A call for help to open source integrators.
Long-time intrusion-detection system watchers will inevitably want to know: what about Snort? The popular open source IDS has a fanatical following and is respected as an excellent detection engine. Why wasn't it included in this review?
Testing open source products has always been a difficult proposition. The lack of timely technical support, as well as a heavy reliance on lore and custom (rather than defaults and documentation) for proper and speedy operation, has often produced test results that reflect open source products at their worst, rather than their best.
Snort makes this even more difficult, because it is far from a complete IDS solution. In this review, we spent little time analyzing the detection engine and most of our effort evaluating how well the product supports security analysts in their day-to-day job. Snort, out of the box, would have fared miserably in this test - and Snort's advocates would legitimately cry "foul." Snort's enthusiastic user community has built its own extensive set of add-ons and plug-ins - more than 20 of them - that take Snort from a good detection engine to a full-fledged network IDS.
For many network managers, having so many possibilities is a blessing. For a reviewer, it's a curse. If we pick a particular set of add-ons to provide an environment similar to, for example, what Cisco or Internet Security Systems sell, then how do we pick the add-ons? What operating system should it run on? How should the hardware be configured, and what kinds of I/O subsystems are needed? More generally, how do we architect an IDS implementation out of the thousands of possible options that would fairly represent how Snort compares with the commercial products we tested?
Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick operating system, hardware, multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine.
Our experience has taught us one important thing: no matter what choice of product, add-on and architecture we make, it won't satisfy the set of hard-core Snort aficionados who believe that Snort is the answer to any (or most) intrusion-detection questions. While the hate mail wouldn't bother us, there's a bigger point to be made. Our goal in these reviews is to help enterprise network managers understand products in the marketplace, their strengths and weaknesses, capabilities and deficiencies. How would picking a particular set of options meet those goals?
One option might be to let the open source community act as system integrators. While that could be an easy way to deflect criticism from our own choice of products, options, and tuning, we found that it doesn't matter: no one was willing to bell the cat. Our call for assistance to the Snort community, for someone to act as the "vendor" for our Snort solution, brought a number of volunteers who expressed interest. However, none were actually willing and/or able to spend the time required to put Snort in the review as a peer product.
Snort did get into this review, at least partially, with the Barbedwired product, which includes Snort as an integral part of its IDS. We also invited Sourcefire, the company where Snort's authors work, to submit its commercialized version of Snort for review, but it declined.