[Dshield] IPS/IDS solutions--your opinions?

Albert Gonzalez albertg at cerveau.us
Sun Jan 27 02:33:36 GMT 2008


Oh that's great, thanks man. I know I was waiting for the IS5800X (stackable) but that never came to life. This is finally going to help me move away from a filtering device that spews it to various monitors.

Thanks,

--
Success comes to the person who does today, what you are thinking of doing tomorrow 

-----Original Message-----
From: Joel Esler <eslerj at gmail.com>
Sent: Friday, January 25, 2008 8:49 AM
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?

Actually Albert, we do 10 Gig now with our IS9800.  It's a monster of a
machine.

On Jan 24, 2008 7:06 AM, Albert Gonzalez <albertg at cerveau.us> wrote:

> Another thing to mention: the Sourcefire appliances also have the ability
> to monitor and parse up to 8gb/sec with their beefier boxes (IS5800).
> Although I've also seen shops tune/modify OSS Snort to be able to handle gb/s.
>
> It is so much more than just Snort with a fancy GUI. You have RNA, RUA (real
> time user awareness) and much more. The ability to use eStreamer to send your
> event/packet data to a correlation and/or aggregation solution is awesome
> instead of the usual standard syslog way, which does not pass payload.
>
> You can also get those "really fast" signatures releases with OSS Snort if
> you pay the VRT subscription. And you always have the community rules.
>
> HTH,
> Albert G.
> --
> Success comes to the person who does today, what you are thinking of doing
> tomorrow
>
> -----Original Message-----
> From: dxp <dxp2532 at gmail.com>
> Sent: Wednesday, January 23, 2008 9:57 PM
> To: General DShield Discussion List <list at lists.dshield.org>
> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
>
> Snort - excellent system, highly configurable, some management
> complexity for large deployments.
>
> SourceFire - removes the management complexity from open source Snort,
> excellent support team behind the product, very fast signature
> releases for critical vulnerabilities.
>
> Cisco - too many false positives, they should stick to network gear
> and not security unless they rebuild the whole team behind their IDS
> product.
>
> ISS - easy management in large deployments, closed signatures, late
> signature releases, definitely not ahead of the threat, ability to
> write custom signatures (snort like syntax) they call this feature
> "OpenSignatures".
>
> Dragon - ability to create custom signatures, import snort signatures.
>
> Summary
> --------------
> Not too much hands on experience w/ Dragon so can't vouch for all
> aspects.  Snort is good for small deployments unless you're willing
> to invest time into building a management framework for your large
> environment.  ISS is popular but I find it to be more and more
> ineffective in the current threat landscape.  SourceFire is not cheap
> but it is definitely worth it, it can handle large traffic volume thus
> a single sensor with tap aggregation can replace multiple
> installations, plus it has many other features which are not available
> for Snort such as anomaly detection, network environment profiling,
> health checks, system policies....
>
> ---
> dxp
>
> On Jan 23, 2008 12:47 PM, Hammond, Stanley <shammond at capecod.edu> wrote:
> > I have worked with Snort, Sourcefire, ISS Proventia and Cisco.  I agree
> > with you that the Cisco product never really lived up to a level that I
> > would recommend it.  Out of all four, I still find myself building Snort
> > boxes.  As Matt mentioned it is very customizable for whatever you need
> > it to detect.  Sourcefire (commercial Snort) is good as well, but the
> > cost didn't make it a viable option for our organization.  We could not
> > justify the cost for a Snort box with a fancy GUI.
> >
> > Stan
> >
> >
> > -----Original Message-----
> > From: list-bounces at lists.dshield.org
> > [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
> > Sent: Wednesday, January 23, 2008 8:38 AM
> > To: list at lists.dshield.org
> > Subject: [Dshield] IPS/IDS solutions--your opinions?
> >
> > List,
> >
> > Would anyone mind discussing the pros and cons of IDS/IPS solutions
> > you've used?
> >
> > I've been trained on several systems, the only one of which is current
> > is McAfee's.  They all had pros and cons but I liked Intrushield a lot,
> > but for a few things--for instance, Cisco's product never impressed me,
> > but you could always just run snoop when you saw something weird.  I'm
> > also not a huge fan of their all-in-wonder router/IDS gear but I haven't
> > used it very much.  I want to look into Sourcefire at some point this
> > year as well.
> >
> > Any other thoughts?
> >
> > Best regards,
> > Pete
> >
> >
> >
> > _________________________________________
> > SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
> > north if you can be in New Orleans.  http://www.sans.org/info/15826
> >
>
>
>
>



-- 
--Joel Esler
ISC Incident Handler
http://www.joelesler.net