Cisco Sourcefire SNORT is a versatile cybersecurity tool offering threat detection, scalability, and integration with Cisco tools. It is recognized for ease of configuration and comprehensive protection, making it suitable for intrusion prevention and firewall applications.


| Product | Mindshare (%) |
|---|---|
| Cisco Sourcefire SNORT | 3.0% |
| Darktrace | 10.3% |
| Fortinet FortiGate | 9.6% |
| Other | 77.1% |

| Title | Rating | Mindshare | Recommending | Interviews |
|---|---|---|---|---|
| Fortinet FortiGate | 4.2 | 9.6% | 92% | 592 |
| Darktrace | 4.1 | 10.3% | 95% | 84 |

| Company Size | Count |
|---|---|
| Small Business | 6 |
| Midsize Enterprise | 7 |
| Large Enterprise | 4 |

| Company Size | Count |
|---|---|
| Small Business | 46 |
| Midsize Enterprise | 26 |
| Large Enterprise | 56 |

Cisco Sourcefire SNORT provides advanced malware protection and integrates seamlessly with Cisco products. It enables automatic IPS tuning, real-time visibility, and intelligent security automation, which together enhance network security. Users benefit from its URL filtering and email spam elimination, and it delivers low false positives. Though highly effective, feedback highlights a desire for improvements in stability, dashboard effectiveness, traffic blocking customizations, and integration with Cisco DNA Center. Cost concerns and calls for cloud-based deployments also emerge in user feedback. Technical support and performance are also discussed, with VPN configuration posing challenges.
Organizations primarily deploy Cisco Sourcefire SNORT for network security in sectors like finance and healthcare. Used extensively in data centers with Cisco Firepower, it provides intrusion prevention, URL filtering, and VPN security. Pre-configured settings make it practical for on-premises deployment, ensuring secure user-to-server and server-to-server interactions.
Cisco Sourcefire SNORT was previously known as Sourcefire SNORT.
CareCore, City of Biel, Dimension Data, LightEdge, Lone Star College System, National Rugby League, Port Aventura, Smart City Networks, Telecom Italia, The Department of Education in Western Australia
| Author info | Rating | Review Summary |
|---|---|---|
| Cloud Architect at a consultancy with 1-10 employees | 4.5 | I've used Cisco Sourcefire SNORT for endpoint protection, valuing its logging, reporting, and customizable rules. It's stable and scalable with proper limits, and the setup is straightforward, though I lack experience with zero-day detection and community rules. |
| Treasury Specialist at Dah Sing Bank | 4.0 | I can't share specific use cases due to industry restrictions, but the most valuable feature of Cisco Sourcefire SNORT is its threat detection. While the setup is easy, the dashboard needs improvement. We are considering alternatives like Huawei and H3C. |
| Sr. Executive Design Engineering Team at Wateen Telecom (pvt.) | 3.5 | We use Cisco Sourcefire SNORT for IT security prevention systems, integrated with a next-generation firewall. It offers good protection and visibility but suffers from stability issues and complexity compared to competitors like FortiGate. |
| Sr. Manager - Infosec at PAGCOR | 4.5 | We protect our virtual server funds using Cisco Sourcefire SNORT, valuing its visibility across the virtual environment. Although it's expensive, we switched from TippingPoint through public bidding and see a positive ROI without breaches. |
| Director at Baverianvine | 4.0 | I use this stable on-premise IPS solution for external firewalls, serving 10,000 users for over seven years. While its cloud integration could improve, I find it effective and recommend it, rating it eight out of ten. |
| Network Engineer at Arab Islamic Bank | 4.0 | We are using Cisco Sourcefire SNORT primarily as an edge firewall for security. Its most valuable feature is the event monitoring dashboard, though it needs improvement. We previously used McAfee but replaced it with Cisco Sourcefire SNORT. |
| Lead Program Manager at a computer software company with 10,001+ employees | 3.5 | I find this an intelligent and stable IDS/IPS, offering strong SSL encryption and advanced threat protection like Firepower. While implementation could be easier, I'm satisfied with its scalability and support. I rate it 7/10, pending further use. |
| Network Security Engineer at a computer software company with 501-1,000 employees | 4.0 | Cisco Sourcefire SNORT is an effective intrusion detection system that simplifies configuration with pre-defined settings, streamlining deployment and management. However, its traffic blocking approach is confusing and challenging to implement due to architectural constraints. |
| Information Systems, Manager - Network at a government with 1,001-5,000 employees | 4.0 | I use Cisco Sourcefire SNORT for intrusion prevention, and it is user-friendly and easy to configure with excellent reporting features. In our organization of about 1,000 users, we considered other solutions but found SNORT effective, with minimal false positives. |
| Team Lead Manager with 501-1,000 employees | 4.0 | I find this solution easy to use, stable, and it significantly improved our organization, reducing man-hours. Initial setup was straightforward. However, more detailed alerts are needed to minimize false positives and manual investigation. |

