Well, I use them both and they both serve different purposes.

PortSentry is a port scan detector. It monitors the ports on your system for scans and then depending on how you configure it, blocks the host that scanned you by either route black-holing, firewall rules, hosts.deny entries, and/or an external script.

Snort, on the other hand, is more of a true IDS where it scans the entire network by placing the NIC in promiscuous mode. It then has different rules it compares network traffic to looking for various intrusion attempts.

I've done some development on PortSentry and have a patch for their latest beta version (2.0b1) available that adds a lot of additional functionality to the code. Download it here:

http://www.westrope.com/files/portsentry-2.0b1-JRF.patch.gz

> -----Original Message-----
> From: owner-kclug@marauder.illiana.net
> [mailto:owner-kclug@marauder.illiana.net]On Behalf Of jose sanchez
> Sent: Monday, August 05, 2002 12:56 AM
> To: KC Linux
> Subject: IDS
>
> Hello:
>
> Between PortSentry and Snort, installed on a firewall,
> which one would be:
>
> a. Easier to configure/use/run
> b. Safer to have (more secure, w/o vulnerabilities)
> c. Convenient
> d. Performs best
>
> Thanks.
>
> =====
> "An ounce of gold cannot buy an ounce of time."
> - Anonymous
>
> www.whmicro.com
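The four response mechanisms named in the reply above (route black-holing, firewall rules, hosts.deny entries, external script) map onto a handful of portsentry.conf settings. This is an added example, not part of the original message or of the patch it links to; it uses the option names of the PortSentry 1.x configuration file, and the file paths, port list and script name are assumptions.

```ini
# portsentry.conf fragment (added example; PortSentry 1.x option names,
# paths, ports and the script name are assumed values)

# Decoy ports to watch. A connection to any of them counts as a scan.
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,12345,31337"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,31337,54321"

# Hosts listed here are never blocked. Keep localhost, the gateway and
# your admin hosts in it so an automatic block cannot lock you out.
IGNORE_FILE="/usr/local/psionic/portsentry/portsentry.ignore"
HISTORY_FILE="/usr/local/psionic/portsentry/portsentry.history"
BLOCKED_FILE="/usr/local/psionic/portsentry/portsentry.blocked"

# Response level per protocol:
#   0 = log only, take no action
#   1 = run KILL_ROUTE, KILL_HOSTS_DENY and KILL_RUN_CMD
#   2 = run KILL_RUN_CMD only
BLOCK_TCP="1"
BLOCK_UDP="1"

# Route black-holing: drop replies to the scanning host.
KILL_ROUTE="/sbin/route add -host $TARGET$ reject"

# Firewall rule instead of a route (use one KILL_ROUTE line, not both).
#KILL_ROUTE="/sbin/iptables -I INPUT -s $TARGET$ -j DROP"

# hosts.deny entry for TCP-wrapped services.
KILL_HOSTS_DENY="ALL: $TARGET$"

# External script, called with the scanner's address and the port hit.
# notify-scan.sh is a hypothetical script name.
KILL_RUN_CMD="/usr/local/sbin/notify-scan.sh $TARGET$ $PORT$"

# Number of port hits allowed before reacting (0 = react on the first).
SCAN_TRIGGER="0"
```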