[Dshield] IPS/IDS solutions--your opinions?

Joel Esler eslerj at gmail.com
Fri Jan 25 14:51:06 GMT 2008


Disclaimer:  I work for Sourcefire

This is exactly what Sourcefire was started for.  Snort is the standard in
IDS, but it can be cumbersome to manage.  Sourcefire was founded on the
premise of 'making Snort sensors manageable'.  Now Sourcefire's Snort sensors
are appliance based, have excellent consoles (IMHO), but we have other
software as well (RNA, RUA, etc.) that really make up the difference.
Joel

On Jan 23, 2008 2:59 PM, Pete Cap <peteoutside at yahoo.com> wrote:

> -----
> From: Albert R. Campa <abcampa at gmail.com>
>
>
> ISS doesn't have open signatures, so I can't see why an event is
> triggered and how it is set to trigger.
>
> Do most of you recommend an IDS/IPS where you can see the code behind
> the alert?
> -----
>
> In my experience this has been the #1 beef with every solution:
> Every customer at some point wants to write their own signatures, and the
> best they get is a half-assed signature builder GUI of some kind.  This has
> been true of older products (Symantec, Cisco) as well as newer ones (McAfee),
> so it seems as if none of the vendors are getting the hint.
>
> Talking to them at trade shows, I get the impression most of them don't
> even support basic regex...or else they have their own weird "syntax" that
> is somehow proprietary.
>
> I love Snort but in my experience it doesn't scale well.  Managing 150
> Intrushield sensors is easy.  Managing 150 Snort boxes...not so much.
>
> --Pete



-- 
--Joel Esler
ISC Incident Handler
http://www.joelesler.net
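As an added illustration of the "see the code behind the alert" point raised in the thread (this is example code, not part of the original post or of any vendor's product): a small Python evaluator for a rule written in Snort syntax that reports, option by option, which `content` and `pcre` tests matched a payload. The rule, the HTTP payloads, and the sid are constructed for the example; only `content` and `pcre` options are evaluated, and Snort's `|hex|` content escapes and other modifiers are not handled.

```python
import re

# Constructed sample rule in Snort syntax (not from the original thread).
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"EXAMPLE directory traversal in URI"; '
    'flow:to_server,established; content:"GET "; '
    r'pcre:"/(\.\.\/){2,}/"; sid:1000001; rev:1;)'
)

# Constructed HTTP requests: one that should fire the rule, one that should not.
HIT = b"GET /images/../../../etc/passwd HTTP/1.1\r\nHost: example.test\r\n\r\n"
MISS = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"


def parse_rule(rule):
    """Split a Snort rule into its header fields and an ordered list of options."""
    header, _, body = rule.partition("(")
    action, proto, src, sport, direction, dst, dport = header.split()
    options = []
    for opt in filter(None, (o.strip() for o in body.rstrip(")").split(";"))):
        key, _, value = opt.partition(":")
        options.append((key, value.strip().strip('"')))
    return {"action": action, "proto": proto, "dst_port": dport, "options": options}


def explain_match(rule, payload):
    """Evaluate every content/pcre option against the payload.

    Returns (alert_fired, [(option_text, matched), ...]) so an analyst can see
    exactly which part of an open signature did or did not match, which is
    what a closed-signature product cannot show.
    """
    results = []
    for key, value in parse_rule(rule)["options"]:
        if key == "content":
            results.append((f'content:"{value}"', value.encode() in payload))
        elif key == "pcre":
            m = re.fullmatch(r"/(.*)/([a-z]*)", value)
            if m is None:
                raise ValueError(f"malformed pcre option: {value}")
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            hit = re.search(m.group(1).encode(), payload, flags) is not None
            results.append((f'pcre:"{value}"', hit))
    fired = bool(results) and all(matched for _, matched in results)
    return fired, results


if __name__ == "__main__":
    for name, payload in (("HIT", HIT), ("MISS", MISS)):
        fired, results = explain_match(SAMPLE_RULE, payload)
        print(name, "-> alert" if fired else "-> no alert", results)
```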