When Snort is not enough

As an independent security consultant I offered a course to customers called Network Security Operations, which covered network-centric intrusion detection, response and forensics. Students often asked, "Is this the Snort course?" And I answered, "Not exactly, but you're probably in the right place."

I've been inspecting and acting upon network traffic for 10 years. When I tell people that I use network traffic as one means to detect and respond to intrusions, many respond by saying, "So you use Ethereal, right?" I find myself responding in a similar manner to the Snort question: "Not exactly, but sometimes."

Both of these questions point to customer perceptions of common ways to detect and respond to intrusions. The digital security field is incredibly complicated and anyone who claims to be a master of the entire field is a fool. In fact, mastery of any single subject might require such narrow focus as to be of little relevance to the remainder of the field. Those who are most successful have carved some niche out of the security landscape, but still understand the rest of the arena.

Similarly, it's important to understand how a network intrusion detection system (IDS) like Snort and techniques based upon its use fit into a holistic detection and response operation. Placing Snort within an entire security program is too broad a topic to cover in this Snort Report. Rather, let's consider when a tool like Snort is independently helpful and when you should support Snort with complementary tools and techniques.