Where’s the Snort representative?

Oct 13, 2003, 3 mins
Network Security, Open Source, Security

A call for help to open source integrators.

Long-time intrusion-detection system watchers will inevitably want to know: what about Snort? The popular open source IDS has a fanatical following and is respected as an excellent detection engine. Why wasn’t it included in this review?

Testing open source products has always been a difficult proposition. The lack of timely technical support, as well as a heavy reliance on lore and custom (rather than defaults and documentation) for proper and speedy operation, has often caused test results that might reflect how open source products perform at their worst, rather than their best.

Snort makes this even more difficult, because it is far from a complete IDS solution. In this review, we spent little time analyzing the detection engine and most of our effort evaluating how well the product supports security analysts in their day-to-day job. Snort, out of the box, would have fared miserably in this test – and Snort’s advocates would legitimately cry “foul.” Snort’s enthusiastic user community has built its own extensive set of add-ons and plug-ins – more than 20 of them – that take Snort from a good detection engine to a full-fledged network IDS.

For many network managers, having so many possibilities is a blessing. For a reviewer, it’s a curse. If we pick a particular set of add-ons to provide an environment similar to, for example, what Cisco or Internet Security Systems sell, then how do we pick the add-ons? What operating system should it run on? How should the hardware be configured, and what kinds of I/O subsystems are needed? More generally, how do we architect an IDS implementation out of the thousands of possible options that would fairly represent how Snort compares with the commercial products we tested?

Snort, like many complex open source tools, requires the security analyst to also be a system integrator: pick an operating system, hardware and multiple applications, and bring them all together into a high-performance network IDS. Reviewing Snort would require us to play system integrator to start to capture the possibilities surrounding the popular detection engine.

Our experience has taught us one important thing: no matter what choice of product, add-on and architecture we make, it won’t satisfy the set of hard-core Snort aficionados who believe that Snort is the answer to any (or most) intrusion-detection questions. While the hate mail wouldn’t bother us, there’s a bigger point to be made. Our goal in these reviews is to help enterprise network managers understand products in the marketplace, their strengths and weaknesses, capabilities and deficiencies. How would picking a particular set of options meet those goals?

One option might be to let the open source community act as system integrators. While that could be an easy way to deflect criticism from our own choice of products, options, and tuning, we found that it doesn’t matter: no one was willing to bell the cat. Our call for assistance to the Snort community, for someone to act as the “vendor” for our Snort solution, brought a number of volunteers who expressed interest. However, none were actually willing and/or able to spend the time required to put Snort in the review as a peer product.

Snort did get in this review, at least partially, with the Barbedwired product, which includes Snort as an integral part of its IDS. We also invited Sourcefire, the company where Snort’s authors work, to submit their commercialized version of Snort for review, although it declined.