February 23, 2019

Snort: IDS Done Well (and Good) - page 2

The Joys of Success

  • July 2, 2007
  • By Jeffrey Carr

Snort is, by far, the gold standard among open source network intrusion detection systems (NIDS), with over 100,000 users and 3 million downloads to date. Snort signatures are kept up to date by its dedicated user community, and the Snort website has ample documentation, including tutorials. It is not, however, easy to use, and it takes an experienced security professional to configure it properly. The fact that it is free makes it the darling of small and medium-sized businesses that cannot afford the fancy GUIs and wizards of commercial network security products.

In 2004, InfoWorld published a review of four network intrusion detection systems (ISS, Lancope, Snort, and StillSecure) and found that although they were all equally effective at recognizing attacks on a network, there were differences "ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats." Snort 2.10 with ACID scored high on configurability but was marked down for its dependence on signatures. The reviewers acknowledged that all signature-dependent systems suffer from the same problem: how do you defend against an attack whose signature you don't yet know? Overall, Snort scored a "Very Good" rating of 7.3, which put it in last place among the four contenders; it was, however, the only open source candidate in the group.
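The reviewers' objection to signature dependence is easy to see in a small experiment. The following is an added example, not code from the article or from the Snort project: a minimal Snort-style `content:` matcher applied to constructed HTTP request lines. The rule, the sample requests, and the `normalize_uri` helper are assumptions made for illustration; the helper only percent-decodes the request-URI, which is a rough stand-in for what Snort's HTTP preprocessor does before a rule matches on the normalized URI buffer.

```python
"""Added example (not from the article or from Snort): why signature-only
detection is brittle. A minimal Snort-style content matcher is run over
constructed HTTP request lines, with and without URI normalization.
"""
from urllib.parse import unquote

# Hypothetical rule modelled on Snort's syntax, roughly
#   content:"/etc/passwd"; nocase;
RULE = {"msg": "directory traversal attempt",
        "content": b"/etc/passwd", "nocase": True}

# Constructed sample traffic (not captured data): a plain attack, a
# percent-encoded variant, a benign request, and a hypothetical attack
# for which no signature exists yet.
SAMPLES = {
    "plain":   b"GET /cgi-bin/view?file=../../etc/passwd HTTP/1.0",
    "encoded": b"GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.0",
    "benign":  b"GET /index.html HTTP/1.0",
    "novel":   b"GET /cgi-bin/view?file=../../etc/shadow HTTP/1.0",
}


def content_match(rule, payload):
    """Raw byte-string match, as a rule without URI normalization sees it."""
    needle, hay = rule["content"], payload
    if rule.get("nocase"):
        needle, hay = needle.lower(), hay.lower()
    return needle in hay


def normalize_uri(payload):
    """Percent-decode the request-URI (assumption for illustration; the real
    HTTP preprocessor handles many more encodings and double decoding)."""
    parts = payload.split(b" ")
    if len(parts) >= 2:
        parts[1] = unquote(parts[1].decode("latin-1")).encode("latin-1")
    return b" ".join(parts)


def evaluate(rule, samples, normalize=False):
    """Return {sample name: True if the rule alerted} for every sample."""
    return {name: content_match(rule, normalize_uri(p) if normalize else p)
            for name, p in samples.items()}


if __name__ == "__main__":
    for normalize in (False, True):
        label = "normalized" if normalize else "raw"
        print(label, evaluate(RULE, SAMPLES, normalize))
```

Run raw, the rule catches only the plain request and misses the percent-encoded one; with normalization it catches both. Neither mode alerts on the `/etc/shadow` request, which is exactly the reviewers' point: a signature engine is silent on anything it has no signature for, however similar it is to a known attack.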

In October 2006, UnixReview.com published a review of Snort 2.6. The author liked the move from ACID to BASE (Basic Analysis and Security Engine), the web front end most commonly used to browse Snort's alerts, although she acknowledged that it was still a challenge to present the output in an easily readable form.
