Comments on: Snort Rocks! http://blog.jabawoki.com/2008/07/02/snort-rocks/?utm_source=rss&utm_medium=rss&utm_campaign=snort-rocks Nothing to see here, move along... Tue, 10 Jan 2012 12:18:18 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Jabs http://blog.jabawoki.com/2008/07/02/snort-rocks/comment-page-1/#comment-17 Jabs Wed, 26 Nov 2008 19:32:09 +0000 http://blog.jabawoki.com/?p=28#comment-17 "The only issue I had was configuring all of the rules".... Neil, I think you some up the issue quite clearly with that one point. Some would in fact ague that IDS solutions died because of that exact problem, others of course would argue that in the right hands, its a powerful view of your network. “The only issue I had was configuring all of the rules”…. Neil, I think you some up the issue quite clearly with that one point. Some would in fact ague that IDS solutions died because of that exact problem, others of course would argue that in the right hands, its a powerful view of your network.

]]> By: Neil http://blog.jabawoki.com/2008/07/02/snort-rocks/comment-page-1/#comment-2 Neil Sat, 25 Oct 2008 01:06:02 +0000 http://blog.jabawoki.com/?p=28#comment-2 I can confirm SNORT's a great piece of kit, particularly if you use port mirroring in which case you could run in stealth mode. The only issue I had was configuring all of the rules, which can be overcome using a third party piece of software like Activeworx Enterprise ( www.activeworx.com ). This also gives you a landscape view of your network, similar to any NMS system. The price tags not alot and if budgets don't allow you to purcahse it just yet, at least use their trial to help you set up the kit. In my oppinion, SNORT combined with third party software is nearly as good as other products like Cisco MARS ( http://www.cisco.com/en/US/products/ps6241/ ). I've been playing with this product for a while now and the biggest difference is the ability for it to update rules upon routers and firewalls (IDS/IPS all in one) if the IDS tripwires are triggered. Now SNORT will do things like TCP resets, but in this day and age these can be overcome. Cisco MARS has been tested by many of my professional friends and they can't break it. I would suggest asking Cisco to loan you some kit and try attacking it yourself, see whether you can break it! Going back to SNORT though, because it's free there shouldn't be any excuse for not using it. Forensically, it could be the missing piece in the puzzle. I can confirm SNORT’s a great piece of kit, particularly if you use port mirroring in which case you could run in stealth mode.

The only issue I had was configuring all of the rules, which can be overcome using a third party piece of software like Activeworx Enterprise ( http://www.activeworx.com ). This also gives you a landscape view of your network, similar to any NMS system. The price tags not alot and if budgets don’t allow you to purcahse it just yet, at least use their trial to help you set up the kit.

In my oppinion, SNORT combined with third party software is nearly as good as other products like Cisco MARS ( http://www.cisco.com/en/US/products/ps6241/ ). I’ve been playing with this product for a while now and the biggest difference is the ability for it to update rules upon routers and firewalls (IDS/IPS all in one) if the IDS tripwires are triggered. Now SNORT will do things like TCP resets, but in this day and age these can be overcome. Cisco MARS has been tested by many of my professional friends and they can’t break it. I would suggest asking Cisco to loan you some kit and try attacking it yourself, see whether you can break it!

Going back to SNORT though, because it’s free there shouldn’t be any excuse for not using it. Forensically, it could be the missing piece in the puzzle.

]]>