[Snort-users] Comparison question

Eric Hines eric.hines at ...8860...
Mon Feb 28 09:38:48 EST 2005

1) With open source Snort, you're not bound to any costly licensing
restrictions like you would be with the Sonicwall. E.g. if you wanted to
deploy additional Snort installations around your network, all you'd have to
do is lynx to www.snort.org rather than calling someone to order additional

2) Also, Snort and its signature language are in much greater use and more
popularly supported than say the proprietary rules language of Sonicwall,
NFR (NCODE), etc or any other commercial IDS vendor that doesn't use Snort's
signature syntax. I suppose a shift is happening in the commercial vendor
space where vendors are now looking to or have already added support for
Snort's language (e.g. ISS and their addition of TRON). So when hiring a new
IDS analyst, its going to be a far easier finding someone who used Snort at
home or the office rather than trying to sift through resumes of people
looking for someone whose used Sonicwall's IDS. Also, notice that when
Symantec and the other AV companies that release a whitepaper on a new worm,
they'll typically include a Snort signature(s) for detection.

3) Price! Snort == free. Sonicwall == $$$

4) I am unaware of Sonicwall's ID and IPS capabilities, however, Snort
obviously having protocol anomaly detection, stateful pattern detection, and
other capabilities as an IDS etc.. Also, with the latest 2.3 of Snort, users
have the capability to also go inline in addition to its use of flexresp for
passive IPS through shunning.

5) How confident is the company running a stateful packet inspection IDS/IPS
on the same system routing traffic in/out of your network at the perimeter?
Separation of duties please :)

Just my 2 cents. Take it as you will. I hope it helps you in providing a
good argument to the powers that be.

Best Regards,

Eric Hines, GCIA, CISSP
CEO, President, Chairman
Applied Watch Technologies, LLC
1134 N. Main St.
Algonquin, IL 60102
Tel: (877) 262-7593 x327
Fax: (877) 262-7593
Web: http://www.appliedwatch.com
"Browserless, Enterprise Snort Management"

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shaun T.
Sent: Sunday, February 27, 2005 7:24 PM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Comparison question

First, I'm not trying to start a religious war. I'm just looking for
information to educate myself with, so I can make the best decision for
*my* organization. That said ...

I am wondering if anyone can give me any idea as to how well, or not, a
Snort installation (of whatever is latest) would compare to using the
IDS/IPS features of my SonicWall firewall (a Pro 4060, running their latest
firmware). I have the firewall, with those features licensed. I could set up
Snort. I'm trying to decide the merits of either decision.


SF email is sponsored by - The IT Product Guide Read honest & candid reviews
on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

More information about the Snort-users mailing list