[Snort-users] Snort IDS vs my firewall

Pratik Narang pratik.cse.bits at ...11827...
Sat Aug 25 09:35:36 EDT 2012

On Fri, Aug 24, 2012 at 10:45 PM, Joel Esler <jesler at ...1935...> wrote:
> On Aug 24, 2012, at 12:23 PM, Pratik Narang <pratik.cse.bits at ...11827...>
> wrote:
>> I wish to set up Snort as an IDS and then benchmark its performance
>> with the performance of the firewall which my network runs. I don't
>> intend to use Snort as an IPS as yet. All I want is that my IDS should
>> be able to generate alerts, warnings etc. for all that stuff for which
>> the firewall is presently doing. And when that is achieved, the IDS,
>> equipped with suitable IPS capabilities, will be fit enough to replace
>> the firewall.
>> So, Question One. Are my plans wise enough? Can Snort IDS do all the
>> work which a professional firewall is presently doing? (Since I am
>> asking about an IDS, you can safely assume I am going to run captured
>> data of the firewall traffic)
>
> No.  Snort is not a firewall, it's an IPS.  These are different
> technologies.  There is a new class of devices now called "NGFW", which I'll
> talk about in a second.
>
>> Question two - I see that to a good extent Snort rules are directed
>> towards alerts for buffer overflows, injection attacks, information
>> leak etc. While a firewall surely does alert for these, a firewall
>> also does a good deal of content blocking. As an example our present
>> firewall blocks access to all gaming sites, gambling sites, hacking
>> sites, sites containing adult material, etc. I am unable to understand
>> how such a thing is to be achieved through Snort.
>
> That kind of stuff is easy to write custom rules for.  But there are other
> products you may want to look into as well.

Other products like?

>> For the Sourcefire guys out there- Will it be right to call the
>> Snort's commercial version a 'firewall' ?
>
> No.  Our NGIPS devices have Snort as a component in them, along with many
> other software features to be able to do above and beyond the massive amount
> of things that Snort already takes care of for you.
> As for a firewall functionality, we developed and released the Sourcefire
> Next-Generation Firewall (NGFW).
> http://www.sourcefire.com/security-technologies/network-security/next-generation-firewall
> This is Snort, a firewall, and much more.
> --
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
