[Dshield] DShield vs. Symantec

Chris Brenton cbrenton at chrisbrenton.org
Wed Jan 7 16:53:07 GMT 2004


On Wed, 2004-01-07 at 10:52, Pete Cap wrote:
> So, I've got this salesman from Symantec attempting to sell me (or, rather, the organization for which I work) a subscription to their DeepSight Threat Management System.

LOL! Yup, because its always better to pay for something rather than get
it free. ;-)

> For those of you who are not familar with DeepSight, basically Symantec's analysts take data from about 20k contributors in 180 countries (IDS logs, traffic data, etc.) and perform trend analysis (sound familiar?).  I suppose this question is directed mostly towards Johannes...as far as being a data source...how does dShield stack up against those numbers?

I can't speak to the "quantity", but I can tell you my experience with
the "quality" has not been that great. I've received a number of
"Warning your host has been compromised" messages from DS, and every one
of them has been a false positive. Some are *obviously* flat out wrong
and would have been caught if a human reviewed the data, and yet the
alerts go out anyway. 

Good example, I got one alert telling me I had an infected system
performing Code Red attacks against upper port numbers on their client's
systems. Hey wait a minute, I thought Code Red only attacks port 80? ;-)

And oh ya, they not only sent it to abuse@, they also sent it to my
upstream as well, without even giving me a chance to respond. Great, so
now I have to explain Code Red 101 basics to a help desk person at my
upstream so they know its a false positive and don't kill my access. :(

At least when Johannes sends out an alert he's reviewed the data first. 
;-)

HTH,
C





More information about the list mailing list