[Dshield] IPS/IDS solutions--your opinions?

Joel Esler joel.esler at sourcefire.com
Sun Jan 27 03:48:15 GMT 2008


Are you talking about our daisy-chained 5800's?  You can stack 3 of them.

J

On Jan 26, 2008, at 9:33 PM, Albert Gonzalez wrote:

> Oh that's great, thanks man. I know I was waiting for the IS5800X
> (stackable) but that never came to life. This is finally going to
> help me move away from a filtering device that spews it to various
> monitors.
>
> Thanks,
>
> --
> Success comes to the person who does today, what you are thinking of  
> doing tomorrow
>
> -----Original Message-----
> From: Joel Esler <eslerj at gmail.com>
> Sent: Friday, January 25, 2008 8:49 AM
> To: General DShield Discussion List <list at lists.dshield.org>
> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
>
> Actually Albert, we do 10 Gig now with our IS9800.  It's a monster of
> a machine.
>
> On Jan 24, 2008 7:06 AM, Albert Gonzalez <albertg at cerveau.us> wrote:
>
>> Another thing to mention: the Sourcefire appliances also have the
>> ability to monitor and parse up to 8gb/sec with their beefier boxes
>> (IS5800). Although I've also seen shops tune/modify OSS Snort to be
>> able to handle gb/s.
>>
>> It is so much more than just Snort with a fancy GUI. You have RNA,
>> RUA (real-time user awareness) and much more. The ability to use
>> eStreamer to send your event/packet data to a correlation and/or
>> aggregation solution is awesome, instead of the usual standard
>> syslog way which does not pass payload.
>>
>> You can also get those "really fast" signature releases with OSS
>> Snort if you pay for the VRT subscription. And you always have the
>> community rules.
>>
>> HTH,
>> Albert G.
>> --
>> Success comes to the person who does today, what you are thinking
>> of doing tomorrow
>>
>> -----Original Message-----
>> From: dxp <dxp2532 at gmail.com>
>> Sent: Wednesday, January 23, 2008 9:57 PM
>> To: General DShield Discussion List <list at lists.dshield.org>
>> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
>>
>> Snort - excellent system, highly configurable, some management
>> complexity for large deployments.
>>
>> SourceFire - removes the management complexity from open source
>> Snort, excellent support team behind the product, very fast signature
>> releases for critical vulnerabilities.
>>
>> Cisco - too many false positives, they should stick to network gear
>> and not security unless they rebuild the whole team behind their IDS
>> product.
>>
>> ISS - easy management in large deployments, closed signatures, late
>> signature releases, definitely not ahead of the threat, ability to
>> write custom signatures (snort like syntax) they call this feature
>> "OpenSignatures".
>>
>> Dragon - ability to create custom signatures, import snort  
>> signatures.
>>
>> Summary
>> --------------
>> Not too much hands-on experience w/ Dragon so can't vouch for all
>> aspects.  Snort is good for small deployments unless you're willing
>> to invest time into building a management framework for your large
>> environment.  ISS is popular but I find it to be more and more
>> ineffective in the current threat landscape.  SourceFire is not cheap
>> but it is definitely worth it; it can handle large traffic volume,
>> thus a single sensor with tap aggregation can replace multiple
>> installations, plus it has many other features which are not
>> available for Snort such as anomaly detection, network environment
>> profiling, health checks, system policies....
>>
>> ---
>> dxp
>>
>> On Jan 23, 2008 12:47 PM, Hammond, Stanley <shammond at capecod.edu> wrote:
>>> I have worked with Snort, Sourcefire, ISS Proventia and Cisco.  I
>>> agree with you that the Cisco product never really lived up to a
>>> level at which I would recommend it.  Out of all four, I still find
>>> myself building Snort boxes.  As Matt mentioned, it is very
>>> customizable for whatever you need it to detect.  Sourcefire
>>> (commercial Snort) is good as well, but the cost didn't make it a
>>> viable option for our organization.  We could not justify the cost
>>> for a Snort box with a fancy GUI.
>>>
>>> Stan
>>>
>>>
>>> -----Original Message-----
>>> From: list-bounces at lists.dshield.org
>>> [mailto:list-bounces at lists.dshield.org] On Behalf Of Pete Cap
>>> Sent: Wednesday, January 23, 2008 8:38 AM
>>> To: list at lists.dshield.org
>>> Subject: [Dshield] IPS/IDS solutions--your opinions?
>>>
>>> List,
>>>
>>> Would anyone mind discussing the pros and cons of IDS/IPS solutions
>>> you've used?
>>>
>>> I've been trained on several systems, the only one of which that is
>>> current is McAfee's.  They all had pros and cons, but I liked
>>> IntruShield a lot, but for a few things--for instance, Cisco's
>>> product never impressed me, but you could always just run snoop when
>>> you saw something weird.  I'm also not a huge fan of their
>>> all-in-wonder router/IDS gear but I haven't used it very much.  I
>>> want to look into Sourcefire at some point this year as well.
>>>
>>> Any other thoughts?
>>>
>>> Best regards,
>>> Pete
>>>
>>>
>>>
>>> _________________________________________
>>> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up
>>> north if you can be in New Orleans.  http://www.sans.org/info/15826
>>>
>>
>
>
>
> -- 
> --Joel Esler
> ISC Incident Handler
> http://www.joelesler.net
>


