
Are programs like Snort like an anti-virus, or is it something a security professional would use [closed]

Çağlar Arlı


My friend told me that NIDS like Snort are an important part of a security configuration, but to me it seems like an anti-virus program. Should security be had via correctness (such as auditing software for buffer overflows, and using static analyzers), isolation (including everything from capabilities to guard pages), and randomization (ASLR, ASLP like selfrando)? Or should these measures be augmented with NIDS such as Snort?

I'm only concerned with zero day attacks. I specifically am not concerned with scanning for exploits like an anti-virus does. I don't want "day after" security, where some people need to be compromised by the threat before a signature can be made for it.

https://ieeexplore.ieee.org/stampPDF/getPDF.jsp?tp=&arnumber=6759203 states that Snort can detect zero-day attacks.

I saw one example of a rule that detected long sequences of As, and see that attackers following tutorials on how to exploit buffer overflows can be caught by that. However, the source said not to use rules like this, as it targets the exploit instead of the vulnerability. I don't understand what targeting the vulnerability would look like, and to me it seems like Snort is just acting like an anti-virus on the network.
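An added illustration of the exploit-centric versus vulnerability-centric distinction the question asks about (example code written for this page, not from the post or from the Snort project). It models a hypothetical line-based service whose command-argument buffer is assumed to hold 128 bytes; the traffic samples are constructed, and the two checks mimic the logic of the two rule styles rather than real Snort rule syntax.

```python
import re

# Assumption for this example: the hypothetical service copies the USER
# argument into a fixed 128-byte buffer. No real product or CVE is implied.
ARG_BUFFER_LIMIT = 128

# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    # normal login line
    "benign": b"USER alice\r\n",
    # the "tutorial" payload: a long run of 'A' bytes
    "tutorial_overflow": b"USER " + b"A" * 300 + b"\r\n",
    # same oversized argument, but filled with mixed printable bytes (no A-run)
    "disguised_overflow": b"USER " + bytes(range(32, 127)) * 4 + b"\r\n",
}


def exploit_centric(payload: bytes) -> bool:
    """Signature on an artefact of one particular exploit: 100+ consecutive 'A'.
    This is the anti-virus-like style: it recognises a payload, not the bug,
    so any attacker who pads with different bytes walks straight past it."""
    return re.search(rb"A{100,}", payload) is not None


def vulnerability_centric(payload: bytes) -> bool:
    """Rule written against the weakness itself: a USER argument longer than
    the buffer the service can hold, whatever the bytes are. Fires on every
    payload that could trigger the overflow, including ones never seen before."""
    m = re.match(rb"USER ([^\r\n]*)", payload)
    return m is not None and len(m.group(1)) > ARG_BUFFER_LIMIT


def evaluate(samples=SAMPLES) -> dict:
    """Return {sample_name: (exploit_centric_hit, vulnerability_centric_hit)}."""
    return {name: (exploit_centric(p), vulnerability_centric(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (ex, vuln) in evaluate().items():
        print(f"{name:20s} exploit-centric={ex!s:5s} vulnerability-centric={vuln}")
```

The disguised sample is the point: only the rule that encodes the vulnerable buffer limit catches it, which is what "targeting the vulnerability instead of the exploit" means in practice.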