[Snort-users] Snort IDS vs my firewall

Pratik Narang pratik.cse.bits at ...11827...
Fri Aug 24 12:23:51 EDT 2012


Dear Snort experts,

Thanks a lot to Joel, Tony, Waldo and others for the great responses
and help on my previous question with the subject line: pcaps for
triggering rules. The inputs are very helpful.

Continuing with that same spirit:

I wish to set up Snort as an IDS and then benchmark its performance
against the performance of the firewall which my network runs. I don't
intend to use Snort as an IPS as yet. All I want is that my IDS should
be able to generate alerts, warnings etc. for all the stuff which
the firewall is presently doing. And when that is achieved, the IDS,
equipped with suitable IPS capabilities, will be fit enough to replace
the firewall.

So, Question One. Are my plans wise enough? Can Snort IDS do all the
work which a professional firewall is presently doing? (Since I am
asking about an IDS, you can safely assume I am going to run captured
data of the firewall traffic)

Question two - I see that to a good extent Snort rules are directed
towards alerts for buffer overflows, injection attacks, information
leak etc. While a firewall surely does alert for these, a firewall
also does a good deal of content blocking. As an example our present
firewall blocks access to all gaming sites, gambling sites, hacking
sites, sites containing adult material, etc. I am unable to understand
how such a thing is to be achieved through Snort.


For the Sourcefire guys out there: will it be right to call
Snort's commercial version a 'firewall'?

Thanks.
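As an added illustration for question two, not part of the original post or of any reply to it, the rules below show how a "blocked site" policy of the kind the poster's firewall enforces is expressed in Snort 2.9 rule language. They assume a stock snort.conf with the http_inspect preprocessor enabled and $HOME_NET, $EXTERNAL_NET and $HTTP_PORTS defined; the domain name example-casino.test and the SIDs 1000001-1000003 are placeholders, not entries from any real blocklist.

```snort
# Added example (Snort 2.9 rule syntax). Assumes http_inspect is enabled and
# the $HOME_NET / $EXTERNAL_NET / $HTTP_PORTS variables exist in snort.conf.
# example-casino.test and the sid values are placeholders.

# 1. Plain HTTP: alert when a client request carries a Host header naming the
#    blocked site. 'http_header' restricts both matches to the normalised HTTP
#    header buffer so the string cannot match in unrelated payload, and
#    'flow:to_server,established' limits the rule to client requests on an
#    established TCP session.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"POLICY blocked category - gambling site (example-casino.test)"; \
    flow:to_server,established; \
    content:"Host|3A| "; nocase; http_header; \
    content:"example-casino.test"; nocase; http_header; \
    classtype:policy-violation; sid:1000001; rev:1; )

# 2. DNS: alert when a client resolves the blocked name. This also covers HTTPS
#    and any other protocol, because the lookup happens before the connection.
#    The content is the DNS wire-format name: a length byte before each label
#    (|0e| = 14 bytes "example-casino", |04| = 4 bytes "test") and a |00| root.
alert udp $HOME_NET any -> any 53 ( \
    msg:"POLICY blocked category - DNS query for example-casino.test"; \
    content:"|0e|example-casino|04|test|00|"; nocase; \
    classtype:policy-violation; sid:1000002; rev:1; )

# 3. The IPS step the poster describes: with Snort running inline, the same
#    rule with action 'drop' discards the request instead of only logging it.
drop tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"POLICY blocked category - gambling site (example-casino.test)"; \
    flow:to_server,established; \
    content:"Host|3A| "; nocase; http_header; \
    content:"example-casino.test"; nocase; http_header; \
    classtype:policy-violation; sid:1000003; rev:1; )
```

Two caveats a practitioner would want before benchmarking against a web-filtering firewall. First, Snort only matches strings you give it: a category such as "all gambling sites" has to be supplied as an explicit domain list (one rule, or one entry in a PCRE alternation, per domain), which is what a URL-category feed does for the firewall and what Snort itself does not provide. Second, rule 1 sees the Host header only in plaintext HTTP; for HTTPS the hostname is visible only in the TLS ClientHello SNI extension, which Snort 2.9 has no dedicated buffer for, so the DNS rule (rule 2) is the more reliable signal when the traffic being replayed is mostly encrypted.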
