[Snort-users] Total Cost of Ownership for Snort Implementation?

Derek Glidden dglidden at ...7172...
Wed Jun 18 08:35:13 EDT 2003

On Wed, 2003-06-18 at 10:11, Bennett Todd wrote:
> 2003-06-18T01:45:44 Nicholas Brawn:
> > [...] I've been approached to put together some information on the
> > TCO of implementing Snort at 5-10 locations throughout our network
> > (internal and perimeter).  We're going to be comparing this to the
> > TCO for implementing a commercial solution.
> That's enough boxes that I'd base the snort TCO estimate on
> building and configuring boxes, deploying them, tuning them,
> organizing alerting and/or reporting to meet your needs, and
> updating sigs. Hardware costs are in the noise. How expensive is it?
> Depends entirely on the skills you have available to build on. If
> you have folks who are really good at configuring appliance-style
> devices, automating their building and rebuilding, automating
> distribution of config updates and collection of alerts, etc. then
> snort can be an amazing winner.
> If on the other hand you don't have folks who are experienced at
> organizing an automated appliance build/maint process around open
> source tools, then getting an appliance from a vendor is liable
> to be a better value. Note that Snort is available on that basis
> as well as do-it-yourself free open source. Sourcefire sells and
> supports appliances built on Snort.

"What he said."   :)

We've been an ISP/consulting shop for a number of years based around
Linux, so we have the infrastructure.  I spent some time building some
scripts around the snort engine to handle things like alerting and
reporting that it doesn't do itself, and a certain amount of regular
maintenance, and now our "cost" for deploying a new sensor is literally
the cost of the hardware plus about 30 seconds of time to put the
hostname in a config file to have the packages installed and
maintained.  Up-front, I maybe spent 80-100 hours over a month or so,
but for a final result, we now have several dozen snort sensors deployed
throughout our and our customers' environments and they effectively
manage themselves.  

As Bennett said, the open nature of Snort makes it really easy to pull
it into any existing infrastructure you may have, if you have someone
who can do it.  And we're proof that you *can* build an infrastructure
around it that makes it essentially hands-off once you get it all sorted
out.  (And we know it works in a "real-world" situation because we've
been getting woken up with pages this week as one of our customers
started doing intrusion testing on their network without informing us of
the fact.)  For only 5-10 installations, it may not be worth the
up-front effort, although on the flip side, you may not need the amount
of effort we put into the project.

As Bennett also said, if you don't have the expertise in-house, or you
don't have a large enough deploy to make it worth the trouble, you can
always go with Sourcefire.

"We all enter this world in the    | Support Electronic Freedom
same way: naked; screaming; soaked |        http://www.eff.org/
in blood. But if you live your     |  http://www.anti-dmca.org/
life right, that kind of thing     |---------------------------
doesn't have to stop there." -- Dana Gould
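As an added illustration of the alerting glue described in the post above (this is example code, not Derek's scripts or anything from the Snort project): a small Python triage pass over Snort 2.x `alert_fast` output that pages immediately on priority-1 alerts, pages once when a lower-priority signature repeats from the same source, and counts everything for a periodic report. The sample alert lines, sids in the 1000000+ local range, and thresholds are constructed for the example.

```python
import re
from collections import Counter

# Snort 2.x "alert_fast" line; Classification is optional, ICMP alerts carry no ports, IPv4 only.
FAST_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::(?P<dport>\d+))?$"
)

# Constructed sample alerts (sids in the local 1000000+ range are placeholders, not real rules).
SAMPLE_ALERTS = [
    "06/18-08:31:02.118342  [**] [1:1000001:1] CONSTRUCTED shellcode pattern [**] "
    "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} "
    "192.0.2.10:51234 -> 198.51.100.5:80",
    "06/18-08:31:20.000000  [**] [1:1000003:1] CONSTRUCTED ICMP ping [**] "
    "[Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.30 -> 198.51.100.5",
    "this line is not an alert and must be skipped",
] + [
    f"06/18-08:31:{5 + i:02d}.000000  [**] [1:1000002:1] CONSTRUCTED port scan [**] "
    f"[Priority: 3] {{TCP}} 192.0.2.20:{40001 + i} -> 198.51.100.5:22"
    for i in range(5)
]

def parse_fast(line):
    """Return the alert fields as a dict, or None for lines that are not alerts."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert["sid"] = int(alert["sid"])
    alert["prio"] = int(alert["prio"])
    return alert

def triage(lines, page_priority=1, repeat_threshold=5):
    """Split alerts into immediate pages and per-signature counts for the periodic report.
    Priority <= page_priority pages on first sight; anything lower pages only once the
    same sid from the same source has repeated repeat_threshold times (and only once)."""
    pages, report, seen = [], Counter(), Counter()
    for line in lines:
        a = parse_fast(line)
        if a is None:
            continue
        report[(a["sid"], a["msg"])] += 1
        seen[(a["sid"], a["src"])] += 1
        if a["prio"] <= page_priority or seen[(a["sid"], a["src"])] == repeat_threshold:
            pages.append(f"{a['ts']} sid={a['sid']} prio={a['prio']} "
                         f"{a['src']} -> {a['dst']} {a['msg']}")
    return pages, report
```

In a real deployment the `pages` list would be handed to whatever paging mechanism the site uses, and `report` rolled into the daily summary.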
