Network Intrusion Detection: portsentry vs Snort

Warren Togami warren at togami.com
Mon Jul 9 02:16:27 PDT 2001


http://www.linux.ie/articles/portsentryandsnortcompared.php

While surfing around looking for a solution to my portsentry problem, I came
upon this great article comparing portsentry to Snort, a more full-featured
network intrusion detection system.  This article explains a lot about port
scan detection and general network security monitoring, while scathingly
saying why portsentry sucks and Snort rules.

"Port Sentry strikes me as a piece of software written by people who have
very little low level network programming experience (packet capturing using
an unportable and inefficient interface) and even less network security
experience (advertising commonly exploited ports that aren't there thus
enticing hackers to try to hack you, dynamically blocking IPs, unimpressive
performance against stealth scans). This is a poor piece of software and I
can't help but think that its only reasons for success are because of the
placebo that it proactively responds to scans and the fact that it was
written by a security company. It may be passable for the home user but
you'd be a fool to run it on any large commercial network."

"Snort can be configured to detect specific exploits going through your
network, which a program like Port Sentry cannot. It is legal to port scan a
machine in most countries; all a port scan detector is good for is to act as
an early warning system (because port scans often precede exploit attempts).
Software like Snort can also analyse packets looking for specific exploits,
and log the session. This is good from an evidence point of view, or
simply for detecting what specific exploits are being launched against you."



More information about the LUAU mailing list