This isnt ment to be a flame thread. During a security audit our vendor said that the Cisco IDS's we use are not really that good and we should move to SNORT.
Is SNORT a good product to use in conjuction with the Cisco IDS or just by itself replacing out the Cisco IDS's? We have always stuck to CISCO equipment, and never really did anything else. Mainly because of the reliability and performance it offers.
In my experience, the statement that "SNORT is better than
IMNSHO, both products are excellent; they're just different. Cisco, at least when compared to the last version of SNORT I played with (1.9, 2.0), was better at both IP fragment and TCP session reassembly. Furthermore, you generally don't get contractually obligated support with SNORT (unless of course you buy Sourcefire, but that's not really the same thing...).
Snort's biggest advantages, again IMNSHO, are cost (generally hardware only, if you don't factor in configuration and maintenance man power costs...) and flexibility. By flexibility, I mean that you can deploy it on just about anything running Linux (desktop, server, inline) and you can choose to use it as either an IPS (Snort-inline), NNIDS (Snort running on a desktop or server) or NIDS (Snort on a system acting as a purpose-built sensor).
Both of them are fairly easy to modify with custom signatures and new signatures are coming out very frequently (user community for Snort, vendor-supplied for Cisco IDS), so neither has a distinct advantage here.
That's just a quick response. There is usually a deeper philosophical discussion here, but this goes back to my "bias favouring anything Open Source" comment.
I hope this helps,
I have been asked the same question in my organization as why we should pay Cisco $$ when Snort is available and
have people liking it so much? Any Cisco folks here who can justify Cisco IPS (apart from saying that Snort is open source). Any other real advantage as why one should move away from Snort and move to Cisco IPS?
Agreed. Each one has its own set of pros and cons, and which one is appropriate can be determined by several factors. But a blanket statement of one over the other is just ... naive.
Also, one of the MAJOR benefits for the Cisco products now, is the "Global Correlation" functionality. I'm not familiar enough with Snort to know if it has a similar feature set, but I can't imagine that it would.
The SouruceFire product has its rules compiled for faster responses therefore more rule sets can be turned on for detection. Snort is not compiled. Most CISA auditors have moved into Security Auditing from the Accounting Auditing world and have little knowledge of the security world.
umm. 6-11 year old thread. I think the original posters have most likely moved on.
Also, given that Cisco bought Sourcefire in 2014 and that FirePOWER incorporates the Snort engine, the original point is also moot.
My intention is to run Snort on Cisco 4K routers (they need SEC lic and 8G or DRAM/Flash).
So my question is what are the management offerings? I cannot see a Cisco one but can see a few 3rd party options.
Are there any recommendations for the Snort management?