[Snort-users] Snort Vs Cisco

Erik Engberg Erik.Engberg at ...511...
Tue Oct 10 08:36:06 EDT 2000

>The frequency of updates that you get from cisco is extremely low,
>resulting in a not very up to date set of rules. Because you don't have
>real control over the sigs (you can't even view what the builtin sigs
>are triggered on) the amount of falses is fairly high in practice, again
>making the device less effective because you tend to ignore it after a
>while ;-)

This is more or less true for all commercial IDS I have worked

>Of all the NIDS products I know, I like Cisco's one the least. They're
>basically selling this because it's branded 'cisco', not because it's a
>good product. 

I agree.

>There are good commercial IDS's out there (AFJ, Realsecure) but if you
>want to be really up to date with your ruleset, stick to snort. 

Actually I haven´t tried AFJ (prohibitive price/extended NFR) but I have
worked with NFR and I must say although it´s one of the better IDS´s writing
sigs is powerful but to complicated and the gui/alarm management are weak
and unwieldy as well as 

I have extensive RealSecure knowledge (lots of implementation and I
instructed the certification course) and I must say that although it´s
perhaps the easiest and best IDS to get started it stays on the "lamerlevel"
as it is perhaps the most inflexible IDS I know next to BlackICE defender
(the home version for $40, but it works better than RS ;).
IMHO ISS lost all credibility after first doing so heavy a marketing then
not updating a single signature from december 99 (version 3.2.1) to july
31st 2000 (version 5, which is a totally weird version hop as almost
everything still is the same exept the flex updates, it should be 3.5).

Besides there are all sorts of annoying bugs and limitations as well as
several sigs that are plain faulty. Trying to get ISS to fix these issues
has resulted in nothing, even though  we have had "positive" indications
from them.

I am definately sticking to snort as development, stability, sigs,
flexibility et all and not least price are far better ;). And it runs on
OpenBSD, not inflexible NT ;)
I think that about the only thing missing from snort to really make it a
relly big "hit" is a decently powerful windows gui client so less unix &
technical oriented people can use it.
Are there any plans/projects for this?

There are pros & cons to this as well. Some say that less skilled people
shouldn´t/don´t know how to operate an IDS effectively anyway.




Tom Vandepoel
Sr. Network Security Engineer

tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium

More information about the Snort-users mailing list