[Snort-users] Cisco IDS

John Hally

Jan 17, 2005, 9:28:58 AM

Hello Group,

Out of curiosity, has anyone had any experience with Cisco's IDS? I'm
curious how Snort stacks up in strengths/weaknesses including Sourcefire's
commercial products.

Thanks in advance!


_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Theodore Stout

Jan 17, 2005, 10:40:11 AM

Hello John,

Yeah I have used Cisco IDS. In fact I used to sell
it. I used to sell ISS RealSecure too. Now I build
and sell Snort as well as Sourcefire.

So, which is better? I like Sourcefire a lot. It is
easy to use and fun.

After that, I am devoted to Snort. Love it. Great!
Have it at home.

Following this, I have to say that Cisco IDS is good
in conjunction with the 65XX class of switches. If
you need like +5Gig of throughput, this is a nice
solution.

However, I have always thought that IDS should not be
deployed in this manner. I suppose for an ISP, this
would be useful; however, I still do not think it is
smart due to system degradation problems. Of their 1
gig devices, I do not think they have a better
solution than Sourcefire.

So I would go with Sourcefire if you have the budget
and want 250meg to 1 Gig throughput. However, for other
purposes, Snort is quite good. Additionally, if you
don't have the skills to actually build Snort using
Fedora Core or OpenBSD, then using Sourcefire is my
suggestion since it is just so easy for normal Admins
to use. However, if you have the skills, or your staff
has the skills, consider Snort as well.

It is also worth pointing out that with Cisco, the
signatures really are dependent on your maintenance
contract with your vendor. With Snort, you get that
stuff for free.

Hope that helps,

Theodore Stout, CISSP
CCSP, CCNP, CCIP
ISS MSS Engineer
(Yeah I studied too much.....)

--- John Hally <JHa...@epnet.com> wrote:

> Hello Group,
>
> Out of curiosity, has anyone had any experience with
> Cisco's IDS? I'm
> curious how Snort stacks up in strengths/weaknesses
> including Sourcefire's
> commercial products.
>
> Thanks in advance!


Alex Butcher, ISC/ISYS

Jan 17, 2005, 12:26:15 PM

--On 16 January 2005 08:36 -0500 John Hally <JHa...@epnet.com> wrote:

> Out of curiosity, has anyone had any experience with Cisco's IDS? I'm
> curious how Snort stacks up in strengths/weaknesses including
> Sourcefire's commercial products.

When using CSIDS back in 2002, I found it was impossible to determine why
signatures had been triggered. Further, it was hard to tune rules (other
than by source/dest IP). Things may have improved since then, but I've not
heard anything that indicates that this is the case.

> Thanks in advance!

HTH,
Alex.
--
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9

Brian

Jan 17, 2005, 2:50:55 PM

On Mon, Jan 17, 2005 at 07:12:37AM -0800, Theodore Stout wrote:
> So, which is better? I like Sourcefire a lot. It is
> easy to use and fun.

Sure, but is it funalicious?

Brian

Joe Patterson

Jan 17, 2005, 3:24:43 PM

> -----Original Message-----
> [mailto:snort-us...@lists.sourceforge.net]On Behalf Of Theodore
> Stout
> Sent: Monday, January 17, 2005 10:13 AM
> To: John Hally; 'snort...@lists.sourceforge.net'
> Subject: Re: [Snort-users] Cisco IDS
...

> Following this, I have to say that Cisco IDS is good
> in conjunction with the 65XX class of switches. If
> you need like +5Gig of throughput, this is a nice
> solution.

Note, however, that the IDS component of this, the IDSM-2 (I'm assuming this
is what you are referring to) doesn't exactly have multi-gigabit inspection
capability. From
http://www.cisco.com/en/US/products/hw/modules/ps2706/products_data_sheet09186a00801e55dd.html:
"600 megabits per second (Mbps) of IDS inspection provides high-speed
packet-examination capabilities and allows for more protection of a wider
variety of networks and traffic"

It sounds to me like you'd actually get better performance by taking a
gigabit IDS and plugging it into a SPAN port.

That, and it's also a $20K box.

Which is, of course, one of the reasons that I prefer snort. :)

-Joe

Will Metcalf

Jan 17, 2005, 4:38:14 PM

I turned my 4235s into snort boxes ;-)

Regards,

Will

Will Metcalf

Jan 17, 2005, 7:32:50 PM

Debian woody. I had to use the Debian install disk built for Dell servers.

http://wiki.osuosl.org/display/LNX/Debian+on+Dell+Servers

Regards,

Will


On Mon, 17 Jan 2005 17:15:05 -0500, shane mullins
<tsmu...@optidynamic.com> wrote:
> Cool,
>
> What OS did you use?
>
> Shane

Theodore Stout

Jan 17, 2005, 11:55:50 PM

funalicious???

I had to google the word for around 30 mins to
discover what it means.

Over here in Japan, we usually say "Oishii" instead.

Yeah, it is funalicious. I like it a lot.
Actually, RNA with Snort together is quite Sexy. The
first time I booted those 2 on a 1 Gig Fiber
connection...! Man! Don't get me started. I was
Coo-coo for quite a while. Hadn't felt that way since
I built my Firewall in OpenPF. Shoot, maybe not since
I met a Japanese chick for the first time. Like when
that happened, I knew I was going to Japan. In the
same way, when I saw RNA, I knew I had been stupid to
use IDS only for such a long time. I was seeing the
future.

Very Oishii indeed.

Theo

--- Brian <b...@snort.org> wrote:

> On Mon, Jan 17, 2005 at 07:12:37AM -0800, Theodore
> Stout wrote:
> > So, which is better? I like Sourcefire a lot. It is
> > easy to use and fun.
>
> Sure, but is it funalicious?
>
> Brian

Theodore Stout

Jan 18, 2005, 12:12:00 AM

Joe,

Yeah I am talking about the IDSM-2 Module.

Only $20k?? No way! It is way more than that, at
least it is here in Japan. Last time I got a quote on
it, the price was well into the $60Ks.

I agree with using Gig Snort instead, better yet,
Sourcefire.

This is not a commercial plug, but it is just easy to
use and customers can understand it. And it is so
much prettier than ACID or Aanval.

Yeah, pretty sells here in Japan.

Theo


M. Shirk

Jan 18, 2005, 2:41:47 PM

LOL. Way to use the hardware :-)

Shirkdog
http://www.shirkdog.us

>From: Will Metcalf <william...@gmail.com>
>Reply-To: Will Metcalf <william...@gmail.com>
>To: Joe Patterson <jpatt...@asgardgroup.com>
>CC: snort...@lists.sourceforge.net, theodo...@yahoo.com
>Subject: Re: [Snort-users] Cisco IDS
>Date: Mon, 17 Jan 2005 13:47:43 -0600
>
>I turned my 4235s into snort boxes ;-)
>
>Regards,
>
>Will
>
>On Mon, 17 Jan 2005 14:22:59 -0500, Joe Patterson
