[Snort-users] Fallacies and lies.

Marc Quibell mquibell at ...7759...
Thu Nov 6 06:58:09 EST 2003

The problem is that Gartner and many others don't quite know how to use IDS.
They think we use it to somehow PROTECT OUR SYSTEMS! Does anyone use it in that
fashion? OH! So let's throw away our firewalls then....How do YOU use Snort, for

-To see how many PCs are infected with the Blaster worm?
-To make sure your firewalls are doing the job?
-To audit the malicious traffic?
-To make sure your company policies concerning IM usage or Kazaa are being
-To make sure your servers are not affected by malicious traffic?
-To gather historical reports and baselines of the attacks directed at your
-To report attacks directed at your network to your company Execs so that they
will see the need for your existence?

To name a few...

ANd now what does, "Most network-based IDS products don't detect
attacks in real time" have to do with this? I don't want it to react to
anything! (Even though I'm sure we could make it do that, in real-time.) And the
wire-speed statement is a bunch of bull.

IDS is not an IPS, and IDS is a very good tool, much like MRTG no?



Message: 2
Date: Thu, 6 Nov 2003 12:10:22 +1300
From: Jason Haar <Jason.Haar at ...294...>
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Fallacies and lies.
Organization: Trimble Navigation New Zealand Ltd.

I don't want to be seen to be standing up for Gartner - but one thing is

They say:

"They don't work at wire speeds. Most network-based IDS products don't detect
attacks in real time, and they can't handle the high speeds of internal

The last piece is correct - in a different context. If you want to start
pushing IDS "features" into your core INTERNAL network - then you really are
looking at IDS functionality within routers and switches - not extra boxes.

If you have 40 switches on your LAN - what would you prefer? 40 new IDS in
front of each, or switches that "do" IDS? What about the extra 70 Wireless
APs you have? You can't have them all sitting next to one IDS now can you...

Either switches add IDS functionality, or IDS needs to add switch
functionality ;-)

...or we all go to migrating to HIDS [that's where I think the future lies -
even IDS in switches can't handle IPSec]


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list