Endpoint protection is the main use case. The main aspect involves specifying different rules, and when network traffic hits these rules, it will try to block the traffic or at least log the traffic in general.
The logging is mainly what I consider one of the best features with Cisco Sourcefire SNORT. Being able to log and store it in a file allows you to push it to a centralized repository.
The logging and reporting help improve incident response. You should always be logging threats, any sort of misconfiguration, and anything that could be an issue. It's important to at least log and monitor it.
The basic rules provide a good baseline in assessing Cisco Sourcefire SNORT's ability in providing real-time analytics for threat detection, but as a professional, you should look to constantly modify that baseline. They provide extensive customizability so you can define your own rules.
The customizability allows it to be adaptable in protecting against diverse network threats to the constant change.
I have not had much experience with the community-driven rule set while utilizing Cisco Sourcefire SNORT.
I don't have experience with recognizing zero-day vulnerabilities, but based on my knowledge, it's up to whoever creates the Cisco Sourcefire SNORT rules to try and understand the system to identify zero days. Cisco Sourcefire SNORT has the ability, but it's up to who actually creates the rules.
I don't feel I have enough experience to comment on areas that could be improved or could be continuously improved upon with Cisco Sourcefire SNORT.
I have about a year of experience with Cisco Sourcefire SNORT overall.
I would rate the stability of Cisco Sourcefire SNORT 7.5 on a scale of one to ten. You're never going to hit a 10 on my scale regarding issues from time to time. You will always have issues, whether it's with the application or the actual machine running it. It's not necessarily inherent in Cisco Sourcefire SNORT, but it's just something about computers.
Cisco Sourcefire SNORT can scale, but if you have too much, you could fill up your log files, which I consider when discussing scalability. You have to make sure you have boundaries in place so you're not overloading the machine it's running on.
The issues are not significant; you just have to understand how it's capturing logs and how to set boundaries on how many logs can actually get stored to manage that requirement.
I've used Wazuh before, but I haven't had a chance to use CrowdStrike when it comes to any XDRs.
I do have some experience with endpoint solutions. I've used Cisco Sourcefire SNORT and Wazuh, but only basic experience with the latter. I don't have enough experience to write a review on other types of networking solutions or endpoint solutions.
My last time using Cisco Sourcefire SNORT was yesterday.
The initial setup is pretty straightforward. There's extensive documentation on how to set it up, so it wasn't too difficult to set up at all.

