[Snort-users] any support / plug-in / integration plan for HID
mkettler at ...4108...
Fri Jul 12 09:04:03 EDT 2002
Agreed wholeheartedly. Although the two are related conceptually, i.e. both
are used for security, the practical relationship in terms of integrating
the code or functionality is non-existent.

I guess I'm also a bit biased in that I too agree with the tenets of UNIX.
I've seen way too many Microsoftish "do everything, and do them badly"
applications (i.e. HTML editing in Word?) to take any pleasure at all in
these "Swiss Army knife" applications. If two tools are completely
different, putting them on a common handle doesn't do you any good, other
than making the tools easier to keep together, and harder to use. I'd much
rather eat with a knife and fork than a Swiss Army knife that has a knife
blade and a fork blade.

So no, snort should never include HIDS, firewall, email generation, GUI
graph generation, SMTP proxy-thru email virus scanning, HTTP proxies, nmap
or nessus type network scanning or anything else that doesn't belong as
part of a NIDS. The community is much better served by the snort devel team
focusing on making snort the best NIDS there is, and leaving tasks that
don't directly benefit from integration with snort as separate tools.
Integration of unrelated tools with a common interface is best left to
"control center" type applications.
At 01:26 AM 7/12/2002 -0500, Moyer, Shawn wrote:
>Prolly you got a lukewarm response because it's a question that's fraught
>with other issues.
>
>First, define what you mean by HID, since what this means changes on a
>vendor-by-vendor basis. Is what you want simply monitoring interfaces on
>hosts for bad traffic in addition to monitoring the whole network? If so,
>Snort can easily be run in non-promisc mode on individual hosts logging to
>a central server to get this.
>
>If you mean more in-depth monitoring of events at an app, kernel, stack
>write, and log level on hosts and such, I'd check out Dragon Squire or ISS
>Server Sensor (yes, I said the I-word, hugs and kisses to Klaus and co., I
>know they read this list, they have to get their ideas somewhere) if you
>want to pay money, get support, yadda yadda. I think Cisco has some crap
>that purports to do this as well.
>
>I've had pretty good luck myself with Syslog-NG, NTsyslog, Logcheck,
>Swatch, Tripwire, Samhain, (google for 'em or look on Sourceforge) and a
>number of other homebaked toys to do host IDS-ish things on boxes, and
>from what I understand you can push some of that data into the Snort DB
>for perusing in ACID if you're so inclined, although personally I haven't
>done it. There's also tons of other free auditing / logging tools out
>there for whatever OS you like, not to mention vendor docs on enabling
>stronger logging / auditing / security measures.
>
>The question is, what do you gain by integrating the two, other than
>navel-gazing? Let the host stuff do its thing, and the NIDS stuff do its
>thing, and as long as both of them make your pager go off at 3 in the
>morning when the fit hits the shan everybody's happy, right?
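Added example (not part of either message above): the quoted reply suggests running Snort per host in non-promiscuous mode and shipping alerts to a central server. The script below shows what the central side of that looks like: it parses Snort-style alert lines as they arrive through syslog, ignores unrelated syslog traffic, tallies alerts per sensor host and per source address, and picks out the Priority 1 events that would actually "make your pager go off". The sample lines, host names, addresses and SIDs are all constructed for this illustration; the field layout follows Snort's syslog alert output from memory and should be checked against the Snort version in use.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: what a central loghost might receive from per-host
# Snort sensors run with -p (no promiscuous mode) and -s (alerts to syslog).
# The field layout mirrors Snort's syslog alert format but is hand-written.
SAMPLE_SYSLOG = """\
Jul 12 03:01:12 web01 snort[2231]: [1:1000001:1] SSH brute force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:51000 -> 198.51.100.5:22
Jul 12 03:01:13 web01 snort[2231]: [1:1000001:1] SSH brute force attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 192.0.2.10:51001 -> 198.51.100.5:22
Jul 12 03:02:40 db01 snort[1877]: [1:1000002:1] MS-SQL probe [Classification: Misc Attack] [Priority: 2]: {UDP} 192.0.2.10:1234 -> 198.51.100.9:1434
Jul 12 03:03:05 web01 sshd[4002]: Accepted publickey for ops from 203.0.113.4 port 40022 ssh2
Jul 12 03:04:00 db01 snort[1877]: [1:1000003:1] ICMP ping sweep [Classification: Misc Activity] [Priority: 3]: {ICMP} 192.0.2.11 -> 198.51.100.9
"""

# One regex for the whole line: syslog prefix, Snort gid:sid:rev, message,
# classification, priority, protocol and endpoints (ports optional, e.g. ICMP).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?P<host>\S+) snort\[\d+\]: "
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alert(line):
    """Return a dict for a Snort alert line, or None for any other syslog line."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    return d


def parse_feed(text):
    """Parse a block of syslog text, keeping only the Snort alerts."""
    return [a for a in (parse_alert(l) for l in text.splitlines()) if a]


def summarize(alerts):
    """Per-sensor-host alert counts by message, plus a count per source IP.

    The per-source view is what the host sensors add over a single network
    sensor: the same source hitting several hosts shows up in one place.
    """
    per_host = defaultdict(Counter)
    per_src = Counter()
    for a in alerts:
        per_host[a["host"]][a["msg"]] += 1
        per_src[a["src"]] += 1
    return per_host, per_src


def page_worthy(alerts, max_prio=1):
    """Alerts at or above the paging threshold (lower number = higher priority)."""
    return [a for a in alerts if a["prio"] <= max_prio]


if __name__ == "__main__":
    alerts = parse_feed(SAMPLE_SYSLOG)
    per_host, per_src = summarize(alerts)
    for host, counts in per_host.items():
        print(host, dict(counts))
    print("sources:", dict(per_src))
    for a in page_worthy(alerts):
        print("PAGE:", a["host"], a["msg"], a["src"], "->", a["dst"])
```

The non-Snort sshd line is dropped by the regex rather than by a fragile string check, and the ICMP line parses because both port groups are optional; a stricter deployment would also tag each record with the sensor's interface name so alerts from a sensor in non-promiscuous mode can be told apart from a network-wide sensor feeding the same loghost.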