[Dshield] IPS/IDS solutions--your opinions?
Albert Gonzalez
albertg at cerveau.us
Thu Jan 24 12:06:38 GMT 2008
Another thing to mention: the Sourcefire appliances also have the ability to monitor and parse up to 8 Gb/s with their beefier boxes (IS5800). Although I've also seen shops tune/modify OSS Snort to be able to handle Gb/s.
It is so much more than just Snort with a fancy GUI. You have RNA, RUA (real time user awareness) and much more. The ability to use estreamer to send your event/packet data to a correlation and/or aggregation solution is awesome instead of the usual standard syslog way, which does not pass payload.
You can also get those "really fast" signature releases with OSS Snort if you pay the VRT subscription. And you always have the community rules.
HTH,
Albert G.
--
Success comes to the person who does today, what you are thinking of doing tomorrow
-----Original Message-----
From: dxp <dxp2532 at gmail.com>
Sent: Wednesday, January 23, 2008 9:57 PM
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
Snort - excellent system, highly configurable, some management
complexity for large deployments.
SourceFire - removes the management complexity from open source Snort,
excellent support team behind the product, very fast signature
releases for critical vulnerabilities.
Cisco - too many false positives, they should stick to network gear
and not security unless they rebuild the whole team behind their IDS
product.
ISS - easy management in large deployments, closed signatures, late
signature releases, definitely not ahead of the threat, ability to
write custom signatures (snort like syntax) they call this feature
"OpenSignatures".
Dragon - ability to create custom signatures, import snort signatures.
Summary
--------------
Not too much hands on experience w/ Dragon so can't vouch for all
aspects. Snort is good for small deployments unless you're willing
to invest time into building a management framework for your large
environment. ISS is popular but I find it to be more and more
ineffective in the current threat landscape. SourceFire is not cheap
but it is definitely worth it, it can handle large traffic volume thus
a single sensor with tap aggregation can replace multiple
installations, plus it has many other features which are not available
for Snort such as anomaly detection, network environment profiling,
health checks, system policies....
---
dxp
On Jan 23, 2008 12:47 PM, Hammond, Stanley <shammond at capecod.edu> wrote:
> I have worked with Snort, Sourcefire, ISS Proventia and Cisco. I agree
> with you that the Cisco product never really lived up to a level that I
> would recommend it. Out of all four, I still find myself building Snort
> boxes. As Matt mentioned it is very customizable for whatever you need
> it to detect. Sourcefire (commercial Snort) is good as well, but the
> cost didn't make it a viable option for our organization. We could not
> justify the cost for a Snort box with a fancy GUI.
>
> Stan
>
>
> -----Original Message-----
> From: list-bounces at lists.dshield.org
> [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
> Sent: Wednesday, January 23, 2008 8:38 AM
> To: list at lists.dshield.org
> Subject: [Dshield] IPS/IDS solutions--your opinions?
>
> List,
>
> Would anyone mind discussing the pros and cons of IDS/IPS solutions
> you've used?
>
> I've been trained on several systems, the only one of which is current
> is McAfee's. They all had pros and cons but I liked Intrushield a lot,
> but for a few things--for instance, Cisco's product never impressed me,
> but you could always just run snoop when you saw something weird. I'm
> also not a huge fan of their all-in-wonder router/IDS gear but I haven't
> used it very much. I want to look into Sourcefire at some point this
> year as well.
>
> Any other thoughts?
>
> Best regards,
> Pete
>
>
>
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> north if you can be in New Orleans. http://www.sans.org/info/15826
>