80-100 hours over a month
> or so,
> but for a final result, we now have several dozen snort
> sensors deployed
> throughout our and our customers' environments and they
> effectively
> manage themselves.  
>
> As Bennett said, the open nature of Snort makes it really easy
> to pull
> it into any existing infrastructure you may have, if you have
> someone
> who can do it.  And we're proof that you *can* build an
> infrastructure
> around it that makes it essentially hands-off once you get it
> all sorted
> out.  (And we know it works in a "real-world" situation
> because we've
> been getting woken up with pages this week as one of our
> customers
> started doing intrusion testing on their network without
> informing us of
> the fact.)  For only 5-10 installations, it may not be worth
> the
> up-front effort, although on the flip side, you may not need
> the amount
> of effort we put into the project.
>
> As Bennett also said, if you don't have the expertise
> in-house, or you
> don't have a large enough deploy to make it worth the trouble,
> you can
> always go with Sourcefire.
>
> -- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> "We all enter this world in the    | Support Electronic
> Freedom
> same way: naked; screaming; soaked |       
> http://www.eff.org/
> in blood. But if you live your     | 
> http://www.anti-dmca.org/
> life right, that kind of thing    
> |---------------------------
> doesn't have to stop there." -- Dana Gould
>
>
>
>
>
> -------------------------------------------------------
> This SF.Net email is sponsored by: INetU
> Attention Web Developers & Consultants: Become An INetU
> Hosting Partner.
> Refer Dedicated Servers. We Manage Them. You Get 10% Monthly
> Commission!
> INetU Dedicated Managed Hosting
> http://www.inetu.net/partner/index.php
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users


=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.       
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com


-------------------------------------------------------
This SF.Net email is sponsored by: INetU
Attention Web Developers & Consultants: Become An INetU Hosting Partner.
Refer Dedicated Servers. We Manage Them. You Get 10% Monthly Commission!
INetU Dedicated Managed Hosting http://www.inetu.net/partner/index.php
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users