CounterSnipe APS v4.0.3
Strengths: Low-cost (if deployed on a low-end server) IDS/IPS solution that adds a nice user interface with basic reporting and alerting to Snort.
Weaknesses: Signature based and can customize classification sets, but no real rule engine.
Verdict: This is a nice option to using Linux- or Snort-based solutions. It gives one an easy-to-use management console for overseeing all those deployed sensors. It works best as a traffic analysis solution.
SummaryCounterSnipe Active Protection Software (APS) provides network-based intrusion prevention security. The APS from CounterSnipe is a combination of intrusion prevention software, host/application discovery, vulnerability detection and intelligent alert management.
The solution is delivered as software and needs to be installed on a Linux-compatible server. The process to fully load and configure the server took about 30 minutes, but it was very easy and did not require substantial Linux expertise as the product is downloadable as a Debian ISO that the admin uses to create a bootable CD. Booting to the CD starts the fully automated process of loading the operating system and application, which gives way to a menu-driven configuration interface for setup.
The software includes Snort as the IDS engine and detects and compares the network traffic with a constantly updated database of IDS/IPS, spyware and malware signatures. As with Snort, admins have various alerting and remediation options available. These actions range from dropping or rejecting traffic (close the connection) to alerting to the presence of the malicious packets. A total of nine different actions are available to provide admins with a truly flexible incident response.
A web-based user interface is used for management and configuration of the sensors. The interface provides a console dashboard and config bar for navigating between devices, classifications, alerting and signature management.
Support can be purchased for 20 or 25 percent of the purchase price and includes hourly updates. We did not find any description of what was covered under support on the website. Documentation was fairly sparse but gave us enough to run through the setup.
There is definitely a place for this technology. If one without a large budget has an environment that requires the deployment of dozens of sensors, this is a very nice alternative to going without protection.