[Dshield] IPS/IDS solutions--your opinions?
Matt Jonkman
jonkman at jonkmans.com
Wed Jan 23 17:54:58 GMT 2008
Albert R. Campa wrote:
> ISS doesn't have open signatures, so I can't see why an event is
> triggered and how it is set to trigger.
>
> Do most of you recommend an IDS/IPS that you can see the code behind the alert?
I'm biased in my opinion, but I don't understand how you can run an IDS
response mechanism without seeing the signatures that generated the
event. I just don't see how it's possible. Plus the difficulty this
brings in trying to write your own rules for local issues...
Personally, that's an absolute no-go in the purchase process for me.
Even if they can only show you the sigs under NDA (as some do), you'll be
alright. But no access at all... deal breaker in any environment I've
ever consulted in.
Your mileage may vary of course. But give me a Snort box and I can get
you better results for less money any day, any environment. :)
Matt
>
> I have had false positives where I can't tell why it's a false positive
> because I can't see inside the signature.
>
> Saludos
>
> Albert
>
> On Jan 23, 2008 7:37 AM, Pete Cap <peteoutside at yahoo.com> wrote:
>> List,
>>
>> Would anyone mind discussing the pros and cons of IDS/IPS solutions you've used?
>>
>> I've been trained on several systems, the only one of which is current is McAfee's. They all had pros and cons, but I liked Intrushield a lot, but for a few things; for instance, Cisco's product never impressed me, but you could always just run snoop when you saw something weird. I'm also not a huge fan of their all-in-wonder router/IDS gear, but I haven't used it very much. I want to look into Sourcefire at some point this year as well.
>>
>> Any other thoughts?
>>
>> Best regards,
>> Pete
>>
>>
>> _________________________________________
>> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up north if you can be in New Orleans. http://www.sans.org/info/15826
>>
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
US Phone 765-429-0398
US Fax 312-264-0205
AUS Fax 61-29-4750-026
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
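Matt's point above, that you cannot explain an alert or tune away a false positive without reading the signature, as an added example that is not part of the original thread and is not Emerging Threats' or Snort's code: a small Python matcher for a subset of Snort rule syntax (content with nocase/offset/depth, and pcre) that records which option matched and at what byte, so the analyst can see exactly why a rule fired. The two local rules, their SIDs in the 1000000+ local range, and the three HTTP request payloads are constructed for illustration; the "benign" request is the false positive, and the tuned rule adds a pcre so it no longer matches.

```python
"""Added example (not from the original thread): a matcher for a small subset
of Snort rule syntax that records *why* a rule fired. Supports content with
nocase/offset/depth, and pcre. Rules, SIDs and payloads below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s*->\s*"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$", re.DOTALL)
# name:value; or bare name;  a quoted value may itself contain ';'
OPT_RE = re.compile(r'\s*(\w+)(?::\s*("(?:[^"\\]|\\.)*"|[^;]*))?\s*;')


@dataclass
class Content:
    pattern: bytes
    nocase: bool = False
    offset: int = 0              # start searching here
    depth: Optional[int] = None  # ...and look at most this many bytes from offset


@dataclass
class Rule:
    msg: str = ""
    sid: int = 0
    contents: list = field(default_factory=list)
    pcre: Optional["re.Pattern"] = None


def decode_content(text: str) -> bytes:
    """Snort content string to bytes; |41 42| runs are hex."""
    out = bytearray()
    for i, part in enumerate(text.split("|")):
        out += bytes.fromhex(part) if i % 2 else part.encode("latin-1")
    return bytes(out)


def parse_rule(text: str) -> Rule:
    m = HEADER_RE.match(text.strip())
    if not m:
        raise ValueError("unsupported rule header")
    rule = Rule()
    for name, value in OPT_RE.findall(m.group("opts")):
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        if name == "msg":
            rule.msg = value
        elif name == "sid":
            rule.sid = int(value)
        elif name == "content":
            rule.contents.append(Content(decode_content(value)))
        elif name in ("nocase", "offset", "depth"):  # modifiers bind to the last content
            if not rule.contents:
                raise ValueError(f"{name} without a preceding content")
            c = rule.contents[-1]
            if name == "nocase":
                c.nocase = True
            elif name == "offset":
                c.offset = int(value)
            else:
                c.depth = int(value)
        elif name == "pcre":  # "/body/flags"; only the i flag is honoured here
            body, _, flags = value[1:].rpartition("/")
            rule.pcre = re.compile(body.encode("latin-1"),
                                   re.IGNORECASE if "i" in flags else 0)
        # rev, classtype, flow, ... are accepted and ignored in this subset
    return rule


def evaluate(rule: Rule, payload: bytes) -> dict:
    """Apply every option and keep a per-option trace (hit, byte offset)."""
    trace = []
    for c in rule.contents:
        hay, pat = (payload.lower(), c.pattern.lower()) if c.nocase else (payload, c.pattern)
        end = len(hay) if c.depth is None else min(len(hay), c.offset + c.depth)
        at = hay.find(pat, c.offset, end)  # whole pattern must fit inside [offset, end)
        trace.append({"option": f"content:{c.pattern!r}", "hit": at >= 0, "at": at})
    if rule.pcre is not None:
        m = rule.pcre.search(payload)
        trace.append({"option": f"pcre:{rule.pcre.pattern!r}",
                      "hit": m is not None, "at": m.start() if m else -1})
    alert = bool(trace) and all(t["hit"] for t in trace)
    return {"sid": rule.sid, "msg": rule.msg, "alert": alert, "trace": trace}


def explain(result: dict) -> str:
    """The line you want next to an alert: which option hit, and where."""
    verdict = "ALERT" if result["alert"] else "no alert"
    lines = [f"sid:{result['sid']} {result['msg']!r} -> {verdict}"]
    for t in result["trace"]:
        lines.append(f"  {t['option']}: " + (f"hit at byte {t['at']}" if t["hit"] else "no match"))
    return "\n".join(lines)


# Constructed local rules (hypothetical SIDs in the local 1000000+ range).
NOISY_RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL cmd.exe in request"; '
              r'content:"cmd.exe"; nocase; depth:200; sid:1000001; rev:1;)')
TUNED_RULE = (r'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"LOCAL cmd.exe with /c argument"; '
              r'content:"cmd.exe"; nocase; depth:200; pcre:"/cmd\.exe\?\/c\+/i"; sid:1000002; rev:1;)')

# Constructed HTTP request payloads.
ATTACK = b"GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: www\r\n\r\n"
BENIGN = b"GET /docs/cmd.exe-tips.html HTTP/1.1\r\nHost: intranet\r\n\r\n"        # the false positive
LATE = b"GET /search?q=" + b"a" * 200 + b"cmd.exe HTTP/1.1\r\nHost: www\r\n\r\n"  # past depth:200

if __name__ == "__main__":
    for text in (NOISY_RULE, TUNED_RULE):
        rule = parse_rule(text)
        for label, payload in (("attack", ATTACK), ("benign", BENIGN), ("late", LATE)):
            print(f"[{label}] " + explain(evaluate(rule, payload)).replace("\n", "\n        "))
```

Run stand-alone, the trace shows the noisy rule hitting `cmd.exe` at byte 38 of the attack request and at byte 10 of the benign documentation URL, which is exactly the information a closed-signature product withholds; the tuned rule's pcre then fails on the benign request, and the "late" request shows why `depth:200` keeps the rule cheap but also what an evasion past that window looks like. Only a subset of Snort's option language is implemented here (no `distance`/`within`, `flow`, or rule-header networking), so it is a triage aid, not a replacement engine.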