[Snort-users] re: 1. Network World IDS report (Jason Haar)

Hicks, John JHicks at ...5857...
Thu Jun 27 11:26:05 EDT 2002

<2 cents>
I'd never read that magazine before, and after this article, I never will
again. How many 'network professionals' wouldn't tune a sensor on deployment,
and would even consider placing a vanilla system live on the Net and waiting
for complaints???

One of the key goals of any 'honeypot' deployment is the control of activity
and the acceptance of responsibility for allowing an attacker to use it as a
launching pad.

WRT Snort itself ... on my Government IIS Web site, I have never had Snort
hang, crash, or even report dropped packets. The only problems I have
experienced with a running sensor to date are some database errors citing
duplicate entries, but since Snort logs activity locally, I find this a
minimal threat since the base IDS itself is still functioning.

Even the sensors on my development LAN keep up with my constant whiskers,
nmaps and other pen-testing. Should I ignore myself? Maybe, but my point is
those sensors have *never* crashed or hung. My Dev LAN doesn't even have a
dedicated sensor; that same 'node' also does host monitoring and off-line
log analysis.

Does Snort take some expertise??? Of course. Would I trade it for a
commercial system to placate my managers and limit my functionality and
flexibility? NEVER! I've used a total of 3 commercial IDS systems and
wouldn't trade Snort for the world.

IMHO this article is a complete joke.
</2 cents>


John Hicks
Electronic Communications Coordinator
Canadian Firearms Centre


-----Original Message-----
From: Joe Pampel [mailto:joe at ...3851...]
Sent: Thursday, June 27, 2002 10:28 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] re: 1. Network World IDS report (Jason Haar)

Thanks for the heads up Jason!

uh oh.. feel a rant coming on!

It just bums me out that they kinda short-changed Snort in two, well really 3,
ways:

1. By having it misconfigured during that one test, you don't know if it
would have detected the SYN flood..

2. They use the lack of a GUI and event correlation as a "con" at the end..
In 3 months of working on Snort they've never heard of ACID or IDS Center or
DMARC or or.. Let alone SPADE? C'mon guys!! Who are they writing

3. If the load is a problem, you get a bigger box. <a big rousing "thank you
Dr. Von Braun!"> Part of the package with an OS implementation.. they also
didn't say what they ran Snort on. Did I miss that part? (BSD? Win32?
Red Hat? Solaris? i386?) I have had Snort crash on me once in the past 18
months, and that's running on NT4, multiple sensors (3MB internet &
100MB/switched LAN), and I think it was Windows that dropped the ball, not
Snort... As soon as I become a better nixer that box will be BSD for sure.

Are they afraid of giving it too high marks and angering advertisers? Nah,
that never happens. 

Just call me Jaded.

- The net admin formerly known as Joe.

Message: 1
Date: Thu, 27 Jun 2002 11:17:06 +1200
From: Jason Haar <Jason.Haar at ...294...>
To: snort-users at lists.sourceforge.net 
Organization: Trimble Navigation New Zealand Ltd.
Subject: [Snort-users] Network World IDS report


Good read, I feel. Sums up the biggest problem with IDS today (false
positives, or information overload).

Interesting to see how almost all these commercial IDS systems crashed under
load... :-)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
