[Dshield] IPS/IDS solutions--your opinions?
Mike LeBlanc
mlinfosec at comcast.net
Tue Jan 22 18:47:06 GMT 2008
Pete,
You didn't mention whether you wanted to set the scope at network- or host-based IDS/IPS. My biggest issue is false positives (for both).
For NIPS I have used ISS Proventia -- OK, false positives abound.
NIDS: some Snort, some Sourcefire, and ISS -- too many false positives across the board.
HIPS: Determina ROCKED. Why? It looked at running code and stopped vectors of attack on vulnerabilities.
Con: they are end-of-lifing in Dec '08. VMware bought them and is using the code but will not offer the standalone HIPS!
Wish list: HIPS, a Determina replacement.
NIPS/NIDS: reduction of false positives through:
1/ baseline analysis (network heuristics)
2/ environment information (Unix sigs against Windows)
3/ vulnerability persecution (a la Core Impact info)
I know this is a super dumb question, but why can't Microsoft build a HIPS that examines code (a la Determina) and stops *classes* of vulnerabilities (since they can't seem to get clean "non-vulnerable" code going)?
I still suggest the combination of NIPS/NIDS and HIPS, to see the "chain of attempted attack" (if the HIPS is rock solid)... One hole in all this: an authorized user doing something stupid, like running code he has no authentication mechanism for.
Just my 2 nickels,
[m]
On 1/23/2008 8:37:47 AM, Pete Cap (peteoutside at yahoo.com) wrote:
> List,
>
> Would anyone mind discussing the pros and cons of IDS/IPS solutions you've used?
>
> I've been trained on several systems, of which the only current one is McAfee's. They all had pros and cons but I liked IntruShield a lot, but for a few things--for instance, Cisco's product never impressed me, but you could always just run snoop when you saw something weird.
> I'm also not a huge fan of their all-in-wonder router/IDS gear but I haven't used it very much. I want to look into Sourcefire at some point this year as well.
>
> Any other thoughts?
>
> Best regards,
> Pete
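Mike's wish-list items 2 and 3 above (drop alerts whose signature targets an OS the destination host does not run; de-prioritize alerts against hosts already known to be patched or not listening on the targeted port) amount to joining each sensor alert to an asset inventory before anyone looks at it. The following is an added example, not code from either poster or from any of the products named in the thread: it parses Snort-style "alert_fast" lines and triages them against a hand-made inventory. The IP addresses, the inventory, the signature-to-OS table and the SIDs (chosen in the local-rule range above 1000000) are all constructed for this example.

```python
"""Triage Snort-style alerts against an asset inventory (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Snort alert_fast layout:
#   timestamp [**] [gid:sid:rev] msg [**] [Classification: ...] [Priority: n] {proto} src:sport -> dst:dport
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


@dataclass
class Alert:
    sid: str
    msg: str
    priority: int
    proto: str
    src: str
    dst: str
    dport: int


def parse_alert(line: str) -> Optional[Alert]:
    """Return an Alert for a well-formed fast-format line, None otherwise."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return Alert(m["sid"], m["msg"], int(m["prio"]), m["proto"],
                 m["src"], m["dst"], int(m["dport"]))


# Constructed asset inventory: OS family, listening ports, and SIDs whose
# underlying vulnerability is already patched on the host (what a
# vulnerability scanner or Core Impact-style assessment would feed in).
INVENTORY = {
    "10.0.0.20": {"os": "windows", "ports": {445, 3389}, "patched_sids": {"1000001"}},
    "10.0.0.30": {"os": "linux", "ports": {22, 80}, "patched_sids": set()},
}

# Constructed signature metadata: the OS family the exploit actually works
# against. "any" means the signature is not OS-specific.
SIG_TARGET_OS = {"1000001": "windows", "1000002": "linux", "1000003": "any"}


def triage(alert: Alert, inventory=INVENTORY, sig_os=SIG_TARGET_OS):
    """Return (verdict, reason). Verdicts rank drop < demote < keep < escalate."""
    host = inventory.get(alert.dst)
    if host is None:
        # Unknown host: we have no grounds to suppress, so leave it alone.
        return "keep", "destination not in inventory; cannot rule it out"
    target = sig_os.get(alert.sid, "any")
    if target != "any" and target != host["os"]:
        # The "Unix sig against Windows" case: the exploit cannot land.
        return "drop", f"{target} exploit aimed at a {host['os']} host"
    if alert.dport not in host["ports"]:
        return "demote", f"port {alert.dport} not listening on {alert.dst}"
    if alert.sid in host["patched_sids"]:
        return "demote", "host already patched for this signature"
    if alert.priority == 1:
        return "escalate", "matching OS, open port, unpatched, priority 1"
    return "keep", "plausible but lower-priority"


def triage_all(lines):
    """Parse and triage every line; unparsable lines are skipped."""
    out = []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        verdict, reason = triage(a)
        out.append((a.sid, a.dst, verdict, reason))
    return out


# Constructed sample alerts (203.0.113.0/24 is a documentation range).
SAMPLE_ALERTS = [
    "01/22-18:47:06.000001  [**] [1:1000002:1] LOCAL Unix remote root attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4444 -> 10.0.0.20:22",
    "01/22-18:47:07.000002  [**] [1:1000001:1] LOCAL Windows SMB overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4445 -> 10.0.0.20:445",
    "01/22-18:47:08.000003  [**] [1:1000001:1] LOCAL Windows SMB overflow attempt [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.5:4446 -> 10.0.0.30:445",
    "01/22-18:47:09.000004  [**] [1:1000003:1] LOCAL Web app command injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4447 -> 10.0.0.30:80",
    "01/22-18:47:10.000005  [**] [1:1000003:1] LOCAL Web app command injection [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 203.0.113.5:4448 -> 10.0.0.99:80",
    "01/22-18:47:11.000006  [**] [1:1000003:1] LOCAL Web app command injection [**] [Classification: Web Application Attack] [Priority: 2] {TCP} 203.0.113.5:4449 -> 10.0.0.30:8080",
    "garbage line the sensor should never have written",
]

if __name__ == "__main__":
    for sid, dst, verdict, reason in triage_all(SAMPLE_ALERTS):
        print(f"{verdict:8} sid={sid} dst={dst}  ({reason})")
```

The ordering of the checks matters: an OS mismatch is a hard drop because the exploit cannot succeed, while a closed port or an applied patch only demotes, since the inventory may be stale. Hosts absent from the inventory are never suppressed; the whole scheme is only as good as the asset data behind it.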