Snort mailing list archives
Re: Total Cost of Ownership for Snort Implementation?
From: twig les <twigles () yahoo com>
Date: Wed, 18 Jun 2003 09:54:20 -0700 (PDT)
I've said this before on this list but it bears repeating. NEVER get an IDS that doesn't allow you to look at the actual signatures. You want to factor TCO? Try spending 30 minutes trying to figure out what set off a single signature with a combo of tcpdump and netcat. Even then you aren't really sure.

--- Derek Glidden <dglidden () illusionary com> wrote:

> On Wed, 2003-06-18 at 10:11, Bennett Todd wrote:
> > 2003-06-18T01:45:44 Nicholas Brawn:
> > > [...] I've been approached to put together some information on the TCO of implementing Snort at 5-10 locations throughout our network (internal and perimeter). We're going to be comparing this to the TCO for implementing a commercial solution.
> >
> > That's enough boxes that I'd base the snort TCO estimate on building and configuring boxes, deploying them, tuning them, organizing alerting and/or reporting to meet your needs, and updating sigs. Hardware costs are in the noise.
> >
> > > How expensive is it?
> >
> > Depends entirely on the skills you have available to build on. If you have folks who are really good at configuring appliance-style devices, automating their building and rebuilding, automating distribution of config updates and collection of alerts, etc. then snort can be an amazing winner.
> >
> > If on the other hand you don't have folks who are experienced at organizing an automated appliance build/maint process around open source tools, then getting an appliance from a vendor is liable to be a better value. Note that Snort is available on that basis as well as do-it-yourself free open source. Sourcefire sells and supports appliances built on Snort.
>
> "What he said." :)
>
> We've been an ISP/consulting shop for a number of years based around Linux, so we have the infrastructure. I spent some time building some scripts around the snort engine to handle things like alerting and reporting that it doesn't do itself, and a certain amount of regular maintenance, and now our "cost" for deploying a new sensor is literally the cost of the hardware plus about 30 seconds of time to put the hostname in a config file to have the packages installed and maintained. Up-front, I maybe spent 80-100 hours over a month or so, but for a final result, we now have several dozen snort sensors deployed throughout our and our customers' environments and they effectively manage themselves.
>
> As Bennett said, the open nature of Snort makes it really easy to pull it into any existing infrastructure you may have, if you have someone who can do it. And we're proof that you *can* build an infrastructure around it that makes it essentially hands-off once you get it all sorted out. (And we know it works in a "real-world" situation because we've been getting woken up with pages this week as one of our customers started doing intrusion testing on their network without informing us of the fact.)
>
> For only 5-10 installations, it may not be worth the up-front effort, although on the flip side, you may not need the amount of effort we put into the project. As Bennett also said, if you don't have the expertise in-house, or you don't have a large enough deploy to make it worth the trouble, you can always go with Sourcefire.
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> "We all enter this world in the same way: naked; screaming; soaked in blood. But if you live your life right, that kind of thing doesn't have to stop there." -- Dana Gould
> Support Electronic Freedom
> http://www.eff.org/
> http://www.anti-dmca.org/
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users

=====
-----------------------------------------------------------
Emo is what happens when the glee club goes punk.
-----------------------------------------------------------

Current thread:
- Total Cost of Ownership for Snort Implementation? Nicholas Brawn (Jun 17)
- Re: Total Cost of Ownership for Snort Implementation? Bennett Todd (Jun 18)
- Re: Total Cost of Ownership for Snort Implementation? Derek Glidden (Jun 18)
- Re: Total Cost of Ownership for Snort Implementation? twig les (Jun 18)
- Re: Total Cost of Ownership for Snort Implementation? Derek Glidden (Jun 18)
- Re: Total Cost of Ownership for Snort Implementation? Bennett Todd (Jun 18)