[Snort-devel] Re: IDS Systems (fwd)

Fyodor fygrave at ...1...
Thu Oct 5 19:22:53 EDT 2000

:) I think these comments are interesting :)

---------- Forwarded message ----------
Date: Thu, 5 Oct 2000 13:29:25 -0600
From: Wozz <wozz+openbsd at ...73...>
To: dreamwvr <dreamwvr at ...74...>
Cc: openbsd-misc at ...75..., misc at ...76...
Subject: Re: IDS Systems

On Thu, Oct 05, 2000 at 10:40:04AM -0600, dreamwvr wrote:
> hi,
>    IMHO snort is definitely one of the best open IDSs whereas NFR is most 
> likely the best commercial. the n-code language is very powerful component 
> that makes NFR the tool of choice for going deep.. so it depends how 
> much further than snort or tcpdump you want to go.. as well it depends on 
> your budget. if you have one for a co then use both .. or if you want to 
> do it all using open then use snort. got the choice to just pick and choose
> then use both.. 

I've got to get my $0.02 in.  I've used NFR for about a year now,
and I'm switching to Dragon (www.securitywizards.com).  I lose the
n-code, which is really nice, but I gain access to all sorts of
data that I'd have to write custom code for in NFR.  Dragon is
signature based, like Snort, but has several modules that do further
pre-processing of data (snort has this capability, but not as much
functionality as the Dragon modules do) to make signature matching
more accurate.  NFR makes a great IDS if you have a full time person
programming it.  For those of us without the budget/time for that
programming, Dragon fits the bill nicely.  Plus, I've found the
Network Security Wizards people to be much more accessible when I
have questions.  Stability-wise, Dragon wins hands down.  NFR's
probes would crash due to network load (which is solvable by trimming
your filters) and the server would never notice it was down.  I had
one that was down for days before I noticed there was no data coming
from it.   Also, while I understand the appliance approach of NFR,
I much prefer having the choice of installing my own OS (OpenBSD
is Dragon's recommended platform, but it also works on Solaris and
FreeBSD) and therefore having extra tools (tcpdump for example) to
further diagnose incidents.   I can strip my own OS thank you ;).
Dragon also has a host-based intrusion detection piece (Dragon
Squire) which will watch files for checksum changes, parse syslogs
with regexps, etc.  In the end, either works, but Dragon makes the
management of the data much easier, and therefore makes our intrusion
detection much more effective.

(FWIW, NFR 5.0 addresses some of my concerns, but it was too little too
late for me)
