[Snort-users] Snort 0,01 seconds too late?

waldo kitty wkitty42 at ...14940...
Sun Dec 1 13:12:52 EST 2013

On 12/1/2013 4:12 AM, Gregor Mahnic wrote:
> Hello,
> I hope no one gets upset with me for this question but is it possible for snort
> to fail to stop an attack? I hear this a lot when I google for some thing about
> snort. I mean not that I have any doubts my self about snort but I just wondered
> how would a snort user comment on some one who sarcastically states that snort
> would be 0,001 seconds too late to stop an attack. I am wondering because in
> part I want to become an avid snort user. I need to do a lot more research and
> reading about every thing connected with snort such as oink, barnyard,...

regardless of using other tools, this highly depends on how snort is implemented 
in one's setup...

snort in inline mode (IPS) places snort directly in the path of the traffic... 
snort gets the traffic when it arrives, analyzes it and then either passes the 
traffic thru to the outbound side or drops the traffic in the bitbucket... the 
traffic cannot pass unless snort allows it to...

inline mode is also known as IPS (intrusion prevention system)... IDS mode, 
(intrusion detection system) is different in that snort is watching the ball 
game from the sidelines... if it sees something then it raises a flag (an alert) 
which another tool may react to... in this situation, yes, the response will be 
delayed by some small period of time...

> Are these sort of sentiments expressed by individuals who are too lazy to
> implement snort? I mean I my self see how long it has taken me to understand the
> basics and as I have said I need to do a whole lot more reading!

lazy? maybe... maybe not... only aware of one method of implementation? yes, 
most likely...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.

More information about the Snort-users mailing list