[Snort-users] Snort comparisons
Cavey, Mark A.
mark_a_cavey at ...5265...
Mon May 20 11:58:05 EDT 2002
Here's some info that I've been using as a foundation for an OpenSnort vs
RealSecure document. I'm in the same position in which I'm trying to
convince management about OpenSnort over ISS: RealSecure. Hope it helps!
Sourcefire, Inc. OpenSnort Sensor<?xml:namespace prefix = o ns =
Developed by the creators of the original Snort IDS, Sourcefire's OpenSnort
Sensor is an appliance-based network intrusion detection system that
performs real-time traffic analysis, packet logging and alerting on IP
networks. Sourcefire leverages the stability and performance of the open
source Snort intrusion detection engine with the convenience and support of
a commercial product. OpenSnort Sensor builds on the valuable contributions
of the open source model by offering an easy to use, fully supported
appliance version of Snort.
There are several key areas where OpenSnort Sensor technology outshines the
competition. This document is not intended to compare any specific vendor
FLEXIBILITY & CUSTOMIZATION
By providing an open source rule language, OpenSnort Sensor allows
administrators to write and edit rules, easily reducing false positives and
detecting organization-specific threats. Additionally, administrators can
view alerts in a variety of formats, including payload of packets triggering
alerts. OpenSnort Sensor also allows restricted access, allowing users to
analyze traffic while denying them access to configuration options.
ICMP TRAFFIC HANDLING
Attackers regularly use ICMP toolkits to scan the networks they wish to
expose. It is important to be able to recognize these scans, however, many
IDS's handle this traffic by sending an alert that a Traceroute has
occurred. This can result in inaccurate information -- a toolkit that uses
ICMP to scan a network is completely different from a Traceroute and
security analysts can react more appropriately if they are given more
detailed information. OpenSnort Sensor addresses this by providing an
extensive library of ICMP rules.
OpenSnort Sensor provides users the ability to see exactly what kind of
ICMP activity is occurring on the network. In some instances, a security
analyst may not want to see alerts on most of the ICMP traffic. OpenSnort
Sensor provides the ability to alert on specified types of ICMP traffic.
For example, a rule can be written to alert on ICMP traffic that is not
generated from internal routers.
Sourcefire has an experienced team dedicated to continually enhancing the
detection engine as well as writing new and optimizing existing rules. This
effort, along with that of the open source community, enables OpenSnort
Sensor to have the most comprehensive set of ICMP rules available.
Here are a few examples of OpenSnort Sensor ICMP rules.
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING Sniffer
Pro/NetXRay network scan";itype:
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING CyberKit 2.2
SESSION TAGGING AND RECORDING
OpenSnort Sensor allows administrators to "trap and trace" someone or
something that has generated an alert. This powerful capability enables the
sensor to record follow-on information for further analysis instead of just
the attack itself. This feature allows users to see what happens after an
alert is triggered even if it causes things that wouldn't normally be picked
up. For example, when an IMAP buffer overflow is detected, OpenSnort can
start logging all the traffic coming from the source host of the packet that
set off the alert for the next 5 minutes
STABILITY AND PERFORMANCE
OpenSnort Sensor is the most stable and robust IDS on the market and has a
strong self-preservation mechanism built into it. It operates in a
"probabilistic defense" mode when there is heavy traffic on the network.
OpenSnort Sensor frees up memory by randomly deleting sessions. This
prevents attackers from predicting which sessions will be removed, hence
they can never be sure if their sessions are seen. OpenSnort Sensor also
has the most powerful and robust code for TCP stream reassembly and IP
defragmentation. This is normally where most IDS's crash.
Snort supports TCPdump filters, which help eliminate traffic that does not
require inspection. For example, if an administrator does not want to
inspect SSH traffic, OpenSnort Sensor can be instructed to ignore SSH
connections by using a TCPdump filter of "not port 22." By utilizing
TCPdump filters Sourcefire once again harnesses the power of the open source
community. Users can create their own filters, or get filters from the vast
open source community.
OpenSnort Sensor displays packet payloads of traffic that generates alerts.
This level of detail enables administrators to more quickly and easily
determine if an alert signifies an attack. Without the full information
users cannot make that determination.
OpenSnort Sensor is easy to install and deploy. An easy-to-use web-based
interface is provided for:
· Data and forensic analysis
· Rule creation, loading and management
· User, disk and sensor management
· Network and alert configuration
· Database queries, packet display and report generation.
In addition, Sourcefire offers OpenSnort Management Console, which enables:
· Correlation of events and packet logs from multiple sensors
· Advanced analysis capabilities using aggregated data
· Database query generation and storage
· Data sharing and cooperative analysis of network incidents
OPEN SOURCE MODEL
Sourcefire believes that the open source model produces the best code. The
Snort user community is made up of some of the best security people in the
world: University PhD's, software developers, and security experts. The more
people that have access to the source code and can employ their expertise to
examine it, the fewer secrets are embedded in the code and the harder it is
to compromise that code by hiding backdoors, bugs or other
security-threatening code in it.
Bugs rarely stay hidden when exposed to thousands of experienced programmers
who carefully scrutinize every line of code and who use the Snort engine in
an expansive variety of environments. The Snort community is growing daily.
Sourcefire supports the Snort community by putting resources back into it.
Sourcefire currently enables and oversees new releases of the Snort engine
through the open source model.
The popularity and acceptance of Snort throughout the world is impressive.
It is currently the most widely deployed intrusion detection system
worldwide. The Snort open source community is a highly organized community.
Aside from the seasoned developers at Sourcefire, there are thousands of
experienced programmers adding to the functionality and rule sets. Their
contributions can be seen on the numerous mailing lists and web sites.
Users can learn more about the community and these sites at
<http://www.snort.org/> www.snort.org. Individuals participating in open
source projects take great pride in finding or fixing problems. These
recognitions are coveted by open source developers. Just as these users
want to claim credit for their contributions, the Sourcefire developers who
are known by their peers, not hidden behind a corporate logo, have added
incentive to create top-notch software.
Sourcefire provides the technical expertise of a full engineering and
support team as well as the ongoing scrutiny, reporting and expertise of
programmers throughout the world. While the open source model does have
its opponents, their legitimacy is waning. Source code can be restricted
but that does not keep it hidden. Any code can be reverse engineered so
that its vulnerabilities can be discovered. One does not even have to be an
experienced coder to find the vulnerabilities. The Internet is loaded with
sites maintained by individuals who have uncovered and published these
vulnerabilities. Users of closed source software feel a false sense of
security and are dependent upon the vendors to identify and fix bugs and to
generate new rules and signatures to alert on new types of attacks.
Sourcefire's OpenSnort Sensor runs on technology that reaps the benefits of
both a paid, experienced engineering team as well as thousands of experts
around the world analyzing, testing, and fixing the code, and creating new
From: Tim Prendergast [mailto:tprendergast at ...5901...]
Sent: Monday, May 20, 2002 2:35 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Snort comparisons
I'm seeking any information people have on Snort vs Cisco NetRanger
comparisons that may have been done professionally or for educational
reasons. I'm seeking as much info as possible to provide a fair comparison
of the two products to my organization for IDS solutions. We don't need
gigabit performance or anything, something that does 100Mbps would be fine
for a lonnnnggg time. I'm a big fan of Snort, but need more data to back my
I'd appreciate it if anyone could help.
tprendergast at ...5899... <mailto:tprendergast at ...5899...>
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users