[Dshield] IPS/IDS solutions--your opinions?
Varine, Brian R SFC NG NG
brian.varine at us.army.mil
Tue Jan 29 01:37:31 GMT 2008
I love Snort but I don't have time to write Perl scripts and hack out unique fixes. Sourcefire and others are great because no one spends enough on people to really do what you need. That means I need to get something that an analyst can take care of and if it's too big for them, they can get help from dedicated enterprise IT types. It'd be great if I could find a team of 5 that knows how to fly an IDS, react to incidents, and be a whiz at Perl for the price most clients are willing to pay. Even then, with turnover being what it is, can I expect the next guy to really understand what the previous guy has done with his Perl scripts? Probably not.
----- Original Message -----
From: Joel Esler <joel.esler at sourcefire.com>
Date: Monday, January 28, 2008 18:49
Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
To: General DShield Discussion List <list at lists.dshield.org>
> Pete,
>
> As I said before, that's exactly why Sourcefire was founded. Snort sensors, if you don't know what you are doing, can be a bit to manage. Sourcefire made the ability easy, plus integrating a lot of other technology to complement Snort and to make the analysts' and network's job easier and more secure.
>
> Sorry, but I don't want my company or what sounds like a sales pitch to dominate the list. If anyone would like to talk about Sourcefire, please feel free to contact me.
>
> Joel
>
>
> On Jan 28, 2008, at 2:38 PM, Pete Cap wrote:
>
> > I still don't think that Snort is "easy" to manage. Albert is just very good at it.
> >
> > Albert, for the price most would pay for a tech to manage the snort deployment, they probably couldn't afford someone like you. Folks who can bust out perl or submit SQL queries or handle 200 sensors worldwide without the support of a large company are not all that common.
> >
> > Best regards,
> > Pete
> >
> > ----- Original Message ----
> > From: Joel Esler <joel.esler at sourcefire.com>
> > To: Albert Gonzalez <albertg at cerveau.us>
> > Cc: General DShield Discussion List <list at lists.dshield.org>
> > Sent: Monday, January 28, 2008 4:18:15 PM
> > Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
> >
> >
> > LDAP was in 4.6, but I see what you are saying. Very nice.
> >
> > J
> >
> >
> > On Sun, Jan 27, 2008 at 03:14:26PM -0600, it looks like Albert Gonzalez sent me:
> >> Without external authentication (LDAP), which was introduced in 4.7, the users that are added via the admingui, I just dump the users table and push it across.
> >>
> >> --
> >> Success comes to the person who does today, what you are thinking of doing tomorrow
> >>
> >> -----Original Message-----
> >> From: Joel Esler <joel.esler at sourcefire.com>
> >> Sent: Sunday, January 27, 2008 1:10 PM
> >> To: General DShield Discussion List <list at lists.dshield.org>
> >> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
> >>
> >> Albert,
> >>
> >> You mean the ability to push user accounts from the DC to the sensor?
> >>
> >> Joel
> >>
> >> On Jan 27, 2008, at 1:30 PM, Albert Gonzalez wrote:
> >>
> >>> Pete,
> >>>
> >>> I manage 200 snort sensors on a global deployment very easily. Granted we paid for the appliances but the majority of my coverage is with OSS snort sending alerts to a DC. SF backend is perl which of course you can read and incorporate their modules into your scripts if you need to.
> >>>
> >>> One of my issues with their mgmt was it didn't propagate users. Well 15 lines of perl took care of that.
> >>>
> >>> HTH,
> >>> Albert
> >>> --
> >>> Success comes to the person who does today, what you are thinking of doing tomorrow
> >>>
> >>> -----Original Message-----
> >>> From: Pete Cap <peteoutside at yahoo.com>
> >>> Sent: Wednesday, January 23, 2008 1:59 PM
> >>> To: General DShield Discussion List <list at lists.dshield.org>
> >>> Subject: Re: [Dshield] IPS/IDS solutions--your opinions?
> >>>
> >>> -----
> >>> From: Albert R. Campa <abcampa at gmail.com>
> >>>
> >>>
> >>> ISS doesn't have open signatures, so I can't see why an event is triggered and how it is set to trigger.
> >>>
> >>> Do most of you recommend an IDS/IPS that you can see the code behind the alert?
> >>> -----
> >>>
> >>> In my experience this has been the #1 beef with every solution: Every customer at some point wants to write their own signatures, and the best they get is a half-assed signature builder GUI of some kind. This has been true of older products (Symantec, Cisco) as well as newer ones (McAfee) so it seems as if none of the vendors are getting the hint.
> >>>
> >>> Talking to them at trade shows, I get the impression most of them don't even support basic regex...or else they have their own weird "syntax" that is somehow proprietary.
> >>>
> >>> I love Snort but in my experience it doesn't scale well. Managing 150 Intrushield sensors is easy. Managing 150 Snort boxes...not so much.
> >>>
> >>> --Pete
> >>> _________________________________________
> >>> SANS Security 2008 in New Orleans!! January 11-19 2008. Why freeze up north if you can be in New Orleans.
> >>> http://www.sans.org/info/15826
> > -----
> > joel esler
> > 828A A216 6D95 A6BB B386 54F3 ACE3 B833 5F51 4902