[Dshield] WINSNORT

JE eslerj at gmail.com
Fri Feb 24 21:51:36 GMT 2006


Because there is a demand.

Windows shouldn't be a public facing server anywhere.  ;)  Not just  
an IDS... IMO.

I'm not saying that Windows-based Snort is awful, I'm just saying the  
Linux/BSD versions are faster.

J


On Feb 24, 2006, at 4:44 PM, DigitalNation wrote:

> Thanks.
>
> So if SNORT shouldn't be run on Windows why do you offer a version?
>
> Just curious.
>
> Great info though.
>
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
> On Behalf Of JE
> Sent: Friday, February 24, 2006 1:11 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] WINSNORT
>
>
> K..  Time for me to say something about it ;)
>
> Intro -- For those that aren't aware... which.. on this list.. is few
> My name is Joel Esler, I work for Sourcefire, makers of Snort. </intro>
>
> IMHO, an IDS should never be run on Windows.  (not just because of
> its vulnerabilities, but because Windows' kernel can't keep up)
>
> In our testing, the Linux and BSD Kernels are much faster at doing
> all the various analyzation that we force Snort to do on traffic.
> You shouldn't have a problem at low speeds, but I wouldn't run Snort
> on a Windows box on anything more than say... 100 Mg a second.  (That
> is not an official Sourcefire statement, just my opinion)
>
> winsnort.com compiles their own version of Snort.  Now, I'm not aware
> if we have done a comparison between "theirs" and "ours", but we also
> compile a version of Snort that runs on Windows.  (see www.snort.org/dl)
>
> If you are considering going with any kind of Sourcefire solution,
> RNA..IS.. what have you.  I would go all the way with it.  You'll get
> a better deal, plus you'll have the full backing of VRT, Support, and
> the rest of the Sourcefire team.
>
> Joel
>
> On Feb 24, 2006, at 1:53 PM, DigitalNation wrote:
>
>> Thanks Sue!
>>
>> By necessity we run some WIN32 boxes and need to have some form of packet
>> capture and analysis. This looks pretty stable from what I have heard.
>>
>> Again, many thanks for your comment.
>>
>> ------------------
>> M. McBride
>> Security Admin
>> DigitalNation
>> Vancouver, Canada
>>
>>
>>
>> -----Original Message-----
>> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
>> On Behalf Of Sue Young
>> Sent: Thursday, February 23, 2006 11:18 AM
>> To: General DShield Discussion List
>> Subject: Re: [Dshield] WINSNORT
>>
>>
>> I run it successfully.  I run it as a service and use Base as a front end.
>> I'm seriously considering going with the professional RNA console but
>> running the free one is great for getting used to managing an IDS system.
>>
>> Sue Young
>>
>>
>> -----Original Message-----
>> From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
>> On Behalf Of DigitalNation
>> Sent: Tuesday, February 21, 2006 3:29 PM
>> To: 'General DShield Discussion List'
>> Subject: [Dshield] WINSNORT
>>
>> Here's a question from a somewhat new-to-this member.
>>
>> Is WINSNORT a stable IDS for WIN32? (http://www.winsnort.com)
>>
>> Can you install it on an existing server? (the install instructions say to
>> install on new OS). I assume that would be for a gateway IDS system. Will it
>> work on a standalone box?
>>
>> Any info or experiences with this would be much appreciated.
>>
>> ------------------
>> M. McBride
>> Security Admin
>> DigitalNation
>> Vancouver, Canada
>>
>> _________________________________________
>> Learn about Intrusion Detection in Depth from the comfort of your own
>> couch:
>> https://www.sans.org/athome/details.php?id=1341&d=1
>>
>> _______________________________________________
>> send all posts to list at lists.dshield.org
>> To change your subscription options (or unsubscribe), see:
>> http://www.dshield.org/mailman/listinfo/list