[Snort-users] Cisco IDS

John Hally JHally at ...5637...
Tue Jan 18 20:04:17 EST 2005

Thanks Theodore,

That wasn't so bad, I figured I'd get flamed for posing the question :-)

Actually, I have no problem building Snort, and have used it since v1.8 with
good results.  The main problem I have is a couple things.

First, no real good mgmt interface.  Snort Center was great, but it's fallen
on hard times, and you can't get anything but 2.0 to run on it without doing
a lot of php hacking, and I just don't have the time.  For a php developer,
I'm sure it can be done, but I'm the biggest hack, so it would take a lot
more time for me.

Second, ACID is good, but there's no real correlation/mitigation.  Sguil
looks like it's going to be something, but its just a little young, and it
can be a pain to get working.  I haven't tried BASE, though it looks like
it's basically the same thing.  

I love the idea of RNA.  I've played around with p0f recently, and even at a
low level, the idea of passive OS identification is slick.  I'm guessing at
some point someone will hack up a version of p0f to attempt to detect
applications as well.  Any of you Sguil guys out there, feel free to
incorporate this in as well ;-)

Defense Center would be OUTSTANDING at the price they want, if their snort
agent allowed you to manage your home-grown sensors as well as accept their
alerts, but it doesn't.  I guess at least I can't complain too much.  At
least I could leverage what I have on some level.  They have to make money
to, otherwise no one would by sensors.

BTW - Sourcefire list pricing is comparible to Cisco, it's just that
depending on your relationship w/cisco, they can practically give it away if
they want.  They have purchased Okena, and I believe at least another
security-centric company, so at some point I'm guessing that their ids
solution will change for the better.  

I feel that snort/Sourcefire is better hands down, but wanted to see what
the group had to say.  

Thanks again for the reply.

-----Original Message-----
From: Theodore Stout [mailto:theodorestout at ...131...] 
Sent: Monday, January 17, 2005 10:13 AM
To: John Hally; 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] Cisco IDS

Hello John,

Yeah I have used Cisco IDS.  In fact I used to sell
it.  I used to sell ISS RealSecure too.  Now I build
and Sell Snort as well as Sourcefire.

So, which is better?  I like Sourcefire a lot.  It is
easy to use and fun.  

After that, I am devoted to Snort.  Love it.  Great! 
Have it at home.

Following this, I have to say that Cisco IDS is good
in conjunction with the 65XX class of switches.  If
you need like +5Gig of throughput, this is a nice

However, I have always though that IDS should not be
deployed in this manner.  I suppose for a ISP, this
would be useful however I still do not think it is
smart due to system degregation problems.  Of their 1
gig devices, I do not think they have a better
solution than Sourcefire.

So I would go with Sourcefire if you have the bugdet
and want 250meg to 1 Gig throughput.  However, other
purposes, Snort is quite good.  Additionally, if you
don't have the skills to actually build Snort using
Fedora Core or OpenBSD, then using Sourcefire is my
suggestion since it is just so easy for normal Admins
to use.  However, if you got the skills, or your staff
has the skills, consider Snort as well.

It is also good pointing out that with Cisco, the
signatures really are dependant with your maintenance
contract with your vendor.  With Snort, you get that
stuff for free.

Hope that helps,

Theodore Stout, CISSP
ISS MSS Engineer
(Yeah I studied too much.....)

--- John Hally <JHally at ...5637...> wrote:

> Hello Group,
> Out of curiosity, has anyone had any experience with
> Cisco's IDS?  I'm
> curious how Snort stacks up in strengths/weaknesses
> including Sourcefire's
> commercial products.  
> Thanks in advance!

Do you Yahoo!? 
The all-new My Yahoo! - Get yours free! 

More information about the Snort-users mailing list