[Dshield] WINSNORT

DigitalNation dshield at digitalnation.ca
Fri Feb 24 21:44:34 GMT 2006


Thanks.

So if SNORT shouldn't be run on Windows why do you offer a version?

Just curious.

Great info though.

------------------
M. McBride
Security Admin
DigitalNation
Vancouver, Canada
 

-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of JE
Sent: Friday, February 24, 2006 1:11 PM
To: General DShield Discussion List
Subject: Re: [Dshield] WINSNORT


K..  Time for me to say something about it ;)

Intro -- For those that aren't aware... which.. on this list..  is few
My name is Joel Esler, I work for Sourcefire, makers of Snort. </intro>

IMHO, an IDS should never be run on Windows.  (not just because of
its vulnerabilities, but because Windows' kernel can't keep up)

In our testing, the Linux and BSD Kernels are much faster at doing  
all the various analyzation that we force Snort to do on traffic.   
You shouldn't have a problem at low speeds, but I wouldn't run Snort  
on a Windows box on anything more than say... 100 Mg a second.  (That  
is not an official Sourcefire statement, just my opinion)

winsnort.com compiles their own version of Snort.  Now, I'm not aware  
if we have done a comparison between "theirs" and "ours", but we also  
compile a version of Snort that runs on Windows.  (see www.snort.org/dl)

If you are considering going with any kind of Sourcefire solution,  
RNA..IS.. what have you.  I would go all the way with it.  You'll get  
a better deal, plus you'll have the full backing of VRT, Support, and  
the rest of the Sourcefire team.

Joel

On Feb 24, 2006, at 1:53 PM, DigitalNation wrote:

> Thanks Sue!
>
> By necessity we run some WIN32 boxes and need to have some form of packet
> capture and analysis. This looks pretty stable from what I have heard.
>
> Again, many thanks for your comment.
>
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>
>
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of Sue Young
> Sent: Thursday, February 23, 2006 11:18 AM
> To: General DShield Discussion List
> Subject: Re: [Dshield] WINSNORT
>
>
> I run it successfully.  I run it as a service and use Base as a front end.
> I'm seriously considering going with the professional RNA console but
> running the free one is great for getting used to managing an IDS system.
>
> Sue Young
>
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of DigitalNation
> Sent: Tuesday, February 21, 2006 3:29 PM
> To: 'General DShield Discussion List'
> Subject: [Dshield] WINSNORT
>
> Here's a question from a somewhat new-to-this member.
>
> Is WINSNORT a stable IDS for WIN32? (http://www.winsnort.com)
>
> Can you install it on an existing server? (the install instructions say to
> install on new OS). I assume that would be for a gateway IDS system. Will it
> work on a standalone box?
>
> Any info or experiences with this would be much appreciated.
>
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>
> _________________________________________
> Learn about Intrusion Detection in Depth from the comfort of your own couch:
> https://www.sans.org/athome/details.php?id=1341&d=1
>
> _______________________________________________
> send all posts to list at lists.dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list