I cannot disclose the use cases of the solutions in my company because we operate in the financial industry.
One of the significant benefits of using the tool in our company is the skill we get for Cisco's networking, troubleshooting, and implementation phases that we can easily acquire from the market. In Hong Kong, there are a lot of people who know about Cisco products. They are familiar with how to set it up and how to troubleshoot, as it is quite easy to acquire such skills. It is easy to get a skilled engineer to help us out.
The tool's most valuable feature is threat detection, which is important because we have multiple layers not only in Cisco. However, I cannot disclose more information about this. The tool also has ease of setup and documentation.
Cisco offers the Cisco DNA Center, which is a source that provides crucial information for us to monitor performance and see whether there is any trouble. We are using Cisco DNA Center, but again, we have a multiple-layer setup. Other than Cisco DNA Center, we do have some other products. For Cisco, we are using DNA Center now. I want to see a better dashboard for the product. The dashboard can be a bit modified or enhanced.
I have been using Cisco Sourcefire SNORT for five to six years.
Stability-wise, I rate the solution a nine out of ten.
Scalability-wise, I rate the solution an eight out of ten.
There are several thousand users of the tool in my company.
The solution's technical support is helpful. I rate the technical support a nine out of ten.
Positive
When it comes to the product's deployment phase, we have a lot of vendor support. We have a lot of skills here in Hong Kong. Our company doesn't find any problem deploying Cisco solutions.
The solution is deployed on an on-premises version.
Speaking about the time required to deploy the solution, I would say that we have quite a lot of previous experience with deploying Cisco products. We have our company's standard design document, which we need to follow. We have a standard testing procedure for all those features. We just take out some appropriate parts and then compile them into one document for an individual project. It is actually quite easy for us to do the documentation, so it just takes one or two hours, and we can do the implementation because all the materials and testing procedures are already in our company standard documents, so it is not that difficult for us.
Our vendor performs the actual implementation, but my company provides the expected configuration. We also provide the testing procedure, the test cases, and the expected result. Our company provides all the documents to the vendor before implementation. The vendor will follow through with the document to implement. Once there are no problems, we will do the second-tier troubleshooting. Actually, we are not the ones who are doing the actual configuration, but we are doing all the planning. We formulate all the testing procedures and formulate all the documents.
My company gets vendor support to maintain the tool.
Speaking about ROI, the tool's price increases year by year, and then the product pushes us to upgrade existing boxes. Cisco does its business in a particular manner, and we know about it. Price rise is a method followed by Juniper, Aruba, and HP.
If one is an extremely expensive product, and ten is cheap, I rate the tool's price as a five. There are some other tools in the market that are more expensive than Cisco. There are no additional costs in addition to the tool's standard licensing fees.
We want to evaluate other brand names, like iMaster. We are thinking of other tools, like Huawei and H3C, to see which is the most suitable tool for us. I am not the decision maker who chose Cisco Sourcefire SNORT. I only manage the tool on PCs and other infrastructures. There may be some other decision-makers in my company. At the moment, there are not too many choices against Cisco Sourcefire SNORT. Either you can go for Juniper, Extreme Network, or Cisco. In Hong Kong, we commonly use Cisco for its better upgrades.
As an end customer, we do not actually know whether the tool uses real AI to do the analysis and then gives us advice or feedback or if it just uses simple logic to do it. The tool claims it has AI, but as a result, it can be a simple traditional relational way of dealing with logic and then feed us back. We cannot differentiate whether the tool has real AI or is just a traditional way to detect threats.
If someone wants to deploy a product easily and has a lot of support staff, then they can easily acquire the tool.
I rate the tool as an eight out of ten.

