[Dshield] IPS/IDS solutions--your opinions?
Pete Cap
peteoutside at yahoo.com
Mon Jan 28 19:38:59 GMT 2008
I still don't think that Snort is "easy" to manage. Albert is just very good at it.
Albert, for the price most would pay for a tech to manage the snort deployment, they probably couldn't afford someone like you.
Folks who can bust out perl or submit SQL queries or handle 200 sensors worldwide without the support of a large company are not all that common.
Best regards,
Pete
----- Original Message ----
From: Joel Esler <joel.esler at sourcefire.com>
To: Albert Gonzalez <albertg at cerveau.us>
Cc: General DShield Discussion List <list at lists.dshield.org>
Sent: Monday, January 28, 2008 4:18:15 PM
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
LDAP was in 4.6, but I see what you are saying. Very nice.
J
On Sun, Jan 27, 2008 at 03:14:26PM -0600, it looks like Albert Gonzalez
sent me:
> Without external authentication (LDAP) which
> was introduced in 4.7. The users that are added via the admingui. I
> just dump the users table and push it across.
>
> --
> Success comes to the person who does today, what you are thinking of
> doing tomorrow
>
> -----Original Message-----
> From: Joel Esler <joel.esler at sourcefire.com>
> Sent: Sunday, January 27, 2008 1:10 PM
> To: General DShield Discussion List <list at lists.dshield.org>
> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
>
> Albert,
>
> You mean the ability to push user accounts from the DC to the sensor?
>
> Joel
>
> On Jan 27, 2008, at 1:30 PM, Albert Gonzalez wrote:
>
> > Pete,
> >
> > I manage 200 snort sensors on a global deployment very easily.
> > Granted we paid for the appliances but the majority of my coverage
> > is with OSS snort sending alerts to a DC. SF backend is perl which
> > of course you can read and incorporate their modules into your
> > scripts if you need to.
> >
> > One of my issues with their mgmt was it didn't propagate users. Well
> > 15 lines of perl took care of that.
> >
> > HTH,
> > Albert
> > --
> > Success comes to the person who does today, what you are thinking of
> > doing tomorrow
> >
> > -----Original Message-----
> > From: Pete Cap <peteoutside at yahoo.com>
> > Sent: Wednesday, January 23, 2008 1:59 PM
> > To: General DShield Discussion List <list at lists.dshield.org>
> > Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
> >
> > -----
> > From: Albert R. Campa <abcampa at gmail.com>
> >
> >
> > ISS doesn't have open signatures, so I can't see why an event is
> > triggered and how it is set to trigger.
> >
> > Do most of you recommend an IDS/IPS that you can see the code behind
> > the alert?
> > -----
> >
> > In my experience this has been the #1 beef with every solution:
> > Every customer at some point wants to write their own signatures,
> > and the best they get is a half-assed signature builder GUI of some
> > kind. This has been true of older products (Symantec, Cisco) as
> > well as newer ones (McAfee) so it seems as if none of the vendors
> > are getting the hint.
> >
> > Talking to them at trade shows, I get the impression most of them
> > don't even support basic regex...or else they have their own weird
> > "syntax" that is somehow proprietary.
> >
> > I love Snort but in my experience it doesn't scale well. Managing
> > 150 Intrushield sensors is easy. Managing 150 Snort boxes...not so
> > much.
> >
> > --Pete
> >
> > _________________________________________
> > SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze
> > up north if you can be in New Orleans. http://www.sans.org/info/15826
-----
joel esler
828A A216 6D95 A6BB B386 54F3 ACE3 B833 5F51 4902