LinuxQuestions.org
Snort and MS Threat Protection Manager

#1, 02-24-2011, 12:01 PM, Mark_667:

I work in a relatively small organisation of about 30 people (but with a complex network) and we've been looking to move our firewall to Microsoft's Threat Protection Manager on a mostly Windows network. I've been thinking we should have an IDS/IPS inside the firewall and I've been thinking about Snort in NIDS mode but have some basic questions:

1. Can anyone recommend a good web GUI for Snort?

2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)

3. Would Snort add any real benefit to using TPM?

#2, 02-24-2011, 12:31 PM, Noway2:

For Snort, you can use Base as a GUI to monitor the status and work with the databases. There are several utilities for working with the rules, such as Oinkmaster and Barnyard.

Putting Snort behind your firewall is a good choice. That way it will monitor what makes it through the firewall rather than everything that hits it. As long as you have the resources I don't see why you can't run Snort and the GUI on the same machine. Here are some articles regarding running snort on a separate machine. After reading the article I settled on using a NIC card in stealth mode (not configured with an IP or anything) and set up a span port on the switch to capture all of the traffic on all of the machines. I think it works quite well.

You will get a lot of false positives with Snort so you will have to tune it. The pre-compiled rules seem to be a particular source of positives. You can suppress rules effectively using the threshold.conf file to filter a rule and even base it upon the source and/or destination IP rather than blocking the entire rule. You should also look into the emerging-threats rules. These seem to pick up a lot more cutting edge stuff than the base snort rules.

I am not familiar with TPM, so I can't really comment on it.
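The tuning step described in the post above (reading the alert log, finding which rule/source pairs are noisy, and writing threshold.conf entries that silence a rule for one source rather than disabling it outright) can be scripted. The following is an added example, not code from the thread or from the Snort project. It parses Snort's alert_fast log format, counts alerts per (gid, sid, source IP), and renders `suppress` and `event_filter` lines in the syntax Snort's threshold.conf accepts. The alert lines are constructed sample data, and the `min_hits` cutoff is an assumed threshold that a real tuning pass would choose after reviewing each alert, since a `suppress` entry also hides genuine hits from that source.

```python
import re
from collections import Counter

# Matches one line of Snort's alert_fast output:
#   <timestamp> [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {PROTO} src:port -> dst:port
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alert log (not captured traffic): one management host trips the
# SNMP rule on every poll, a second host trips it once, one unrelated alert appears,
# and one junk line shows the parser skipping what it does not understand.
SAMPLE_ALERTS = """\
02/24-12:31:00.000001  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1025 -> 10.0.0.20:161
02/24-12:31:01.000002  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1026 -> 10.0.0.21:161
02/24-12:31:02.000003  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.5:1027 -> 10.0.0.22:161
02/24-12:31:03.000004  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 172.16.4.9:1434 -> 10.0.0.30:1434
02/24-12:31:04.000005  [**] [1:1411:10] SNMP public access udp [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 10.0.0.7:1025 -> 10.0.0.20:161
this line is not an alert and is skipped
""".splitlines()


def parse_alerts(lines):
    """Return (gid, sid, msg, src, dst) for every line that parses; other lines are skipped."""
    out = []
    for line in lines:
        m = ALERT_RE.search(line)
        if m:
            out.append((int(m.group("gid")), int(m.group("sid")),
                        m.group("msg"), m.group("src"), m.group("dst")))
    return out


def noisy_sources(alerts, min_hits):
    """Count alerts per (gid, sid, source IP); return pairs at or above min_hits, busiest first."""
    counts = Counter((gid, sid, src) for gid, sid, _msg, src, _dst in alerts)
    return [(key, n) for key, n in counts.most_common() if n >= min_hits]


def suppress_line(gid, sid, src):
    """threshold.conf 'suppress': silence one rule for one source IP, leaving it active for all others."""
    return "suppress gen_id %d, sig_id %d, track by_src, ip %s" % (gid, sid, src)


def rate_limit_line(gid, sid, seconds=60):
    """threshold.conf 'event_filter' of type limit: keep the rule but log at most one alert
    per source address per time window instead of one alert per packet."""
    return ("event_filter gen_id %d, sig_id %d, type limit, track by_src, "
            "count 1, seconds %d" % (gid, sid, seconds))


def tuning_suggestions(lines, min_hits=3):
    """Parse a fast-alert log and propose suppress entries for the noisiest rule/source pairs.
    min_hits is an assumed cutoff; review each candidate before adding it to threshold.conf."""
    alerts = parse_alerts(lines)
    return [suppress_line(gid, sid, src)
            for (gid, sid, src), _n in noisy_sources(alerts, min_hits)]


if __name__ == "__main__":
    for entry in tuning_suggestions(SAMPLE_ALERTS):
        print(entry)
    # Alternative to suppression: keep the SNMP rule but cap it to one alert per source per minute.
    print(rate_limit_line(1, 1411))
```

The `suppress` form is the one the post describes (filter by source rather than disable the rule); `event_filter` with `type limit` is the gentler option when the rule should still fire for a source, just not once per packet. Both lines go into threshold.conf, which snort.conf includes, and take effect on the next restart or `SIGHUP`.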
#3, 02-24-2011, 12:58 PM, unixfool:

Quote:
1. Can anyone recommend a good web GUI for Snort?
There are several. BASE is tried and proven, but is actually rather complex in setting up (actually, they all are). Another is Sguil. Yet another is Snorby. Those are free. Since you're comparing to MS products, you probably can afford some commercial solutions also (they're probably cheaper than MS products, too): Aanval, Astaro, Splunk (mainly for correlation).

Quote:
2. Is it advisable to run both on the same machine? (Both from a POV of security and resources.)
You want to try to segregate those duties, if at all possible. In fact, you might want to spread out the snort backend (have one machine running the GUI and another running the database, and if your network is sprawling, you might even want to dedicate a machine to snort itself).

Quote:
3. Would Snort add any real benefit to using TPM?
Snort is very solid and is a proven product, as long as you know its capabilities. I'm not familiar with TPM, but I'm almost positive that it won't outgun Snort. Or, you can do a bake-off between the two and pick what is better for your organization.