[Dshield] IPS/IDS solutions--your opinions?

CunningPike cunningpike at gmail.com
Wed Jan 23 17:26:54 GMT 2008


I recommend snort in conjunction with sguil, on the basis that alerts 
without the underlying pcaps aren't much use. sguil allows the viewing 
of alerts in real time in a console, and makes it easy to view the 
corresponding pcap either as a transcript or via wireshark. If you would 
like summary reports like BASE provides, squert runs on your sguil db, 
and is about 100 times faster.

For more info, go to 
http://www.vorant.com/nsmwiki/Sguil_Installation_and_HOWTO_Guides, or 
join us in #snort-gui on freenode.

For a dynamic blocking addition, I recommend snortsam.

CP
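The point above, that an alert is hard to act on without the packets behind it, is what a sguil-style console does for you: take the alert's 5-tuple and pull the matching session out of the capture. The script below is an added example (not code from the post, from sguil, or from Snort) that does the same thing by hand for one alert: it parses a line in Snort's single-line "fast" alert format, walks a classic libpcap file, and returns the payloads of both directions of the alerted TCP flow as a transcript. The alert line, the rule SID and the three-packet pcap are constructed sample data built inline; the capture is assumed to be Ethernet/IPv4/TCP with little-endian pcap headers.

```python
"""Correlate one Snort 'fast' alert with the packets of the same flow in a pcap
and return a plain-text transcript. Added example; the sample alert, SID and
capture below are constructed, not taken from any real sensor."""
import re
import struct

# Snort fast-alert format, e.g.
# "MM/DD-HH:MM:SS.ffffff  [**] [gid:sid:rev] msg [**] [...] {TCP} src:sport -> dst:dport"
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_fast_alert(line):
    """Return the alert fields as a dict; numeric fields are converted to int."""
    m = ALERT_RE.match(line)
    if not m:
        raise ValueError("not a Snort fast alert: %r" % line)
    d = m.groupdict()
    for k in ("gid", "sid", "rev", "sport", "dport"):
        d[k] = int(d[k])
    return d


def iter_pcap(data):
    """Yield (ts_sec, ts_usec, frame) from a classic little-endian libpcap file."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic")
    off = 24  # skip the global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield ts_sec, ts_usec, data[off:off + incl_len]
        off += incl_len


def decode_tcp(frame):
    """Return (src, sport, dst, dport, payload) for an Ethernet/IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 6:  # IP protocol field: 6 = TCP
        return None
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4  # TCP data offset in bytes
    return src, sport, dst, dport, tcp[doff:]


def flow_transcript(alert_line, pcap_bytes):
    """Return [(direction, payload), ...] for every non-empty segment of the alerted flow."""
    a = parse_fast_alert(alert_line)
    fwd = (a["src"], a["sport"], a["dst"], a["dport"])
    rev = (a["dst"], a["dport"], a["src"], a["sport"])
    out = []
    for _sec, _usec, frame in iter_pcap(pcap_bytes):
        d = decode_tcp(frame)
        if d is None or not d[4]:
            continue
        if d[:4] == fwd:
            out.append(("SRC", d[4]))
        elif d[:4] == rev:
            out.append(("DST", d[4]))
    return out


# --- constructed sample data (builders for the test capture) ---
def _frame(src, sport, dst, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame; checksums are left zero."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(x) for x in src.split(".")),
                     bytes(int(x) for x in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap file (linktype 1 = Ethernet)."""
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", 1201109214 + i, 0, len(f), len(f)) + f
    return data


SAMPLE_ALERT = ("01/23-17:26:54.000123  [**] [1:1000001:1] CONSTRUCTED test rule [**] "
                "[Classification: Attempted Information Leak] [Priority: 2] {TCP} "
                "10.0.0.5:43210 -> 192.0.2.10:80")

SAMPLE_PCAP = build_pcap([
    _frame("10.0.0.5", 43210, "192.0.2.10", 80, b"GET /status HTTP/1.0\r\n\r\n"),
    _frame("10.0.0.7", 51000, "192.0.2.10", 80, b"GET / HTTP/1.0\r\n\r\n"),  # unrelated flow
    _frame("192.0.2.10", 80, "10.0.0.5", 43210, b"HTTP/1.0 200 OK\r\n\r\n"),
])

if __name__ == "__main__":
    for direction, payload in flow_transcript(SAMPLE_ALERT, SAMPLE_PCAP):
        print(direction, payload.decode("ascii", "replace").rstrip())
```

Only segments carrying data are kept, and the unrelated flow from 10.0.0.7 is dropped, so the output is the two-line request/response transcript an analyst would expect to see beside the alert. Matching on the exact 5-tuple is deliberate: it is the same key the alert names, so nothing from a neighbouring connection to the same server leaks into the transcript.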

Pete Cap wrote:
> List,
> 
> Would anyone mind discussing the pros and cons of IDS/IPS solutions you've used?
> 
> I've been trained on several systems, only one of which is current: McAfee's.  They all had pros and cons but I liked Intrushield a lot, but for a few things--for instance, Cisco's product never impressed me, but you could always just run snoop when you saw something weird.  I'm also not a huge fan of their all-in-wonder router/IDS gear but I haven't used it very much.  I want to look into Sourcefire at some point this year as well.
> 
> Any other thoughts?
> 
> Best regards,
> Pete
> 
> 

