On Tue, Apr 28, 2009 at 8:35 AM, Claudio Jeker <cje...@diehard.n-r-g.com> wrote:
> Did you ever check the security record of snort? It is at least as bad as
> wireshark's but it is sitting in the middle of your network passing
> packets. I couldn't sleep with such a system in my core.
> It is also a lot easier to bypass unnoticed a bridging FW/IDS than a box
> that does actual routing.

I checked and it doesn't look that bad:

http://secunia.com/advisories/product/16919/?task=statistics
http://secunia.com/advisories/product/13116/?task=statistics

In CERT, it looks like there were 4 vulnerabilities in 2008, 4 in 2007 and currently 2 in 2009 (one of them is related to libpng, which Snort doesn't link to by default in Linux, and the other one is not specific to Snort).

But I agree that using snort_inline is probably questionable, given how complex it is and its security record. I also agree that, for passive systems, using a Tap is safer and better.

> Go ahead, use it and get burned, I think you need pain to realize that it is
> bad.

Isn't this how humans learn? By making mistakes and learning from them? :)