SNORT(r), The standard in IDS and IPS.
Customer Reviews
Gautam S.
Advanced user of Snort
Snort is an open-source network intrusion system. When Snort is installed on a system, it captures the network packets the system receives and either saves them to a log file or displays them on the console. It also has a mode where it just applies the rules that are defined for analyzing the packets it receives, identifies any malicious content that is harmful to the system, and then alerts the user. The performance of Snort depends on the configuration, and it might also give false positives.
Snort can be installed as a network intrusion detection system even on a desktop, but it requires a lot of configuration before it can be used effectively. The configuration needs to be done in a snort.conf file, which contains a lot of properties to be defined. So it requires a lot of domain knowledge about networks to use it. It does not come with any user interface and requires a lot of commands to be run. It also might give false positives for applications that have legitimate network traffic and make the user suspicious. That depends a lot on the configuration done in the configuration file. But the Snort website provides a lot of documentation and example configuration files.
Would recommend it to someone who has good knowledge of networks, who could configure Snort by making changes in the configuration files, and who knows how to execute commands from the command prompt to use the product.
I have used Snort on my personal Linux desktop and did not find it too useful. But it could be used on large systems, assuming you have the knowledge and resources for understanding the product.