[Snort-users] Cheaper Snort!

Davis Ray Sickmon, Jr midryder at ...5013...
Thu Mar 14 11:33:12 EST 2002


> > Here is a silly question:
> >
> > Why do some users of snort choose to run snort on win32 platforms? Does
> > that not defeat ONE of the benefits of using snort?  That benefit being
> > free?
>
> Short story, the hardware costs money, so that's not free.  The Windows
> license may already be owned (sunk money.) But really, the major factor
> will probably be OS expertise of the administrator.  The cost of hiring,
> and perhaps training, a systems administrator totally dwarfs the cost of a
> Windows license.  If the SA has never installed unix before, then having
> Snort on Win32 probably means that they now have an opportunity to run
> Snort, when they probably would have had to skip it otherwise.  In many
> places, if it's a Windows shop, even if that particular SA can at least
> install Linux, the boss may not allow it.  I've seen many managers who had
> the attitude that they don't want that weird box in the corner that only
> one guy can run, because what happens when he leaves?
>
> I'm not saying that it's a good idea, or that there isn't some benefit to
> having it on unix, but that's how it works.
>
> Ryan

I gotta agree with Ryan's comment.  I'm running Snort 1.8.3 on Windows NT
4.0 (service packed up).  Why?  Because at the time, the hardware was
available (it's a retired box), and WinNT was already loaded on it, so I
cleaned it and secured it, and loaded Snort on it.  No fuss, no muss (except
for IDS Center.  GROAN...)  Later, when I got more hardware available, my
new firewall was OpenBSD based.  Recently they let me convince them to buy
me more hardware, so my newest web server is a Linux box.  Snort will
eventually move to a slightly larger box, Linux based, when the company
looses the purse strings a bit more for me (but it's not a priority right
now.)

By using the hardware I had at the time, I got to install an NIDS without
incurring extra expenses, and it's a piece of cake to tell my sidekick how
to adjust things (an MCSE who is now getting a liberal education in OpenBSD
bridges / firewalling and Linux ;-)  So, in this case, it was *MUCH* cheaper
for me to use Snort on Win32.  A blanket statement that Snort on Linux is
cheaper isn't always true.  Of course, most blanket statements about any
product or situation are less than universally true!

As for the 'Total Cost of Ownership' type issues, well, it's pretty much a
wash either way.  With the Win32 box, I install NT or 2K, service pack it,
shut down unnecessary services, test it, etc.  On the Linux box, I've got to
install Linux, (if it's from a distro) I have to install any patched
versions to kill off vulnerabilities (like the recent PHP one), set up
services and make sure nothing extra is running, test it, etc.  The process
is the same.  I don't reboot my NT servers any more often than my Linux
servers - basically, almost never.  Only if I've patched something up, the
last stage is to reboot it, confirm things are working proper and that no
new holes or services are available, etc.  So if I happen to have a license
already available, then for me the price is identical.  If not, then the TCO
becomes only SLIGHTLY higher for a Windows based server, but just barely.

Personally, this still sounded like an attempt at starting an OS Holy War,
regardless of the original author's statement that this wasn't an attempt
to start an OS Holy War.  I prefer OpenBSD or Linux for servers (OpenBSD
slightly more preferred these days), and Win32 for workstations.  And it's
just that - preference.  Other people prefer other setups than what I like,
and as long as they know how to secure a system, what the heck does it
matter.  If they use a different setup than what they know or like, then it
takes more time, money, and energy to get things right.  If it were to take
an admin twice as long to set up Snort on a Linux box than a Win32 box, then
what's the cost of Snort?

Davis Ray Sickmon, Jr
Owner, Midnight Ryder Technologies
http://www.midnightryder.com
or,
J R Sickmon,
Creek Electric, Inc.





