Comment Several comments (Score 2, Informative) 125
I just got in from a busy day and what do I find but a little Snort action on ole Slashdot...
So, I've got a few comments about the comments:
Snort signatures and the quality thereof. Anyone who complains about the quality of Snort signatures is a lazy bastard, they're open source and easy to modify, if you find that much wrong with them make the appropriate changes and mail them back to me or Brian Caswell, our own official Snort Rules Nazi. Just because we write Snort sigs doesn't mean you have to use them, the original concept behind Snort and the rules files that came with the distro was that the users could look at examples of how to write them and develop their own set for the site they were protecting. This has gotten way out of hand over the past three years and has blossomed into the approximately 1300 rules we have now. The quality isn't always the best, but we're working on it (and if you've been tracking them over the past 6 months they've gotten much better.
Performance. People from ISS talking about the superior performance of their solution is laughable, it's been shown repeatedly in third party IDS roundups that Snort performs on par with or better than almost all of the other commercially available NIDS solutions out there. In fact, I know of one large entertainment company that sank a decent chunk of money into hardware that's running Snort at OC-12 speeds on their network successfully with no packet loss at all. Moral of the story? IDS performance is tied directly to the configuration and horsepower of the sensor hardware. No big revelations there. The fact of the matter is that's Snort's capabilities and performance keep increasing as we continue to develop it. We're also about to revisit some major architectural components of the system as we begin development on Snort 2.0 this month, but that's a different topic...
Love Snort but need a commercial company to back it? Check out Sourcefire, a company that I founded this year precisely to do that. We are selling network IDS appliances complete with a web-based GUI, data analysis console, and full blown configuration management system built in. We're also working on a Management Console appliance that will allow you to deploy and manage a distributed Snort NIDS infrastructure and manage all the data that comes out of the system and perform multi-sensor correlation.
Rapid response. When the shit hits the fan on the Internet, Snort is usually the leader in getting out new sigs to the user community. Case in point, the W32/Voyager MS SQL worm that recently came out, we were the first with sigs to pick it up.
So in the end, Snort gives you speed and accuracy (in that I mean you can identify specific exploits very precisely), has an active development and user community and is flexible to meet users needs. I think that this is a really good combo for most people's needs. Now that Sourcefire is out there, I think that the needs of "pro" users can be satisfied as well as those of the open source world.
On the other hand I might be biased, as I did write the thing...
-Marty
