Is Snort better than proprietary IDS?

How is Snort (open source) "better" than proprietary software? Is Snort difficult to manage or to find support...


I would argue that Snort is better than a proprietary solution because it is open source. See http://www.dwheeler.com/oss_fs_why.html and http://www.opensource.org/ for the general arguments, but I'll address some specifics here.

First, open source has the potential for more peer review, which translates into quality assurance. No software is bug free, but no company can afford to hire the number of people worldwide who take an interest in reviewing and securing open source code. Be aware that just because the potential exists does not mean that all open source code is extensively reviewed, but given Snort's popularity it's safe to say that a lot of people have looked at the code.

Second, and more important in this case, Snort's rules are open source also. The rules or signatures are the heart of a signature-based IDS. They describe the malicious traffic patterns to look for and alert on if found. The problem with many of the commercial products is that you don't get to see the actual rule. All you get to see is a couple of paragraphs that someone at the vendor wrote about what that rule is SUPPOSED to do. Some vendor descriptions are better than others, but the bottom line with Snort is that I can see the actual code that triggered the alert. That means that I get to evaluate how relevant I find the alert, and I don't have to depend on the person at the vendor who wrote the paragraph. When you spend a lot of time looking at IDS events, which I do, this is key.

Snort is no more difficult to manage than any other IDS. The biggest challenge is probably picking which tools and operating system you want, since Snort runs on Windows and all major UNIX variations. Several companies support Snort appliances with Web GUI management and reporting tools. If you work in an environment where it's easier to get a product by paying for it than by downloading it for free, definitely check out SourceFire, the actual creators of Snort. There are other options as well. Google is your friend.

Finally, you will receive free support from the Snort user community. Check the Snort.org Web site for the FAQ and mailing lists.

This was last published in January 2004
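The answer's central point is that a Snort rule is plain text an analyst can read, so the exact pattern that fired an alert is never hidden behind a vendor's description. The following is an added example, not part of the original answer and not Snort's own code: two constructed rules in Snort's rule syntax (sids in the local-rule range, 1000000 and up, so they are not real community rule ids) fed to a toy reader that handles only a small subset of the rule language (`msg`, `content`, `nocase`, `sid`, and `|..|` hex escapes inside content strings) and checks them against constructed packet payloads. The rule text, the payloads, and the helper names are all assumptions made for the illustration; the real Snort engine does far more (preprocessors, PCRE, flow tracking, byte tests) than this reader.

```python
"""Toy reader for Snort-style rules (constructed example, not Snort's parser).

Shows why an open, readable signature matters: given an alert, the analyst can
look at the content matches that produced it and judge the alert's relevance.
"""
import re
from dataclasses import dataclass, field

# Constructed rules in Snort's text syntax. The sid values sit in the
# local-rule range (>= 1000000); they are not real Snort community rule ids.
RULES = r'''
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-CGI example probe"; flow:to_server; content:"/cgi-bin/"; nocase; content:"../"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP SITE EXEC attempt"; content:"SITE"; nocase; content:"EXEC"; nocase; sid:1000002; rev:1;)
'''

@dataclass
class Rule:
    action: str
    proto: str
    dst_port: str
    msg: str
    contents: list = field(default_factory=list)  # entries: [pattern_bytes, nocase]
    sid: str = ""

# Rule header: action proto src sport direction dst dport (options)
HEADER = re.compile(
    r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def decode_content(text):
    """Turn a Snort content string such as GET|20|/ into bytes (|..| is hex)."""
    out = b""
    for i, chunk in enumerate(text.split("|")):
        out += chunk.encode("latin-1") if i % 2 == 0 else bytes.fromhex(chunk)
    return out

def parse_rule(line):
    """Parse one rule line; only the options this toy understands are kept."""
    m = HEADER.match(line.strip())
    if not m:
        raise ValueError("not a rule: " + line)
    action, proto, _src, _sport, _direction, _dst, dport, body = m.groups()
    rule = Rule(action, proto, dport, "")
    # Simplification: real rules may contain ';' inside quoted strings.
    for opt in filter(None, (o.strip() for o in body.split(";"))):
        key, _, val = opt.partition(":")
        val = val.strip().strip('"')
        if key == "msg":
            rule.msg = val
        elif key == "content":
            rule.contents.append([decode_content(val), False])
        elif key == "nocase" and rule.contents:
            rule.contents[-1][1] = True  # modifier applies to preceding content
        elif key == "sid":
            rule.sid = val
    return rule

def matches(rule, proto, dst_port, payload):
    """True when protocol, destination port and every content match hold."""
    if rule.proto != proto:
        return False
    if rule.dst_port != "any" and rule.dst_port != str(dst_port):
        return False
    for pattern, nocase in rule.contents:
        hay, needle = (payload.lower(), pattern.lower()) if nocase else (payload, pattern)
        if needle not in hay:
            return False
    return True

def evaluate(rules_text, proto, dst_port, payload):
    """Return (sid, msg) for each rule the packet triggers."""
    rules = [parse_rule(l) for l in rules_text.strip().splitlines() if l.strip()]
    return [(r.sid, r.msg) for r in rules if matches(r, proto, dst_port, payload)]

if __name__ == "__main__":
    # Constructed payloads: one that fires rule 1000001 and one that does not,
    # so the analyst can see exactly which content match made the difference.
    for pkt in (b"GET /CGI-BIN/test-cgi/../ HTTP/1.0\r\n",
                b"GET /cgi-bin/test-cgi HTTP/1.0\r\n"):
        print(pkt, "->", evaluate(RULES, "tcp", 80, pkt))
```

Running the module prints the alerts for the two constructed web requests; the second request contains `/cgi-bin/` but not `../`, so it triggers nothing, and the rule text shows why without consulting anyone else's write-up.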

