[Snort-users] Snort IDS vs my firewall
pratik.cse.bits at ...11827...
Sat Aug 25 09:35:36 EDT 2012
On Fri, Aug 24, 2012 at 10:45 PM, Joel Esler <jesler at ...1935...> wrote:
> On Aug 24, 2012, at 12:23 PM, Pratik Narang <pratik.cse.bits at ...11827...>
> > I wish to set up Snort as an IDS and then benchmark its performance
> > with the performance of the firewall which my network runs. I don't
> > intend to use Snort as an IPS as yet. All I want is that my IDS should
> > be able to generate alerts, warnings etc. for all that stuff which
> > the firewall is presently doing. And when that is achieved, the IDS,
> > equipped with suitable IPS capabilities, will be fit enough to replace
> > the firewall.
> > So, Question One. Are my plans wise enough? Can Snort IDS do all the
> > work which a professional firewall is presently doing? (Since I am
> > asking about an IDS, you can safely assume I am going to run captured
> > data of the firewall traffic)
> No. Snort is not a firewall, it's an IPS. These are different
> technologies. There is a new class of devices now called "NGFW", which I'll
> talk about in a second.
> > Question two - I see that to a good extent Snort rules are directed
> > towards alerts for buffer overflows, injection attacks, information
> > leak etc. While a firewall surely does alert for these, a firewall
> > also does a good deal of content blocking. As an example our present
> > firewall blocks access to all gaming sites, gambling sites, hacking
> > sites, sites containing adult material, etc. I am unable to understand
> > how such a thing is to be achieved through Snort.
> That kind of stuff is easy to write custom rules for. But there are other
> products you may want to look into as well.
Other products like?
> > For the Sourcefire guys out there- Will it be right to call the
> > Snort's commercial version a 'firewall' ?
> No. Our NGIPS devices have Snort as a component in them, along with many
> other software features to be able to do above and beyond the massive amount
> of things that Snort already takes care of for you.
> As for a firewall functionality, we developed and released the Sourcefire
> Next-Generation Firewall (NGFW).
> This is Snort, a firewall, and much more.
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager