[Dshield] WINSNORT

Chris Wright dshield at yaps4u.net
Fri Feb 24 23:50:22 GMT 2006


He (Joel) never said it shouldn't be run on windows and made a point of
stating that.
What he said was, windows isn't the best choice platform if you are going to
be running it on a high traffic network.
It is probably ok for me to install winsnort on my spare windows box (I
don't really have one), connected to my 1meg ADSL line, but not something I
would really want to have snorting my Gigabit ports/networks on my work
systems.
As he states the system overhead of the Wins boxes pretty much ties it to
100M or less, or the windows boxes simply wouldn't keep up.

And I suppose officially, there is nothing wrong with getting the world's
biggest PC with the fastest processor(s), loads of RAM, loads of the fastest
drives etc etc, and you would still get a better performance running it on a
*nix box with a 386 and 640k of base memory (ok, slight exaggeration, but you
get my point).

Just like you wouldn't want a Windows box doing Real Time Data Acquisition,
or some other time critical operations, to do a proper job, you need a
proper OS, built for the purpose.  Windows just ain't it. (And I run more
windows boxes than *nix boxes so I am definitely NOT anti-MS. I am just
careful about what I run on them).


My $0.02 

Regards

Chris 

> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org] On Behalf Of DigitalNation
> Sent: 24 February 2006 21:45
> To: 'General DShield Discussion List'
> Subject: Re: [Dshield] WINSNORT
> 
> Thanks.
> 
> So if SNORT shouldn't be run on Windows why do you offer a version?
> 
> Just curious.
> 
> Great info though.
> 
> ------------------
> M. McBride
> Security Admin
> DigitalNation
> Vancouver, Canada
>  
> .
> 
> 
> 
> 
> 
> -----Original Message-----
> From: list-bounces at lists.dshield.org 
> [mailto:list-bounces at lists.dshield.org]
> On Behalf Of JE
> Sent: Friday, February 24, 2006 1:11 PM
> To: General DShield Discussion List
> Subject: Re: [Dshield] WINSNORT
> 
> 
> K..  Time for me to say something about it ;)
> 
> Intro -- For those that aren't aware... which.. on this 
> list..  is few My name is Joel Esler, I work for Sourcefire, 
> makers of Snort. </intro>
> 
> IMHO, an IDS should never be run on Windows.  (not just 
> because of its vulnerabilities, but because Windows' kernel 
> can't keep up)
> 
> In our testing, the Linux and BSD Kernels are much faster at doing  
> all the various analyzation that we force Snort to do on traffic.   
> You shouldn't have a problem at low speeds, but I wouldn't 
> run Snort on a Windows box on anything more than say... 100 
> Mg a second.  (That is not an official Sourcefire statement, 
> just my opinion)
> 
> winsnort.com compiles their own version of Snort.  Now, I'm 
> not aware if we have done a comparison between "theirs" and 
> "ours", but we also compile a version of Snort that runs on 
> Windows.  (see www.snort.org/dl)
> 
> If you are considering going with any kind of Sourcefire 
> solution, RNA..IS.. what have you.  I would go all the way 
> with it.  You'll get a better deal, plus you'll have the full 
> backing of VRT, Support, and the rest of the Sourcefire team.
> 
> Joel
> 
> On Feb 24, 2006, at 1:53 PM, DigitalNation wrote:
> 
> > Thanks Sue!
> >
> > By necessity we run some WIN32 boxes and need to have some form of 
> > packet capture and analysis. This looks pretty stable from 
> what I have 
> > heard.
> >
> > Again, many thanks for your comment.
> >
> > ------------------
> > M. McBride
> > Security Admin
> > DigitalNation
> > Vancouver, Canada
> >
> >
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list- 
> > bounces at lists.dshield.org] On Behalf Of Sue Young
> > Sent: Thursday, February 23, 2006 11:18 AM
> > To: General DShield Discussion List
> > Subject: Re: [Dshield] WINSNORT
> >
> >
> > I run it successfully.  I run it as a service and use Base 
> as a front 
> > end.
> > I'm seriously considering going with the professional RNA 
> console but 
> > running the free one is great for getting used to managing an IDS 
> > system.
> >
> > Sue Young
> >
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org [mailto:list- 
> > bounces at lists.dshield.org] On Behalf Of DigitalNation
> > Sent: Tuesday, February 21, 2006 3:29 PM
> > To: 'General DShield Discussion List'
> > Subject: [Dshield] WINSNORT
> >
> > Here's a question from a somewhat new-to-this member.
> >
> > Is WINSNORT a stable IDS for WIN32? (http://www.winsnort.com)
> >
> > Can you install it on an existing server? (the install instructions 
> > say to install on new OS). I assume that would be for a gateway IDS 
> > system. Will it work on a standalone box?
> >
> > Any info or experiences with this would be much appreciated.
> >
> > ------------------
> > M. McBride
> > Security Admin
> > DigitalNation
> > Vancouver, Canada
> >
> > _________________________________________
> > Learn about Intrusion Detection in Depth from the comfort 
> of your own
> > couch:
> > https://www.sans.org/athome/details.php?id=1341&d=1
> >
> > _______________________________________________
> > send all posts to list at lists.dshield.org To change your 
> subscription 
> > options (or unsubscribe), see: 
> > http://www.dshield.org/mailman/listinfo/list
> >
> >
> 
> 


