[Dshield] IPS/IDS solutions--your opinions?
Albert Gonzalez
albertg at cerveau.us
Sun Jan 27 21:14:26 GMT 2008
Without external authentication (LDAP), which was introduced in 4.7. The users that are added via the admingui. I just dump the users table and push it across.
--
Success comes to the person who does today, what you are thinking of doing tomorrow
-----Original Message-----
From: Joel Esler <joel.esler at sourcefire.com>
Sent: Sunday, January 27, 2008 1:10 PM
To: General DShield Discussion List <list at lists.dshield.org>
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
Albert,
You mean the ability to push user accounts from the DC to the sensor?
Joel
On Jan 27, 2008, at 1:30 PM, Albert Gonzalez wrote:
> Pete,
>
> I manage 200 snort sensors on a global deployment very easily.
> Granted we paid for the appliances but the majority of my coverage
> is with OSS snort sending alerts to a DC. SF backend is perl which
> of course you can read and incorporate their modules into your
> scripts if you need to.
>
> One of my issues with their mgmt was it didn't propagate users. Well
> 15 lines of perl took care of that.
>
> HTH,
> Albert
> --
> Success comes to the person who does today, what you are thinking of
> doing tomorrow
>
> -----Original Message-----
> From: Pete Cap <peteoutside at yahoo.com>
> Sent: Wednesday, January 23, 2008 1:59 PM
> To: General DShield Discussion List <list at lists.dshield.org>
> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
>
> -----
> From: Albert R. Campa <abcampa at gmail.com>
>
>
> ISS doesn't have open signatures, so I can't see why an event is
> triggered and how it is set to trigger.
>
> Do most of you recommend an IDS/IPS that you can see the code behind
> the alert?
> -----
>
> In my experience this has been the #1 beef with every solution:
> Every customer at some point wants to write their own signatures,
> and the best they get is a half-assed signature builder GUI of some
> kind. This has been true of older products (Symantec, Cisco) as
> well as newer ones (McAfee) so it seems as if none of the vendors
> are getting the hint.
>
> Talking to them at trade shows, I get the impression most of them
> don't even support basic regex...or else they have their own weird
> "syntax" that is somehow proprietary.
>
> I love Snort but in my experience it doesn't scale well. Managing
> 150 Intrushield sensors is easy. Managing 150 Snort boxes...not so
> much.
>
> --Pete
>
> _________________________________________
> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze
> up north if you can be in New Orleans. http://www.sans.org/info/15826