[Snort-users] Comparison question

David Glosser david_glosser at ...131...
Mon Feb 28 16:27:05 EST 2005


I believe the sonicwall will only pick up stuff coming from the internet...
(Shaun, will it also pick up outbound nasties?)

-With the right switch or Ethernet tap, you can monitor your internal
servers and network devices. So if a user is doing something naughty
(whether they know it or not, I'm thinking of malware here), you will pick
it up.

-With the bleeding snort rules, you should pick up the latest and greatest
malware infections and "0day" stuff.

I know there's a saying for this... "defense in depth"... "layered approach"
... "soft chewy center"  ... anyway, it's best to run both.

I'd be surprised if snort doesn't pick up something that the sonicwall
missed.  And I'd be very interested if you can come back and say "the
sonicwall was the greatest thing since sliced bread."

If you do set up a snort box, please let us know how well the sonicwall did.
I have a few and it would be informative to know if I should push for the
IDS/IPS license. Thanks


----- Original Message ----- 
From: "Eric Hines" <eric.hines at ...8860...>
To: <ste at ...11690...>; <snort-users at lists.sourceforge.net>
Sent: Monday, February 28, 2005 12:34 PM
Subject: RE: [Snort-users] Comparison question


> 1) With open source Snort, you're not bound to any costly licensing
> restrictions like you would be with the Sonicwall. E.g. if you wanted to
> deploy additional Snort installations around your network, all you'd have
> to do is lynx to www.snort.org rather than calling someone to order
> additional sensors.
>
> 2) Also, Snort and its signature language are in much greater use and more
> popularly supported than say the proprietary rules language of Sonicwall,
> NFR (NCODE), etc. or any other commercial IDS vendor that doesn't use
> Snort's signature syntax. I suppose a shift is happening in the commercial
> vendor space where vendors are now looking to or have already added support
> for Snort's language (e.g. ISS and their addition of TRON). So when hiring a
> new IDS analyst, it's going to be far easier finding someone who used Snort
> at home or the office rather than trying to sift through resumes of people
> looking for someone who's used Sonicwall's IDS. Also, notice that when
> Symantec and the other AV companies release a whitepaper on a new worm,
> they'll typically include a Snort signature(s) for detection.
>
> 3) Price! Snort == free. Sonicwall == $$$
>
> 4) I am unaware of Sonicwall's ID and IPS capabilities, however, Snort
> obviously has protocol anomaly detection, stateful pattern detection, and
> other capabilities as an IDS etc. Also, with the latest 2.3 of Snort, users
> have the capability to also go inline in addition to its use of flexresp
> for passive IPS through shunning.
>
> 5) How confident is the company running a stateful packet inspection
> IDS/IPS on the same system routing traffic in/out of your network at the
> perimeter? Separation of duties please :)
>
> Just my 2 cents. Take it as you will. I hope it helps you in providing a
> good argument to the powers that be.
>
>
>
> Best Regards,
>
>
> Eric Hines, GCIA, CISSP
> CEO, President, Chairman
> Applied Watch Technologies, LLC
> 1134 N. Main St.
> Algonquin, IL 60102
> Tel: (877) 262-7593 x327
> Fax: (877) 262-7593
> Web: http://www.appliedwatch.com
> "Browserless, Enterprise Snort Management"
>
>
>
> -----Original Message-----
> From: snort-users-admin at lists.sourceforge.net
> [mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Shaun T.
> Erickson
> Sent: Sunday, February 27, 2005 7:24 PM
> To: snort-users at lists.sourceforge.net
> Subject: [Snort-users] Comparison question
>
> First, I'm not trying to start a religious war. I'm just looking for
> information to educate myself with, so I can make the best decision for
> *my* organization. That said ...
>
> I am wondering if anyone can give me any idea as to how well, or not, a
> Snort installation (of whatever is latest) would compare to using the
> IDS/IPS features of my SonicWall firewall (a Pro 4060, running their
> latest firmware). I have the firewall, with those features licensed. I
> could set up Snort. I'm trying to decide the merits of either decision.
>
>     -ste
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
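Two points in the thread are easier to see with a concrete rule in hand: Eric's remark that Snort's signature syntax is the common language AV vendors publish detections in, and David's point that what a sensor sees depends on where it sits. The following is an added example, not Snort's code and not from any of the posters: a toy evaluator for a small subset of Snort rule syntax (header fields plus a `content` option; no `nocase`, `|hex|` content or PCRE), run over constructed packet records. The `$HOME_NET`/`$EXTERNAL_NET` values, the rules and the packets are all made up for the illustration; the sids sit in the local 1000000+ range.

```python
"""Toy evaluator for rules written in Snort's signature syntax.

Added example, not Snort's own code. It parses a few rules in Snort rule
syntax and runs them against constructed packet records to show how the
header (protocol, source/destination nets and ports, direction) and a
`content` option decide whether a rule fires.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical network variables, as snort.conf would define them.
VARS = {
    "$HOME_NET": ["10.0.0.0/8"],
    "$EXTERNAL_NET": ["!10.0.0.0/8"],
}

@dataclass
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

HEADER_RE = re.compile(
    r"^(?P<action>alert|log|pass|drop)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\S+)\s+(?P<dir>->|<>)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)
OPTION_RE = re.compile(r'(\w+):("[^"]*"|[^;]*);')

def parse_rule(text):
    """Split a rule into its header fields and a dict of its options."""
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unparseable rule: {text!r}")
    rule = m.groupdict()
    rule["opts"] = {
        k: (v[1:-1] if v.startswith('"') else v.strip())
        for k, v in OPTION_RE.findall(rule["opts"])
    }
    rule["sid"] = int(rule["opts"]["sid"])
    return rule

def net_matches(spec, addr):
    """Resolve a net spec: 'any', a $VAR, or a CIDR with optional leading '!'."""
    if spec == "any":
        return True
    if spec.startswith("$"):
        return any(net_matches(s, addr) for s in VARS[spec])
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("!"), strict=False)
    return (ip_address(addr) in net) != negate

def port_matches(spec, port):
    """Resolve a port spec: 'any', a single port, or a lo:hi range."""
    if spec == "any":
        return True
    if ":" in spec:
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return int(spec) == port

def _header_matches(rule, pkt, swap=False):
    src, sport, dst, dport = rule["src"], rule["sport"], rule["dst"], rule["dport"]
    if swap:  # bidirectional '<>' rules also match the reverse direction
        src, sport, dst, dport = dst, dport, src, sport
    return (net_matches(src, pkt.src) and port_matches(sport, pkt.sport)
            and net_matches(dst, pkt.dst) and port_matches(dport, pkt.dport))

def rule_matches(rule, pkt):
    """Header first, then the content option (plain substring match only)."""
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if not (_header_matches(rule, pkt)
            or (rule["dir"] == "<>" and _header_matches(rule, pkt, swap=True))):
        return False
    content = rule["opts"].get("content")
    return content is None or content.encode() in pkt.payload

def alerts_for(pkt, rules):
    """Return the sids of all rules that fire on this packet."""
    return sorted(r["sid"] for r in rules if rule_matches(r, pkt))

# Constructed rules in Snort syntax (sids in the local 1000000+ range).
RULES = [parse_rule(r) for r in [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB cmd.exe request from outside"; content:"cmd.exe"; sid:1000001;)',
    'alert tcp any any -> $HOME_NET 445 (msg:"SMB ADMIN$ share access"; content:"ADMIN$"; sid:1000002;)',
]]

# Constructed traffic: the same request from outside and from an inside host,
# plus an inside-to-inside SMB connection a perimeter-only sensor never sees.
PACKETS = [
    Packet("tcp", "203.0.113.5", 40001, "10.0.0.20", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("tcp", "10.0.5.7", 40002, "10.0.0.20", 80, b"GET /scripts/cmd.exe HTTP/1.0\r\n"),
    Packet("tcp", "10.0.5.7", 40003, "10.0.0.30", 445, b"\\\\10.0.0.30\\ADMIN$\x00"),
]

if __name__ == "__main__":
    for pkt in PACKETS:
        print(pkt.src, "->", pkt.dst, pkt.dport, "fires:", alerts_for(pkt, RULES))
```

The second packet is the point of the exercise: the same request that fires sid 1000001 from outside is silent from an inside host, because the rule's source is `$EXTERNAL_NET`. Catching that, and the third packet's inside-to-inside SMB access, takes both a sensor placed on a span port or tap that carries internal traffic and rules written with `any` as the source, which is the layered setup the reply above argues for.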