Is the product supplied as software only or as a hardware
appliance? If supplied as an appliance, please provide the hardware
specification (CPU, memory, network cards, etc)
Software only (appliances available thru commercial vendors)
What is the maximum speed/network load (Mbps) claimed with zero packet loss?
1Gbps
At the maximum load, what is the maximum TCP connection rate (connections per
second) claimed?
10000
Product architecture (2-tier/3-tier management? Brief
description)
Sensor only, users define their own architecture around the
sensor software
What are the minimum/recommended sensor OS and hardware
requirements? Is a dedicated machine required/recommended?
Dedicated machine recommended. No minimum OS/Hardware
combination recommended, Snort runs on just about anything that gcc will build
binaries for. For max performance (i.e. gigabit speed), recommend fast dual
Xeon CPU setup with 1GB RAM minimum, running Linux.
What are the minimum/recommended console OS and hardware
requirements? Is a dedicated machine required/recommended?
No recommendations, console can be local on the sensor or on a
remote system.
What are the minimum/recommended management server OS and
hardware requirements (if applicable)? Is a dedicated machine
required/recommended?
N/A
List required open ports on sensor and their use
None.
List required open ports on management server (if applicable) and
their use
N/A
List required open ports on GUI/management console and their use
N/A
Communication protocol between sensor and management server
N/A
Communication protocol between management server and GUI/console
N/A
Encryption between sensor and management server
N/A
Encryption between management server and GUI/console
N/A
Once deployed and configured, can sensors be managed from a
central console?
N/A
Capacity of the system? How many endpoints can be monitored?
Ratio of endpoints to management servers/consoles, etc.
User defined by requirements.
What anti-flooding methods are employed (sensor to management server, and
management server to console)?
N/A
Maximum insertion rate into alerts database
N/A
Maximum size of database
N/A
Maximum number of alerts stored
N/A
What happens to alerts in main alert database once capacity
limits exceeded (deleted/archived/etc)
N/A
What is maximum recommended size of alerts database to maintain
acceptable query performance?
N/A
When alerts are removed from main alert database, are they still
available for reporting directly (i.e. can reporting tools merge current and
archived alerts)
N/A
Which database product is used for alert storage? Is schema open?
N/A
What happens when communications between sensor and management
server/console are interrupted? Local logging on sensor? Maximum capacity? What
happens when local sensor logs are full? Is the local repository secure?
N/A
Secure logon for policy management?
N/A
Granular access (i.e. read only/read-write/etc) granted on a
per-user basis? What levels of granularity are supported?
N/A
Is it possible to define multiple policies for the sole purpose
of distributing to multiple sensors with different functions?
Yes.
How are policies distributed to sensors?
User defined (typically via shell scripts).
Can policies be deployed on a per-sensor or per-group basis, or
globally only?
N/A
How are policy changes handled? Will the central console detect
which agents are using a changed policy and redeploy automatically, or does the
administrator have to do this manually?
N/A
Can policy deployment be scheduled?
N/A
Does the sensor remain able to detect alerts at all times during
policy/signature updates? Explain how this is achieved.
No, Snort has to restart to load a new policy. Snort's stateful systems are
capable of re-acquiring a session in mid-stream.
Can the administrator define custom attack signatures?
Yes.
Regex supported when creating custom signatures?
N/A
How are new vendor attack signatures obtained and deployed?
Via CVS or distributed off of snort.org
Frequency of signature updates?
Several times a week.
What infrastructure does the vendor have behind the signature
update process (i.e. dedicated team of engineers? How many? Does it have a
name?)
Sourcefire Inc. has a 5 person research team that develops and
vets new Snort rules.
Can one signature update file be downloaded to the local network
and used to update all IDS engines from a central location, or is it necessary
to initiate a live connection to the Internet download server for each
sensor/management server?
N/A
Can signature updates be scheduled and fully automated?
N/A
Which network types are supported by the sensor?
Ethernet, FDDI, Token Ring, 802.1q, SLIP, PPP, 802.11b
What network protocols are analysed?
IP, ARP
What application-level protocols are analysed?
All
Can the product perform protocol decodes?
Yes.
Can the product perform protocol anomaly detection?
Yes.
Is the detection engine "stateful"? If so, please explain how
this works.
Yes. Snort has several stateful subsystems for performing
stateful inspection, TCP stream reassembly, flow analysis, IP defragmentation,
and portscan detection.
If stateful - how many open connections can be tracked? Is this
value configurable?
Configurable. Tested up to 1 million sessions.
If stateful - for how long are partially opened connections
tracked? Is this configurable?
Configurable.
If stateful - for how long are fully opened connections tracked
if not used? Is this configurable?
Configurable.
If stateful - explain the behaviour of the system when the state
tables are filled
Snort's "state tables" are actually splay trees. Unused/stale
sessions migrate to the leaf nodes of the tree over time, and in the event of the
system's memory cap being hit the system will scrub the tree for stale sessions,
then pick a number of leaf nodes at random to eliminate predictability.
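A constructed model of the state-table behaviour described above (an added example, not Snort's own stream code): sessions live in a splay-style tree that rotates each accessed session to the root, so idle sessions drift toward the leaves; when the table reaches its cap it first scrubs sessions idle longer than `stale_after`, then drops a random quarter of the leaves. The `SessionTable` class, its `touch` method, the seeded `random.Random` and the single-rotation splay are assumptions made for illustration.

```python
import random

class SessionTable:
    # Constructed model of the behaviour the page describes, not Snort's own code.
    def __init__(self, cap, stale_after, seed=0):
        self.root, self.size, self.cap = None, 0, cap
        self.stale_after, self.rng = stale_after, random.Random(seed)
    def _splay(self, n, key):
        # Rotate the node holding `key` (or the last node on its search path) up.
        if n is None or n["key"] == key: return n
        side, other = ("left", "right") if key < n["key"] else ("right", "left")
        if n[side] is None: return n
        c = self._splay(n[side], key)
        n[side], c[other] = c[other], n
        return c
    def touch(self, key, now):  # record activity; insert (evicting first) if new
        self.root = self._splay(self.root, key)
        if self.root is not None and self.root["key"] == key:
            self.root["seen"] = now
            return
        if self.size >= self.cap:
            self._evict(now)
        r = self._splay(self.root, key)  # key's in-order neighbour, or None
        node = {"key": key, "seen": now, "left": None, "right": None}
        if r is not None:  # split r's tree around the new key, which becomes root
            side, other = ("left", "right") if key < r["key"] else ("right", "left")
            node[side], node[other], r[side] = r[side], r, None
        self.root, self.size = node, self.size + 1
    def _delete(self, key):
        self.root = self._splay(self.root, key)
        if self.root is None or self.root["key"] != key: return
        left, right = self.root["left"], self.root["right"]
        if left is not None:
            left = self._splay(left, key)  # key exceeds all of left: its max rises
            left["right"] = right
        self.root, self.size = left or right, self.size - 1
    def _walk(self, n):  # in-order traversal of nodes
        if n is not None:
            yield from self._walk(n["left"])
            yield n
            yield from self._walk(n["right"])
    def _evict(self, now):
        # Scrub stale sessions first; if still full, drop random leaves so the choice
        # of which sessions are forgotten cannot be predicted.
        for n in list(self._walk(self.root)):
            if now - n["seen"] > self.stale_after:
                self._delete(n["key"])
        while self.size >= self.cap:
            leaves = [n["key"] for n in self._walk(self.root) if not (n["left"] or n["right"])]
            for k in self.rng.sample(leaves, max(1, len(leaves) // 4)):
                self._delete(k)
```

Keys are compared with `<`, so any orderable session identifier (a 5-tuple, for instance) works; `_walk(table.root)` yields the tracked sessions in key order.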
Will the detection engine alert on ALL suspicious activity, or
only when an attack is made against a vulnerable server? If so, please explain
in detail how this works. Can this behaviour be modified (i.e. to alert on ALL
attacks if required)?
It will detect all suspicious activity that it has been
configured to detect. Snort�s detection engine is built at run-time based on
the rules that are loaded into it, so the rules can be configured individually
to be as tight or broad as desired.
Are server responses monitored and alerted upon?
Yes.
Ability to monitor user-defined connections (i.e. report on an
FTP connection to a specific server?)
Yes.
Detect network-level packet based attacks?
Yes.
Detect all types of port scans (full connect, SYN stealth, FIN
stealth, UDP)?
Yes.
Detect SYN floods? Manual or automatic thresholds? Configurable?
No. Configurable thresholds are under development.
Perform packet/stream reassembly?
Yes.
Perform deobfuscation?
Yes.
List all "prevention" features available (TCP reset, ICMP
unreachable, firewall reconfiguration, drop packets (in-line only))
All of the above (inline available with snort-inline, firewall
reconfiguration available with SnortSAM).
Packet capture capabilities? Only the trigger packet, or before
and after? How are packet captures stored/viewed?
Yes. Snort has a feature called "tagging" that allows it to
capture a configurable amount of traffic on a per-rule basis. Packets are
stored/viewed with whatever output mechanism the user has defined (unified
format recommended for tagging).
Option to record entire sessions for "forensic" investigation?
Where is this data stored? How is it secured from tampering?
Yes. Data is stored using user-defined logging facility. User
secures data from tampering.
Reporting from sensor to console - range of alert response
options (detail these, i.e. log, alert, e-mail, pager, packet capture, etc)
N/A
Can alert response options be set only at a global policy level,
only at individual signature level, or to groups of signatures (or a mixture of
all three)?
N/A
Can alerts be reported to the central console in real time
without the use of third party software? How easy is it to filter and extract
individual events?
N/A
Can alerts from all sensors be viewed at a single console at the
same time (i.e. without having to connect to separate sensors from the console)?
N/A
Can the central console correlate alerts from multiple sensors
(i.e. not just display alerts from multiple sensors, but attempt to infer a
connection between different alerts on different sensors)?
N/A
Can alerts be correlated manually by the administrator - grouped
together in the database as a single event for further investigation?
N/A
Can alerts/events be annotated and tracked for investigation by
multiple administrators/investigators?
N/A
Does the software offer advice on preventative action to ensure
the attack does not happen again?
N/A
What industry standards are supported - Intrusion Detection Exchange Format
working group (IDWG), Intrusion Alert Protocol (IAP), Intrusion Detection
Message Exchange Format (IDMEF), IDXP - and in what way?
IDMEF is available from a 3rd party.
Which third party event correlation systems are supported and in what way?
N/A
Integration with other scanning/IDS products?
N/A
Log file maintenance - automatic rotation, archiving, reporting
from archived logs, etc.
Some output modules support automatic rotation.
Management reporting - range of reports/custom reports/how easy
is it to filter and extract detail? Different reports for technicians and
management/end users?
N/A
Are trend/comparison reports available?
N/A
Does reporting allow customised filtering down to the level of
reporting all activity on a specific network resource/object by a specific
user/machine on a specific date?
N/A
Report management - can they be scheduled for automatic
production? Can they be e-mailed to administrators or published straight to a
Web site?
N/A
What are the limitations and restrictions on enterprise-wide
alerting and reporting? Can reports consolidate output from every 1) server, 2)
detector
N/A
Ability to define custom reports?
N/A
Provide brief description of any management software included in
the base price of the product.
N/A
Provide brief description of any additional management products
available as extra cost options.
N/A
Documentation provided
Several documents are provided covering deployment, installation
and configuration of Snort. Additionally, there are several books available
covering Snort deployment and configuration.
How is the product licensed? How is the license enforced?
GPL license. License enforced under the auspices of Sourcefire
Inc.
End user pricing information
Free!
Ongoing cost of maintenance/updates
Free!