We use the solution for IT security prevention systems. It comes with the Cisco next-generation firewall. We use Sourcefire as an IPS.
The solution provides visibility. The application’s environment hosted behind the firewall is very impressive. The protection is good.
The solution has some stability issues. Also, it's complicated compared to other products like FortiGate.
I have been using Cisco Sourcefire SNORT for 6 years.
The solution is scalable. Every appliance has its limitations concerning its throughput. When we propose an appliance to a customer, we ask about the current requirement and the requirements for the next five years. Then, we suggest to the client that we serve them for the following five-year requirement.
Some appliances support clustering. In the case of horizontal clustering, we can combine multiple appliances to enhance it.
We have 30-40 customers using this solution.
The quality of support depends upon the engineer who is assigned to the case. When we open a case on Cisco’s website, an engineer is assigned to the case. Some are well versed in the technology and have very good knowledge. There are some situations where the engineer we are assigned is not an expert in Sourcefire.
The initial setup is a little difficult compared to other products in the market. It depends on the environment. The deployment of a green-field environment might be completed in a week. If we are doing any migration, it might take months in a brown-field environment.
The product is inexpensive compared to leading brands such as Palo Alto or Fortinet. It is cheaper than Palo Alto and comparable to Fortinet. It also depends on Cisco’s discount. Sometimes it's cheaper than Fortinet, sometimes it's more expensive.
We assess the client's environment, including the size of the workforce responsible for firewall management. Sourcefire can be effective despite its complexity if you have a capable team. Sourcefire might not be more appropriate if you lack a strong IT team.
When it comes to real-time traffic analysis, the requirements can vary significantly. Discussing an organization's or individual user's security posture adds another layer of complexity. It's important to note that there isn't a single device that can fully meet the demands of real-time traffic analysis for security purposes. Multiple appliances and solutions are often necessary to achieve comprehensive real-time visibility.
We've successfully integrated Sourcefire into various environments, making the process relatively straightforward. We've incorporated it with certain NMS, so I foresee no significant challenges in integrating the Sourcefire.
Cisco Sourcefire SNORT offers visibility and robust support. Its resource management documentation is notably extensive, enhancing usability. However, its complexity may pose challenges, especially as the market trends toward simpler solutions for intricate issues. While concerns regarding maturity and stability exist, the development team has actively addressed these issues, requiring ongoing scrutiny to ensure complete resolution.
Overall, I rate the solution a 7 out of 10.

We use the solution to protect our virtual server funds.
The solution has improved our organization by helping us provide protection from our own internal networks and internal clients.
The most valuable feature is the visibility that we have across the virtual environment.
The solution is expensive and can improve by lowering the cost.
I would like to have analytics included in the suite.
I have been using the solution for six years.
The solution is very stable.
The solution is scalable. On a scale of one to ten for scalability, I give the solution an eight. We have three administrators using the solution and we have plans to acquire additional appliances.
For technical support, we engage with local resellers. The local resellers have distributorship here in the Philippines, but in some cases, we can escalate our problem directly to Sourcefire.
Positive
We previously used TippingPoint and switched to Cisco Sourcefire SNORT because all of our acquisitions are through public bidding and TippingPoint did not participate once their contract expired.
We have a complex environment because of the limited number of ports we have against the cost of acquiring more ports, the initial setup becomes more complicated. On a scale of one to ten, I rate the setup a three for complexity.
The deployment took around 100 working days.
The implementation was completed by a system integrator. We purchased the solution through public bidding on the system and the resellers have system integrators that perform the services for us. After the deployment, we manage the solution ourselves.
We don't rate our ROI in pesos saved but rather on having no breaches and in this case we do see a return on investment.
The cost is per port and can be expensive but it does include training and support for three years.
I give the solution a nine out of ten.
We have an in-house engineer that has been assigned by the system integrators for a year. It's easier for our team to manage the solution because we have a local system integrator onsite. It's a type of hybrid managed service which is one way to mitigate the manpower that we have.
Before using this solution we must understand our infrastructure. We can reduce the cost by understanding which critical portion of our infrastructure needs to be protected.

We primarily use this solution as an intrusion prevention system for external firewalls. We use it for that firewall IPS/IDS and deploy the solution on-premises.
The security landscape is changing, so the cloud can be improved. As we move, we try to adopt more cloud services and integrate everything, such as on-premise solutions, to get them to work with cloud solutions. The utopia is to see everything from one dashboard, but sometimes that's not very possible.
We have been using this solution for over seven years.
The solution is stable.
The technical team takes care of it. However, the networking team has a lot of Cisco experience and has been using Cisco for a long time. So I think they are very comfortable with Cisco. I know there are newer solutions like Palo Alto and Check Point, but they understand Cisco and guarantee PCIe. We have approximately 10,000 users using the solution in our organization.
Cisco only provides 2nd-level support, and 1st-level support is within the partner.
All the firewalls are the same and there's no difference. We might as well be using an open-source firewall. We block and allow, then connect your threat, sources, and intelligence. And that's it. You keep it updated, and that's all that is required. It works fine, it's Cisco, we have support, and it works.
I rate the solution an eight out of ten. The solution is good, but the cloud can be improved. I recommend it to others.

