Snort mailing list archives

Re: Snort 0,01 seconds too late?
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 01 Dec 2013 13:12:52 -0500

On 12/1/2013 4:12 AM, Gregor Mahnic wrote:

> I hope no one gets upset with me for this question but is it possible for snort
> to fail to stop an attack? I hear this a lot when I google for something about
> snort. I mean not that I have any doubts myself about snort but I just wondered
> how would a snort user comment on someone who sarcastically states that snort
> would be 0,001 seconds too late to stop an attack. I am wondering because in
> part I want to become an avid snort user. I need to do a lot more research and
> reading about everything connected with snort such as oink, barnyard, ...

regardless of using other tools, this highly depends on how snort is implemented 
in one's setup...

snort in inline mode (IPS) places snort directly in the path of the traffic... 
snort gets the traffic when it arrives, analyzes it and then either passes the 
traffic thru to the outbound side or drops the traffic in the bitbucket... the 
traffic cannot pass unless snort allows it to...

inline mode is also known as IPS (intrusion prevention system)... IDS mode
(intrusion detection system) is different in that snort is watching the ball
game from the sidelines... if it sees something then it raises a flag (an alert) 
which another tool may react to... in this situation, yes, the response will be 
delayed by some small period of time...

> Are these sorts of sentiments expressed by individuals who are too lazy to
> implement snort? I mean I myself see how long it has taken me to understand the
> basics and as I have said I need to do a whole lot more reading!

lazy? maybe... maybe not... only aware of one method of implementation? yes, 
most likely...

NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
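
The difference between inline (IPS) and passive (IDS) placement described in the reply above, modelled as an added example that is not part of the original message. The packet times, the single-flow model and the reaction delay of the blocking tool are constructed assumptions, not Snort behaviour measurements.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t_us: int        # arrival time in microseconds
    malicious: bool  # would a rule match this packet?

# Constructed sample: one flow, four attack packets between two benign ones.
FLOW = [Packet(0, False), Packet(10_000, True), Packet(10_500, True),
        Packet(11_000, True), Packet(20_000, True), Packet(30_000, False)]

def inline_ips(packets):
    """Inline: every packet waits for a verdict, so matches never pass."""
    return [p for p in packets if not p.malicious]

def passive_ids(packets, react_delay_us):
    """Passive: the target already has each packet when the alert fires.
    A separate tool blocks the flow react_delay_us after the first alert."""
    delivered, block_at = [], None
    for p in sorted(packets, key=lambda p: p.t_us):
        if block_at is not None and p.t_us >= block_at:
            continue                      # block is now in effect
        delivered.append(p)               # sensor only saw a copy
        if p.malicious and block_at is None:
            block_at = p.t_us + react_delay_us
    return delivered

def leaked(delivered):
    """Count attack packets that reached the target."""
    return sum(p.malicious for p in delivered)

if __name__ == "__main__":
    print("inline:", leaked(inline_ips(FLOW)))
    for delay in (0, 1_000, 50_000):
        print(f"passive, {delay} us reaction:", leaked(passive_ids(FLOW, delay)))
```

Even with a reaction delay of zero, the passive model delivers the packet that triggered the alert, which is the gap the inline placement closes.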
