Snort VRT Rules Question - Anyone Using them in SMB setting?



  • Hello,

    I'm looking at setting up a UTM device with pfSense and came across Snort for IDS/IPS. The FW is going to be used in an SMB setting that has to be PCI compliant. However, after some research, it seems that Snort is $499/$399 per device/year, depending on configuration - this seems a bit high when compared to our current SonicWALL/Watchguard setup.

    So my question is, are people really using the VRT ruleset for their SMB locations? I'm all for Open-Source and supporting the community but Snort is owned by Cisco and this seems a bit extreme.



  • Snort cost that much before the acquisition. If you don't pay you can still use it, you just get rules a few weeks later than anyone else. You could always use the free rules and Emerging Threats.


  • Moderator

    I have Snort VRT and ET Pro rulesets. If I had to choose between them, I would subscribe to the ET Pro ruleset and use the Snort open ruleset.



  • Thanks for the input.

    Jason - I was actually alluding that you could justify, before Cisco, with "Support the Community" logic but with the acquisition, it becomes a dollars and cents decision.

    BBCan - I'll look into those, appreciate the suggestion.



  • @abard:

    Thanks for the input.

    Jason - I was actually alluding that you could justify, before Cisco, with "Support the Community" logic but with the acquisition, it becomes a dollars and cents decision.

    BBCan - I'll look into those, appreciate the suggestion.

    That doesn't make any sense.  You were willing to spend $500 before but not now simply because Snort was bought by a larger company.  Sourcefire was never a not-for-profit and they got paid something fierce when they were purchased (it was almost $3B if memory serves).

    Anyway, this price is way cheaper than the IDS options on Cisco's ASAs.