
RE: [Snort-users] Cisco IDS

This is a discussion on RE: [Snort-users] Cisco IDS within the Snort forums, part of the System Security and Security Related category.
#1, 01-19-2005
John Hally
RE: [Snort-users] Cisco IDS

Thanks Theodore,

That wasn't so bad, I figured I'd get flamed for posing the question :-)

Actually, I have no problem building Snort, and have used it since v1.8 with
good results. The main problem I have is a couple of things.

First, no real good mgmt interface. Snort Center was great, but it's fallen
on hard times, and you can't get anything but 2.0 to run on it without doing
a lot of php hacking, and I just don't have the time. For a php developer,
I'm sure it can be done, but I'm the biggest hack, so it would take a lot
more time for me.

Second, ACID is good, but there's no real correlation/mitigation. Sguil
looks like it's going to be something, but it's just a little young, and it
can be a pain to get working. I haven't tried BASE, though it looks like
it's basically the same thing.

I love the idea of RNA. I've played around with p0f recently, and even at a
low level, the idea of passive OS identification is slick. I'm guessing at
some point someone will hack up a version of p0f to attempt to detect
applications as well. Any of you Sguil guys out there, feel free to
incorporate this in as well ;-)

Defense Center would be OUTSTANDING at the price they want, if their Snort
agent allowed you to manage your home-grown sensors as well as accept their
alerts, but it doesn't. I guess at least I can't complain too much. At
least I could leverage what I have on some level. They have to make money
too, otherwise no one would buy sensors.

BTW - Sourcefire list pricing is comparable to Cisco's, it's just that
depending on your relationship w/Cisco, they can practically give it away if
they want. They have purchased Okena, and I believe at least another
security-centric company, so at some point I'm guessing that their IDS
solution will change for the better.

I feel that Snort/Sourcefire is better hands down, but wanted to see what
the group had to say.

Thanks again for the reply.

-----Original Message-----
From: Theodore Stout [mailto:theodorestout@yahoo.com]
Sent: Monday, January 17, 2005 10:13 AM
To: John Hally; 'snort-users@lists.sourceforge.net'
Subject: Re: [Snort-users] Cisco IDS

Hello John,

Yeah, I have used Cisco IDS. In fact I used to sell
it. I used to sell ISS RealSecure too. Now I build
and sell Snort as well as Sourcefire.

So, which is better? I like Sourcefire a lot. It is
easy to use and fun.

After that, I am devoted to Snort. Love it. Great!
Have it at home.

Following this, I have to say that Cisco IDS is good
in conjunction with the 65XX class of switches. If
you need like +5Gig of throughput, this is a nice
solution.

However, I have always thought that IDS should not be
deployed in this manner. I suppose for an ISP this
would be useful; however, I still do not think it is
smart due to system degradation problems. Of their 1
gig devices, I do not think they have a better
solution than Sourcefire.

So I would go with Sourcefire if you have the budget
and want 250meg to 1 Gig throughput. However, for other
purposes, Snort is quite good. Additionally, if you
don't have the skills to actually build Snort using
Fedora Core or OpenBSD, then using Sourcefire is my
suggestion since it is just so easy for normal admins
to use. However, if you've got the skills, or your staff
has the skills, consider Snort as well.

It is also worth pointing out that with Cisco, the
signatures really are dependent on your maintenance
contract with your vendor. With Snort, you get that
stuff for free.

Hope that helps,

Theodore Stout, CISSP
CCSP, CCNP, CCIP
ISS MSS Engineer
(Yeah I studied too much.....)

--- John Hally <JHally@epnet.com> wrote:

> Hello Group,
>
> Out of curiosity, has anyone had any experience with
> Cisco's IDS? I'm curious how Snort stacks up in
> strengths/weaknesses including Sourcefire's
> commercial products.
>
> Thanks in advance!

Snort-users mailing list
Snort-users@lists.sourceforge.net