We are using Cisco Sourcefire SNORT for security as an edge firewall.
The most valuable feature of Cisco Sourcefire SNORT is the dashboard for monitoring events.
The main dashboard of Cisco Sourcefire SNORT could improve.
I have been using Cisco Sourcefire SNORT for approximately four years.
We have had some issues with having high availability. For example, we have had some problems using two modules together.
I rate the stability of Cisco Sourcefire SNORT a seven out of ten.
The solution is scalable. The scalability can depend on the module that is installed.
I rate the scalability of Cisco Sourcefire SNORT an eight out of ten.
I have used the support and they have been helpful.
I rate the support from Cisco Sourcefire SNORT a nine out of ten.
Positive
We used McAfee prior to Cisco Sourcefire SNORT. We replaced all of our older solutions with Cisco Sourcefire SNORT.
The initial setup of Cisco Sourcefire SNORT took a couple of hours to complete.
We have two security specialists that do the deployment of the solution.
We use two people for the maintenance of the solution.
I would recommend this solution to others.
I rate Cisco Sourcefire SNORT an eight out of ten.

The product is primarily used for an IDS, Intrusion Detection Software, element.
You can do a lot of feasibility in terms of SSLI configuration which can be enabled.
You can encrypt and encrypt your data through Cisco Sourcefire so that your IPS solution can be effectively utilized.
Users have access to intelligent security automation as one of the features. It can easily automate your event impact assessment and your IPS policy tuning can be done as well as your network behavior analysis. They have introduced this intelligent security automation as part of that and then you can do a real-time contextual awareness. Basically, you can see a correlation of events that are created on your application, user devices, operating systems, or vulnerabilities. All of this real-time data can be captured including on your apps and port scans.
It is quite an intelligent product.
It can look into your north-south traffic in case of IPv6 attacks, DOS attacks, or buffer overflow. They say that it also supports against zero-day threats and items like that. They are up-to-date in terms of their threat protection, anti-bot, antivirus, and all kinds of signatures.
They have something called Firepower, which is advanced threat protection that they offer. It's a new subscription which we use for additional malware protection. It offers blocking capabilities and continuous analysis.
The solution is very stable.
The solution is still very new to us. Maybe if I extensively start using it on our environment I will be able to, based on the events and other things, come back with insights on features. But currently, it is quite new to us, so we are still using it and learning it.
The implementation could be a bit easier.
As long as they continue to develop security features to protect our company, they will be doing quite well.
I've been using the solution for six months at this point. It's been less than a year and hasn't been that long.
It is quite a stable product. We have not seen many issues with this product. We haven't seen crashes or glitches or bugs. Since we have just started to use this product, we need time to understand the stability for a longer period. It's only been around six months, and we are just implementing it now across a few locations.
The solution is pretty scalable. The throughput, however, depends on what kind of appliance you are buying. For example, you can have 50 Mbps to 40 Gbps of throughput. Currently, we are using 100 Mbps and, at a couple of smaller locations, we are using 50 Mbps of a throughput receiver.
We're implementing it across locations currently. We're implementing it on an enterprise level. We have close to around 15 major locations, wherein we are using it to align devices that are hosted in our data center or in our critical locations.
As we are still in the early stages, we do plan to continue to use the solution in the future.
Technical support is quite fast. Cisco is quite a big company and their support contract is there with us. We use a lot of Cisco products and therefore we have platinum support for everything. Due to our level, we get immediate support from Cisco on all of our Cisco products. We're quite satisfied with the level of service provided.
We were previously using IBM IPS. We switched due to the fact IBM wasn't really working for us. It couldn't help us solve most of our issues and the devices which we bought were also quite old. It didn't have the option of SSL encryption and other things in it. Due to all of these limitations, we decided to move away from IBM.
The initial implementation is pretty straightforward. It's just an appliance. We are using an appliance and it is predominantly for SSL encryption. We have a lot of applications on the cloud and on the web application.
Your IPS, DLP, everything can be done on a single appliance itself. Predominantly, we are using it for SSL encryption to a larger extent.
It doesn't take much time for installation. It depends on what you want to and what traffic you want to allow on Sourcefire.
For example, if I have a proxy path, where my users are accessing through a proxy path, that traffic needs to be encrypted. In cases where I have a direct path, and if I have a CMD path, it depends on where exactly you want to enable your SSL encryption or which data needs to be analyzed and used. If you have too many paths from which the users are accessing the data, then it is important that you use all the paths. If you are using it on a single path and if there are no other kinds of encryption used there, then obviously it doesn't make sense. If your traffic is going from north-south traffic, then you can use its product to ensure that your encryption and other tasks are happening.
We only need maybe one or two people for maintenance. Our data center specialist can handle the device. After implementation, it is just a configuration of our traffic. One or two people are more than enough.
Cisco is currently helping us with the implementation process.
We bought the appliance, which comes with a license as well.
While I don't know the exact pricing, most of these products are through subscription. In our case, we bought the complete appliance with the software with it. It does not run with any Cisco item, as we have bought the entire appliance. The three-year warranty of the appliance is there. It does not contain any licenses except for the software license and the hardware licenses which are a part of it. It's a three-year contract which we have bought.
The solution is the latest version. We're still in the process of implementing it, and therefore are using the most recent release.
I'd recommend the solution to other organizations.
Currently, I would rate the solution at a seven out of ten. I'm not completely migrated over. I need more time with the solution to really gauge its effectiveness.

