[Snort-users] Snort Vs Cisco

Tom Vandepoel Tom.Vandepoel at ...271...
Mon Oct 9 03:49:06 EDT 2000

Erik Engberg wrote:
> I must admit I haven´t even looked at a CiscoSecure in about 6 months or so,
> but I have worked with them and I´m certified (when it was still NetRanger).
> There may have been developments in CiscoSecure that I´m not aware of.
> Some good points:

> 2) Cisco uses HP openview (if they haven´t moved the IDS into their ACS yet)
> and it plain sucked to managed alarms. We fired up some automatic
> exploit/scanner scripts to generate a few thousand alarms and it
> "overflowed" the console with icons (one icon per alarm)

Well you can redirect them to a logfile or external program, but
basically, yes, the gui is *very* irritating.

> 6) In snort, you have full control over signatures, maybe you don´t have
> regexp or some of the "really cool advanced analysis". But you have speed
> and you can always get/write your own preprocessor. With a Cisco you are
> stuck with the sigs that come with it (some 200 awful ones this spring) and
> you can do some regexp matching, although put in quite a few of those and it
> gets sloooow.

The frequency of updates that you get from cisco is extremely low,
resulting in a not very up to date set of rules. Because you don't have
real control over the sigs (you can't even view what the builtin sigs
are triggered on) the amount of falses is fairly high in practice, again
making the device less effective because you tend to ignore it after a
while ;-)

Of all the NIDS products I know, I like Cisco's one the least. They're
basically selling this because it's branded 'cisco', not because it's a
good product. 

There are good commercial IDS's out there (AFJ, Realsecure) but if you
want to be really up to date with your ruleset, stick to snort. 



Tom Vandepoel
Sr. Network Security Engineer

tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2884 bytes
Desc: S/MIME Cryptographic Signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001009/ad0abbd4/attachment.bin>

More information about the Snort-users mailing list