On 3/21/06, Jason Crawford <[EMAIL PROTECTED]> wrote:
> On 3/21/06, Hutger H. <[EMAIL PROTECTED]> wrote:
> > Hi folks,
> >
> > I've been looking for a consolidated IDS solution that I can deploy in
> > my network. Snort is really a good option but currently it seems that
> > they are charging for updates, is that true? I'd like to find out a free
> > of charge Linux, or BSD, solution that works as well as snort does,
> > preferably with some successful deployment cases.
> >
> > Any ideas?
>
> Well as far as charging for updates goes, that's only for rulesets I
> believe. Basically, the rules that you get with the snort tar ball are
> all you get, if you want updates to them you gotta pay. But later
> versions of snort are free, so upgrading from 2.4.3 to 2.4.4 is free,
> just not the extra snort rules. And even then, only the SourceFire VRT
> Certified Rules cost money (for subscriptions and redistribution
> rights I believe), a community driven rule group is still free,
> however they don't "Guarantee" the rules. If I were you, I'd stick
> with snort, you'll be hard pressed to find a free NIDS that is as
> robust, and I speak from experience, as I've setup some pretty damn
> large and complex snort deployments for my work in the past.
>
> Jason

Hutger:
VRT Rules are free after you register an account. You are not entitled to new VRT rule drops until 1 week after they are initially released with the free registration. Paying subscribers get the rules when they are first available.

In the rules download section you will notice four download sections:

- Sourcefire VRT Certified Rules (subscription release)
- Sourcefire VRT Certified Rules (registered user release)
- Sourcefire VRT Certified Rules (unregistered user release)
- Community Rules

The 'subscription release' requires a paid subscription.
The 'registered user release' is one week behind the subscription release and is free with a registered account.
The 'unregistered user release' is the ruleset included with the source distribution and is free for all.
The 'Community Rules' are free for all.

There is also http://www.bleedingsnort.com/ that has its own rule sets available to supplement the VRT rules.

The one thing that is missing while using snort on BSD is the ability to run snort inline, where you can have snort block certain network traffic based on rules (aka IPS). There is a project, pq - http://www.openbeer.it/?open=pq that is attempting to address this for BSD.

You have to request an oink code to get the VRT rules using oinkmaster. This is free with a registered account.

Axton Grams
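As an added example, not part of Axton's message and not taken from the snort.org or oinkmaster documentation, here is the kind of oinkmaster.conf that pulls the registered-user VRT snapshot with an oink code and the Bleeding Snort set in one run. The `<oinkcode>` placeholder, the `snortrules-snapshot-2.4` file name, the `/etc/snort` paths and every SID used are assumptions; take the exact download URL from the rules page of your own snort.org account.

```conf
# /etc/oinkmaster.conf  (added example; URLs, paths and SIDs are assumptions)

# Where oinkmaster may find tar, gzip, wget etc.
path = /bin:/usr/bin:/usr/local/bin

# VRT Certified Rules, registered-user release. Replace <oinkcode> with
# the code from your snort.org account. The snapshot name must match the
# Snort branch you run (2.4 here); a mismatch gives rules the parser rejects.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode>/snortrules-snapshot-2.4.tar.gz

# Bleeding Snort rules, fetched in the same run to supplement the VRT set.
url = http://www.bleedingsnort.com/bleeding.rules.tar.gz

# Only files matching this regex are written to the output directory;
# anything else in the tarballs is ignored.
update_files = \.rules$|\.config$|\.conf$|\.txt$|\.map$

# Local rules are never overwritten by an update.
skipfile local.rules

# Local tuning that must survive every update. SIDs are placeholders:
# disable two noisy signatures, re-enable one the vendor ships commented out.
disablesid 1234, 5678
enablesid 2345

# Rewrite a rule in place (placeholder SID): tag the session that triggered it
# so the following 30 seconds of traffic are logged as well.
modifysid 3456 "sid:3456;" | "sid:3456; tag:session,30,seconds;"
```

Run it as `oinkmaster.pl -C /etc/oinkmaster.conf -o /etc/snort/rules -b /var/backups/oinkmaster` (the `-b` directory keeps a backup of the previous rules so a bad drop can be rolled back), then check the merged set with `snort -T -c /etc/snort/snort.conf` before sending the running Snort a HUP; a rule that fails to parse in test mode would otherwise leave you without a sensor. Two points worth knowing: the oink code is a per-account credential, so keep the config readable only by the user that runs the update, and multiple `url =` lines are honoured by the 1.x releases of oinkmaster; with an older version, run it once per config file instead.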