Cisco Sourcefire SNORT is a powerful intrusion detection and prevention system that covers various network security threats. It simplifies the configuration process by offering pre-defined base configurations, including security and connectivity settings. These pre-configured settings serve as a starting point for users, allowing them to customize and fine-tune their security policies based on their needs. This feature streamlines the deployment process and ensures that users can quickly establish a robust security posture without building configurations from scratch. Additionally, the intuitive interface provides users with a clear understanding of the parameters they can adjust and the impact of their changes, facilitating efficient management of network security policies.
Cisco Sourcefire SNORT is integrated into the database. They primarily use SNORT to enhance the database. Additionally, they may make some adjustments when transitioning between nodes.
The solution's approach to managing traffic blocking is confusing and impractical. It's challenging to envision how to implement it, especially considering architectural constraints.
I have been using Cisco Sourcefire SNORT for 2 years.
There are technicalities of SNORT and conducting numerous OS upgrades with challenges with new OS versions. There were frequent issues. Cisco's support provides quick response. I rate the solution's stability as six or seven out of ten.
Cisco Sourcefire SNORT has extensive coverage.
I rate it as a nine out of ten.
The support for Cisco Sourcefire SNORT is very good. They are there to assist when needed. They don't just leave you hanging.
Positive
The setup for Cisco Sourcefire SNORT is straightforward and well-documented. Enabling SNORT on Cisco Sourcefire is straightforward. Once you have configured everything properly, you need to go to the device and click one button. After that, SNORT is activated, and deployment is required. It may not be difficult, but it's easy to set up.
A few features of Cisco Sourcefire SNORT are expensive.
It provides a centralized platform using Cisco. SNORT is integral to the database. The primary function is expanding the database. As nodes transition, adjustments are made to SNORT, further enhancing its capabilities. It plays a crucial role in managing various protocols.
Cisco Sourcefire SNORT is expected to offer improved management capabilities within the ACP. However, navigating the ACP settings can be challenging, particularly when dealing with default configurations. Additionally, upgrading devices may receive unfamiliar database updates from the FMC, such as ETB. This can lead to confusion and necessitate careful handling to ensure proper integration and functionality.
Changes in Cisco Sourcefire SNORT, particularly in application settings, can have significant impacts. For instance, transitioning from one application setting to another, such as from a large-scale deployment to a maximum setting, can disrupt operations. This disruption is particularly challenging because it affects various rules and configurations for different applications. It's essential for Cisco to streamline the process of managing these changes, possibly by providing more user-friendly interfaces or tools, as relying solely on technical support can be cumbersome. Specifically, when discussing SmartOps, the complexity of managing configurations and settings becomes apparent, highlighting the need for simpler, more intuitive solutions.
When working with Cisco Sourcefire SNORT, creating your profile files and meticulously tracking your activities is essential. When starting out with SNORT and adjusting migration rules, it's crucial to exercise caution and understand the potential impact on the business.
Sometimes, you need to put your network into 'inline mode' to observe the traffic and understand what's happening on your network. Enabling this mode allows you to see what's passing through your network.
There are some tools we use to analyze specialized traffic. We recently encountered a situation in which Cisco SQL traffic was blocked because of SNORT. It provides good analysis and outputs. You can see everything if you're attached to intrusion testing in the FMC; its database is good. The strength of SNORT, coupled with its integration with the firewall, works well. The database from SNORT contains a lot of data, and it's not just a single tool requirement. Dealing with all this data can be challenging.
Firepower had some options like that that couldn't be blocked. Then, you can start to see improvement. We encountered an issue where certain features were blocked after migrating from SNORT version two to three. Despite our efforts to ensure progress, some problems arose, particularly related to the network analysis policy. This occurred even before transitioning to Sourcefire; within the engine, some traffic passing through SNORT faced issues. When migrating to version three, Cisco had to release a patch to address this problem and give you an idea.
Overall, I rate this solution an eight out of ten.

