Snort up for revamp, says creator

The creator of Snort, the open-source network-based Intrusion Detection System (IDS), says the software is up for an overhaul.

IDS has failed to impress the market, Martin Roesch told delegates at the AusCERT computer security conference in Queensland. The inability of many to "tune" an IDS -- minimising the number of false alarms triggered by the monitoring devices -- has been a major drawback for the widespread acceptance of the technology, he said.

The next generation of Snort will include "passive discovery" features, Roesch said, which will automatically tweak the package's settings.

"IDS is not working as well as had been hoped, or as well as had been hyped," he said. "People have been saying... IDS can be used to secure your network. But that's not the role of an IDS."

Now the chief technology officer of US-based Sourcefire, which sells Snort-based intrusion detection systems, Roesch says auto-discovery features could be used to apply specific detection policies to particular devices on a network.

If the new software detects an Apache server running on Linux, it will only look for attacks relevant to that configuration, instead of monitoring the device for an attack that would affect a Cisco router or Windows server.

"If you don't have a technology that's capable of understanding what's out there on the network... then you're going to have big problems," he said.

Speaking to ZDNet Australia after his presentation, Roesch said the new features had been discussed within Sourcefire, but an actual release date to the open-source community is still unclear. "We haven't really talked about this with the open source community yet," he said. "Some big changes need to be made to the [Snort] engine to make this work."

Unlike more passive intrusion detection set-ups, revamped Snort will be able to enforce policies through its new capabilities. "The idea is to take a policy like 'thou shalt not run OS X on the network,' and then if someone with a Mac plugs into our network... it can tell the firewall to [block them]," he said.
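The following is an added illustration of the two ideas Roesch describes above: passive discovery building a per-host profile (OS and services) from traffic the sensor already sees, a rule set filtered down to what is relevant to each host, and an OS policy that turns a discovered violation into a firewall action. It is not Sourcefire or Snort code. The packet observations, the rule table and the TTL/window OS heuristic are constructed for the example; real passive fingerprinting relies on far richer signatures.

```python
"""Target-based rule selection driven by passive discovery (added example)."""
from dataclasses import dataclass, field

# Constructed sample observations: one server-side packet per host.
OBSERVATIONS = [
    {"src": "10.0.0.5", "ttl": 64, "window": 5840, "sport": 80,
     "payload": b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.49 (Unix)\r\n\r\n"},
    {"src": "10.0.0.9", "ttl": 128, "window": 65535, "sport": 80,
     "payload": b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/6.0\r\n\r\n"},
    {"src": "10.0.0.12", "ttl": 64, "window": 65535, "sport": 49152,
     "payload": b""},
]

# Hypothetical rule table. The os/service sets state which hosts a rule is
# relevant to; an empty set means "any host".
RULES = [
    {"sid": 1001, "msg": "Apache chunked-encoding overflow attempt",
     "os": {"linux"}, "service": {"apache"}},
    {"sid": 1002, "msg": "IIS ISAPI extension overflow attempt",
     "os": {"windows"}, "service": {"iis"}},
    {"sid": 1003, "msg": "Cisco IOS HTTP auth bypass",
     "os": {"cisco-ios"}, "service": set()},
    {"sid": 1004, "msg": "TCP port sweep", "os": set(), "service": set()},
]

# The "thou shalt not run OS X" policy from the article.
FORBIDDEN_OS = {"macos"}


@dataclass
class HostProfile:
    ip: str
    os: str = "unknown"
    services: dict = field(default_factory=dict)  # port -> service name


def guess_os(ttl, window):
    """Crude initial-TTL / TCP-window heuristic (an assumption for the example,
    not a real fingerprint database)."""
    if ttl > 128:
        return "cisco-ios"   # many network devices start at TTL 255
    if ttl > 64:
        return "windows"     # default initial TTL 128
    if window == 5840:
        return "linux"       # classic Linux 2.4/2.6 default window
    if window == 65535:
        return "macos"
    return "unknown"


def guess_service(payload):
    """Name the server from its banner; only HTTP Server headers are parsed."""
    if not payload.startswith(b"HTTP/"):
        return None
    for line in payload.split(b"\r\n"):
        if line.lower().startswith(b"server:"):
            banner = line.split(b":", 1)[1].strip().lower()
            if banner.startswith(b"apache"):
                return "apache"
            if b"iis" in banner:
                return "iis"
            return banner.decode(errors="replace")
    return "http"


def discover(observations):
    """Passive discovery: build host profiles from traffic already on the wire."""
    hosts = {}
    for pkt in observations:
        prof = hosts.setdefault(pkt["src"], HostProfile(pkt["src"]))
        if prof.os == "unknown":
            prof.os = guess_os(pkt["ttl"], pkt["window"])
        svc = guess_service(pkt["payload"])
        if svc:
            prof.services[pkt["sport"]] = svc
    return hosts


def select_rules(profile, rules=RULES):
    """Return the sids worth evaluating for this host: unconstrained rules plus
    rules whose os/service constraints match what discovery found."""
    selected = set()
    for r in rules:
        os_ok = not r["os"] or profile.os in r["os"]
        svc_ok = not r["service"] or r["service"] & set(profile.services.values())
        if os_ok and svc_ok:
            selected.add(r["sid"])
    return selected


def enforce_policy(hosts, forbidden=FORBIDDEN_OS):
    """Turn a discovered-OS policy violation into a firewall action (a tuple here;
    a real deployment would hand it to the firewall's management interface)."""
    return sorted((ip, "block", f"forbidden OS {p.os}")
                  for ip, p in hosts.items() if p.os in forbidden)


if __name__ == "__main__":
    found = discover(OBSERVATIONS)
    for ip, prof in found.items():
        print(ip, prof.os, prof.services, sorted(select_rules(prof)))
    print(enforce_policy(found))
```

The Linux/Apache host is checked only against the Apache rule and the generic sweep rule, so the IIS and Cisco signatures never fire on it. The caveat a practitioner should keep in mind is that the reduction in false alarms is only as good as the profile: a stale or spoofed fingerprint suppresses true alerts for that host, so discovery has to be refreshed continuously and unknown hosts should fall back to the full rule set.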


Talkback 3 comments

    Anonymous -- 25/05/04

    IDS is only one part of securing a network. It needs to be combined with other tools like antivirus, application-level proxies, packet filtering firewalls and more.

    Normalizing and correlating all that info and making intelligent decisions is the job of a Security Event Manager, not the IDS. The IDS can only make decisions based on what *it* knows, and is in the dark on the other devices.

    TriGeo Network Security (http://www.trigeo.com/), where I work, makes a security event manager called Contego that does exactly what is being called for -- the ability to normalize, correlate, tune and act on all the data coming in.

    While it would be nice to have Snort be able to auto-tune, I fear it would also increase the perception of its ability to act alone. IDS needs to be marketed not as an "end-all, be-all" solution but as a key component to securing a network.

    Anonymous -- 25/05/04

    How thoughtful of you, Charles, to give us such valuable information about products your company sells in the guise of commentary.
    Aren't these things moderated? Why is this obvious product plug allowed?

    Anonymous -- 28/05/04

    You're welcome.

    It wasn't a blatant plug. I was pointing out that IDS is just one part of the security solution -- antivirus, workstation & server logs, edge device logs, etc. all need to be looked at as a WHOLE.

    Snort wasn't designed to do this. I doubt it will ever be extended to include the ability to parse and act on Windows Event Logs, Cisco syslogs, etc.

    I figured pointing out that I worked for a company in this space (and uses Snort daily) was just being honest.
