
Why is the Snort IDS still alive and thriving?

The Snort IDS remains popular alongside intrusion prevention systems (IPS) because companies understand that intrusion detection and intrusion prevention must work hand in hand to reduce the risk of harmful security incidents.

No one wants to simply "detect" intrusions. Everyone, quite rationally, wants to prevent intrusions. Leading up to 2003, IDS vendors claimed ever greater capabilities to detect intrusions, with supposedly lower false positive rates. Customers naturally asked the question, "If you can detect it, why can't you prevent it?" Companies selling so-called "intrusion prevention systems" answered "We can!" and dealt a body blow to the IDS market.

About the author
Richard Bejtlich is director of incident response at General Electric Company in Manassas, Va., and blogs at [URL missing from the page]. Listen to the rest of Richard's answers on Snort by downloading our Snort podcast.

The undeniable fact of the matter, however, is that preventing a network-based intrusion requires detecting it. No one has built, or ever will build, a network-based (or host-based, or anything-else-based) system that performs 100% accurate detection, so that means 100% prevention is also impossible. What should you do with events that are not regarded with 100% confidence as being malicious? If you block them, you could deny legitimate business traffic. The sensible alternative is to alert on them and let a human analyst investigate the situation. Hence, we have returned to seeing IDS as a useful tool. IPS, incidentally, is quickly becoming another feature on the network firewall.
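As an added illustration, not part of Richard's answer, here is how that alert-versus-block split looks in Snort 2.x rules when the sensor runs inline (started with -Q); the rule bodies, sids and content strings are constructed for this example.

```snort
# Added example (not from the article). Snort 2.x inline mode (-Q) honours
# the "drop" action; in passive IDS mode both rules behave as "alert".

# Rule 1: exact match on a known-bad request string (placeholder path,
# constructed for this example). Confidence is high, so blocking it rarely
# costs legitimate traffic: the action is "drop".
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE known exploit string in HTTP request - blocked"; \
    flow:to_server,established; \
    content:"/cgi-bin/example_exploit.cgi"; nocase; \
    classtype:web-application-attack; sid:1000001; rev:1; )

# Rule 2: a weak indicator that legitimate applications also produce.
# Confidence is low, so dropping it could deny business traffic: the action
# is "alert", and a human analyst decides what to do with the event.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS ( \
    msg:"EXAMPLE possible directory traversal - analyst review"; \
    flow:to_server,established; \
    content:"../"; http_uri; \
    classtype:attempted-recon; sid:1000002; rev:1; )
```

Local rules use sids of 1,000,000 and above so they do not collide with vendor rule sets; the same rule can be promoted from "alert" to "drop" only once its false-positive rate on your own traffic is known.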