We use Cisco Sourcefire SNORT for intrusion prevention cases.
Within our organization, there are roughly 1,000 people using this solution.
Cisco Sourcefire SNORT is easy to configure and the reporting is great. It's also very user-friendly.
I did not experience any pain points that required improvement. Maybe a couple of false positives, but that's about it.
I have been using this solution for roughly four years.
Cisco Sourcefire SNORT is stable.
Cisco Sourcefire SNORT is scalable.
The technical support is very good.
The initial setup was very straightforward. Deployment took roughly two months.
We used a reseller to help us with deployment.
We did evaluate other solutions before choosing Cisco Sourcefire SNORT.
I would definitely recommend this solution to other users. Should you choose to use Cisco Sourcefire SNORT, I'd recommend that you get the help of a professional service for deployment.
Overall, on a scale from one to ten, I would give Cisco Sourcefire SNORT a rating of eight.

The solution has improved our organization in terms of management. We don't need to have too many resources when it comes to managing it, unlike previously, when we had the IPS. It was a nightmare trying to download the signatures, and uploading them was also a nightmare. This solution makes life a lot easier. There are fewer man-hours required.
The solution is rather easy to use.
The signatures are uploaded and there's a set of recommended ones that we are using, which makes it a lot easier than having to configure individual signatures together.
While the alerts they offer are good, they could be improved in the sense that they should be more detailed to make the alerts more useful to us in general. Sometimes the solution will offer up false positives. Due to the fact that the alerts aren't detailed, we have to go dig around to see why it is being blocked. The solution would be infinitely better if there was just a bit more detail in the alert information and logging we receive.
I've been working with the solution for a long time. It's been about five to six years at this point.
There are no bugs or glitches. The solution doesn't freeze. It doesn't crash. It's reliable. It's very stable.
In terms of scalability, I've not really had to look into it due to the fact that the devices we have are accurate for our purposes. I can't really say a lot about scalability because I've not had to. I'm sure they have got configurations where you can maybe put two or three together to scale it up if you need to.
We've only reached out to technical support once when we had to do an upgrade. The team at Cisco was very helpful. They were responsive and knowledgeable. We were quite happy with the level of service we were provided.
The initial setup was not complex at all. It was very straightforward. We were able to handle it easily.
Deployment, in total, took about a week.
We're just an end-user of the service. We don't have a business relationship with Cisco.
The hardware we're using is still old. We bought it when the product was not under Cisco. That said, obviously, Cisco has now updated the product with new hardware. However, we've still got the old hardware.
I would advise other organizations to go ahead and try the solution out. It's a good product. It's very straightforward and easy to implement, especially when you compare it to other systems.
I'd rate the solution eight out of ten overall. If they offered better and more detailed alerts, I would rank them higher.