[Dshield] IPS/IDS solutions--your opinions?
Pete Cap
peteoutside at yahoo.com
Wed Jan 23 19:59:03 GMT 2008
-----
From: Albert R. Campa <abcampa at gmail.com>
ISS doesn't have open signatures, so I can't see why an event is
triggered and how it is set to trigger.
Do most of you recommend an IDS/IPS that you can see the code behind
the alert?
-----
In my experience this has been the #1 beef with every solution:
Every customer at some point wants to write their own signatures, and the best they get is a half-assed signature builder GUI of some kind. This has been true of older products (Symantec, Cisco) as well as newer ones (McAfee) so it seems as if none of the vendors are getting the hint.
Talking to them at trade shows, I get the impression most of them don't even support basic regex...or else they have their own weird "syntax" that is somehow proprietary.
I love Snort but in my experience it doesn't scale well. Managing 150 IntruShield sensors is easy. Managing 150 Snort boxes...not so much.
--Pete