From: Adrian S. <soo...@gm...> - 2005-11-10 00:21:55
I don't know whether Sourcefire uses snort-inline or not, but I do know that one limitation they have run into in the past with their IPSs and IDSs is the database. The database is a bottleneck that I think many people overlook. They may use snort-inline, but what gives them and a few other IPS vendors their "competitive edge", if you will, is the database that collects all their information. I've never used an IPS from ISS, but I hear they don't bother logging alerts in as great detail as Sourcefire's and others' IPSs do because of the database problem. For example, when MySQL or Oracle get a million or so records, record insertion rates drop down to somewhere in the hundreds per second (or slower, depending on the database schema and how many indexes you have; the more indexes, the slower the insertion rates) -- not good if you're on a busy network or having one database collecting alerts for many sensors! I think they use a proprietary high-speed database that they license from some other company. The database boasts it can do orders of magnitude more insertions per second, even with hundreds of millions of records (Oracle will fall on its face with that many records!). The database also has a crazy fast record retrieval rate, even when there are millions of records to search through. For users that have a small internet pipe, perhaps this solution will work. But when getting into the 30, 100 Mbit or gigabit space, the database is going to be the biggest bottleneck. You wouldn't be able to use one of these honeywall or live-CD IPSs to protect an internal network, if there are alerts being generated.

-Adrian

On 11/8/05, Richard Compton <ric...@gm...> wrote:
> Ok, so that's the answer? Sourcefire uses an older version of snort_inline
> which is developed by William Metcalf and others for their "SC best buy"
> IPS. I'm running a newer version of snort-inline and it was free. I'd say
> that's the real "best buy" :)
>
> It occurs to me that it would be very convenient for folks out there to
> have a live cd or an install cd that would have the OS, snort-inline,
> iptables, clamav, base, ntop, etc preconfigured so users could just download
> the cd, install it on a box w/ 3 ethernet interfaces and PRESTO! you have an
> IPS.
>
> Maybe the honeywall cd could be modified? It has pretty much everything
> listed.
>
> Any comments?
>
>
> On 11/7/05, Nick Rogness <ni...@ro...> wrote:
> >
> > > I am not subscribed to the list from this address so please copy me on
> > > any replies.
> > >
> > > Nick Rogness wrote:
> > >>>Sourcefire maintains and uses the inline capabilities of snort proper
> > >>>
> > >>>EG:
> > >>>
> > >>>$ wget http://www.snort.org/dl/current/snort-2.4.3.tar.gz
> > >>>$ tar -xvzf snort-2.4.3.tar.gz
> > >>>$ cd snort-2.4.3
> > >>>$ ./configure --enable-inline && make && make install
> > >>>
> > >>
> > >>
> > >> I would be very surprised if SourceFire is using snort_inline for
> > >> their
> > >> production branch. More likely, it is a modified version of
> > >> snort+flexresponse. Is anyone at SourceFire on this list that could
> > >> comment?
> > >
> > > Sourcefire does not use snort-inline or a modified version of
> > > snort+flexresp, we maintain and use the inline capabilities of snort
> > > proper.
> > >
> > > The same capabilities are available in Snort from
> > > http://www.snort.org/dl and can be enabled by fetching the latest
> > > sources and enabling inline mode by doing ./configure --enable-inline
> > > during the build process.
> >
> > Ummm, that IS snort_inline then (an older version patch). I'll be
> > damned...
> >
> > > Nick Rogness <ni...@ro...>
> >
>
> --
> Thanks,
> Rich Compton
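The alert-database throughput point made above, as an added example that is not part of the original thread and not code from Snort, Sourcefire or any of the posters: a Python script that inserts constructed IDS alert rows into an in-memory SQLite table and reports the insertion rate with no secondary indexes versus four of them, and with a commit per alert versus one transaction per batch. SQLite is assumed as a stand-in for MySQL/Oracle, and the `event` schema, index names and sample rows are hypothetical simplifications of an alert-console table.

```python
# Added example (not from the original thread or any Snort/Sourcefire code):
# measure how quickly constructed IDS alert rows can be inserted into an
# alert table, with and without secondary indexes, and with per-row commits
# versus batched transactions.  SQLite in memory stands in for MySQL/Oracle;
# the 'event' schema below is a hypothetical simplification of an alert row.
import random
import sqlite3
import time

SCHEMA = """
CREATE TABLE event (
    sid       INTEGER NOT NULL,   -- sensor id
    cid       INTEGER NOT NULL,   -- per-sensor event counter
    signature INTEGER NOT NULL,
    timestamp TEXT    NOT NULL,
    ip_src    INTEGER NOT NULL,
    ip_dst    INTEGER NOT NULL,
    PRIMARY KEY (sid, cid)
);
"""

# Secondary indexes an alert console would typically want for searching.
INDEXES = [
    "CREATE INDEX idx_event_sig ON event(signature)",
    "CREATE INDEX idx_event_ts  ON event(timestamp)",
    "CREATE INDEX idx_event_src ON event(ip_src)",
    "CREATE INDEX idx_event_dst ON event(ip_dst)",
]


def make_alerts(n, seed=1):
    """Construct n deterministic sample alert rows (sid, cid, sig, ts, src, dst)."""
    rng = random.Random(seed)
    return [
        (1, cid, rng.randint(1, 5000),
         "2005-11-10 00:%02d:%02d" % (cid // 60 % 60, cid % 60),
         rng.getrandbits(32), rng.getrandbits(32))
        for cid in range(1, n + 1)
    ]


def insert_rate(alerts, with_indexes, batch_size):
    """Insert all alerts, committing every batch_size rows.

    Returns (rows_stored, rows_per_second)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if with_indexes:
        for stmt in INDEXES:
            conn.execute(stmt)
    sql = "INSERT INTO event VALUES (?, ?, ?, ?, ?, ?)"
    start = time.perf_counter()
    for i in range(0, len(alerts), batch_size):
        conn.executemany(sql, alerts[i:i + batch_size])
        conn.commit()           # one transaction per batch
    elapsed = time.perf_counter() - start
    rows = conn.execute("SELECT COUNT(*) FROM event").fetchone()[0]
    conn.close()
    return rows, rows / elapsed if elapsed > 0 else float("inf")


def benchmark(n=20000):
    """Run the four configurations and return {label: (rows, rows_per_sec)}."""
    alerts = make_alerts(n)
    configs = [
        ("no_index_per_row_commit", False, 1),
        ("indexed_per_row_commit", True, 1),
        ("no_index_batched", False, n),
        ("indexed_batched", True, n),
    ]
    return {label: insert_rate(alerts, idx, batch)
            for label, idx, batch in configs}


if __name__ == "__main__":
    for label, (rows, rate) in benchmark().items():
        print("%-26s %6d rows  %10.0f inserts/s" % (label, rows, rate))
```

Run it as-is to print the four rates. The absolute numbers are in-memory SQLite numbers and will not match MySQL or Oracle on disk, but the ratios show the two effects worth knowing when sizing an alert database: extra secondary indexes cost insert throughput, and committing each alert in its own transaction typically costs more than the indexes do, so a sensor that logs alert-by-alert with autocommit hits the database wall first.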