[Dshield] IPS/IDS solutions--your opinions?

Hammond, Stanley shammond at capecod.edu
Fri Jan 25 12:48:36 GMT 2008


I will agree and re-phrase my statement.  Sourcefire is an excellent
product which does make it easier to deploy and manage than open source
Snort.  I have used Sourcefire before and actually recommended this
solution to one of my employers.  However, unless you are a large
enterprise or have an unlimited budget, Sourcefire is expensive to
implement, and this implementation does not include RNA or RUA.  If I had
the budget I would implement a Sourcefire solution.  Since I don't, I
prefer to implement open source Snort, Oinkmaster and Prelude-IDS using
VRT Certified Rules and rules from Emerging Threats.

Stan

-----Original Message-----
From: list-bounces at lists.dshield.org
[mailto:list-bounces at lists.dshield.org] On Behalf Of Albert Gonzalez
Sent: Thursday, January 24, 2008 7:07 AM
To: General DShield Discussion List
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?

Another thing to mention: the Sourcefire appliances also have the ability
to monitor and parse up to 8 Gb/sec with their beefier boxes (IS5800).
Although I've also seen shops tune/modify OSS Snort to be able to handle
Gb/s.

It is so much more than just Snort with a fancy GUI. You have RNA, RUA
(real time user awareness) and much more. The ability to use estreamer to
send your event/packet data to a correlation and/or aggregation solution
is awesome, instead of the usual standard syslog way, which does not pass
payload.

You can also get those "really fast" signature releases with OSS Snort
if you pay for the VRT subscription. And you always have the community
rules.

HTH,
Albert G.
--
Success comes to the person who does today, what you are thinking of
doing tomorrow

-----Original Message-----
From: dxp <dxp2532 at gmail.com>
Sent: Wednesday, January 23, 2008 9:57 PM
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?

Snort - excellent system, highly configurable, some management
complexity for large deployments.

SourceFire - removes the management complexity from open source Snort,
excellent support team behind the product, very fast signature
releases for critical vulnerabilities.

Cisco - too many false positives, they should stick to network gear
and not security unless they rebuild the whole team behind their IDS
product.

ISS - easy management in large deployments, closed signatures, late
signature releases, definitely not ahead of the threat, ability to
write custom signatures (snort like syntax) they call this feature
"OpenSignatures".

Dragon - ability to create custom signatures, import snort signatures.
