Snort: IDS Done Well (and Good) - Page 2

 By Jeffrey Carr

In 2004, InfoWorld published a review of four network intrusion detection systems (ISS, Lancope, Snort, and StillSecure). It found that all four were equally effective at recognizing attacks on a network, but that they differed in ways "ranging from ease of setup and management to depth of packet analysis and reporting, but especially the fundamental approach taken in detecting threats." Snort 2.10 with ACID scored high in configurability but was marked down for its dependence on signatures. The reviewers acknowledged that every signature-dependent system suffers from the same problem: how do you defend against an attack whose signature you don't yet know? Overall, Snort scored a "Very Good" rating of 7.3, which put it in last place among the four contenders; it was, however, the only open source candidate in the group.

In October 2006, UnixReview.com published a review of Snort 2.6. The author liked the move from ACID to BASE (Basic Analysis and Security Engine), the newer web front end for browsing Snort's alert data, although she acknowledged that it was still a challenge to manage the output of data in a way that was easily readable.

SourceFire: The Open Source/Proprietary Hybrid

SourceFire's proprietary advances have not only addressed the challenges that reviewers have mentioned about Snort, but have propelled SourceFire into a leadership role in IPS appliances.

The SourceFire 3D product (Discover, Determine, Defend) has 3 layers: SourceFire Intrusion Sensors and Agents, SourceFire RNA Sensors, and the SourceFire Defense Center. According to the company's website, "(b)y closely integrating and correlating the threat information provided by Sourcefire Intrusion Sensors and Agents with the network intelligence provided by Sourcefire RNA Sensors, the Sourcefire Defense Center prioritizes the millions of security events to determine the most critical events to an organization's business, and takes the appropriate actions."

Victor Garza and Charles Herring evaluated SourceFire 3D for InfoWorld and were impressed by the product. They found the RNA sensor interface "remarkably intuitive," along with the Defense Center, which allows users to "start at a 10,000-foot view of the network and drill down to the granular aspects of security events." The reviewers at SC magazine were equally happy with the RNA sensor, particularly its ability to "match what it knows about network resources with its vulnerability signature database." If SourceFire were defending against a storm of Slammer traffic, according to the SC review, the RNA sensor would know that, for example, its Microsoft SQL servers weren't vulnerable, and mark the attack as a low priority. Other IDS vendors would be "lit up like a Christmas tree."
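The vulnerability-aware prioritization the SC reviewers describe is easy to state in code, so here is an added example of that correlation step. It is not Sourcefire's code or Snort's, and it assumes three things that are not on the page: a constructed host inventory standing in for what a passive sensor like RNA would learn (hosts, listening services, patch state), a constructed per-signature map saying which service and which vulnerability a rule targets, and four alert lines constructed in Snort's "fast" alert format under a hypothetical local rule ID 1:1000001. Given those, an alert is downgraded when the target host has no matching listener or is not vulnerable, upgraded when it is, and left at a middle priority when the host is unknown.

```python
import re
from collections import Counter

# Constructed Snort "fast" alert lines for the demo (not real captures). The
# rule ID 1:1000001 is a hypothetical local rule, not a published Snort SID.
# Format: ts [**] [gid:sid:rev] msg [**] [Classification: c] [Priority: n] {proto} src:port -> dst:port
SAMPLE_ALERTS = """\
01/25-05:31:02.104 [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 10.0.1.20:1434
01/25-05:31:02.118 [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 10.0.1.21:1434
01/25-05:31:02.131 [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 10.0.1.30:1434
01/25-05:31:02.140 [**] [1:1000001:1] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 198.51.100.7:1434 -> 10.0.9.9:1434
"""

# What a passive asset-discovery sensor (RNA, in Sourcefire's case) would know
# about the hosts. Constructed: the hosts and their patch state are assumptions.
INVENTORY = {
    "10.0.1.20": {"services": {1434: "mssql"}, "vulnerable_to": set()},        # SQL Server, patched
    "10.0.1.21": {"services": {1434: "mssql"}, "vulnerable_to": {"slammer"}},  # SQL Server, unpatched
    "10.0.1.30": {"services": {80: "http"}, "vulnerable_to": set()},           # web server, no SQL listener
}

# Per-signature context the correlation needs: the service the attack targets
# and the vulnerability it relies on. Keyed by "gid:sid"; contents are assumed.
SIGNATURES = {
    "1:1000001": {"service": "mssql", "attack": "slammer"},
}

ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]+)\])?"
    r"\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)


def parse_alert(line):
    """Parse one fast-format alert line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        alert[key] = int(alert[key]) if alert[key] is not None else None
    return alert


def prioritize(alert):
    """Return (level, reason) for one parsed alert using asset and signature context."""
    sig = SIGNATURES.get(f"{alert['gid']}:{alert['sid']}")
    host = INVENTORY.get(alert["dst"])
    if sig is None:
        # No context for this rule: fall back to Snort's own priority field (1 = highest).
        return ("high" if alert["prio"] == 1 else "medium", "no asset context for signature")
    if host is None:
        return ("medium", "destination not in inventory; exposure unknown")
    listener = host["services"].get(alert["dport"])
    if listener != sig["service"]:
        return ("low", f"no {sig['service']} listener on port {alert['dport']}")
    if sig["attack"] in host["vulnerable_to"]:
        return ("high", f"{sig['service']} listener vulnerable to {sig['attack']}")
    return ("low", f"{sig['service']} listener present but not vulnerable to {sig['attack']}")


def triage(alert_text):
    """Run every parseable line through prioritize(); unparseable lines are skipped."""
    results = []
    for line in alert_text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        level, reason = prioritize(alert)
        results.append({"dst": alert["dst"], "msg": alert["msg"], "snort_prio": alert["prio"],
                        "level": level, "reason": reason})
    return results


def summary(alert_text):
    """Count alerts per correlated priority level."""
    return Counter(r["level"] for r in triage(alert_text))


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f"{r['level']:6} {r['dst']:12} {r['reason']}")
```

On the constructed input, the same worm signature fires four times with identical Snort priority, but only the hit on the unpatched SQL Server comes out high; the patched server and the web host (nothing listening on 1434) drop to low, and the host the inventory has never seen stays at medium because nothing can be said about it. The caveat a practitioner will spot immediately is that the downgrade is only as good as the inventory: a stale patch record silently turns a real compromise into a low-priority event, which is why asset discovery has to be continuous rather than a one-off scan.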

One area the SC review found wanting was SourceFire's ability to analyze data for trends; the reviewers' workaround was to feed the data into a different product (ArcSight ESM) for further analysis. The InfoWorld reviewers noted SourceFire's inability to protect against VoIP-based attacks, but acknowledged the edge its "bleeding-edge" Snort community gives it.

Snort's influence is strongly present in the Intrusion Sensor component of SourceFire, which is built atop the Snort IDS engine. This has pluses and minuses. On the plus side, Garza and Herring liked the ability to customize simple Snort signatures to fit the demands of their particular network. On the minus side, they needed to invest a few hours in adjusting those signatures to reduce the number of false positives they received. Gartner analysts also noted that SourceFire needed to develop more signatures of its own rather than depend on Snort's.

Regarding future trends in the network intrusion sector, Gartner projects a problem area in "malicious executables that do not look to exploit known vulnerabilities." It will be interesting to see how SourceFire, TippingPoint, StillSecure and other vendors address this potentially complex threat in the future.

Article courtesy of eSecurityPlanet

This article was originally published on Jun 20, 2007