[unisog] IDS Recommendations

Geoff Poer gpoer at arizona.edu
Mon Dec 22 20:39:21 GMT 2003

Hi John,
	We are running Cisco Secure IDS on the edge and Sourcefire
(commercial Snort) on the inside. 

	The Sourcefire product is making leaps and bounds as to what
they can do and are really focusing on correlation. They also have a
product called RNA which does passive OS detection, passive VA, topology
discovery and they plan on tying it all into their management console.
All in all it is very cool. We have had some problems with filling up
the disk on the Management Console; however, they now have a larger
Console that we think will toe the line. 

	The Cisco product ties into VMS (CiscoWorks); however, we have
not done much with VMS. We built our own database to hold the
information and we are trying to build our own correlation reports out
of freeware tools like P0F and Netflow. 

	Both products work great; however (IMHO), Sourcefire is pushing
correlation further and faster than the other IDS vendors. Correlation
may not reduce false positives but it will produce more meaningful
reporting. In the university environment (as we all know) traffic
protocols and patterns are diverse and even a little scary :). Getting
past false positives can come from a great deal of tuning and constant
adjustment, where correlated reporting gives us the ability to spot the
problems (false positives included). Just because it is a false positive
doesn't mean it is useless information!

If you want more info on what we are doing here feel free to email me.


-----Original Message-----
From: Stauffacher, John [mailto:stauffacher at chapman.edu] 
Sent: Monday, December 22, 2003 11:42 AM
To: unisog at sans.org
Subject: [unisog] IDS Recommendations



I have been tasked with evaluating commercial IDS systems (our snort
array is nice but does not have the "blinky" factor that management
loves). So what are other people using and how well does it work? I am
looking (obviously) for a system that will give me fewer false positives
than false negatives. I also am looking for something that allows custom
rule sets and updatable rule sets (so leave out the IDS feature of the
CISCO Pix, I know it's there, I use it - it's just weak). I am also
looking for something that is, as management says, "future proof", i.e.
it must have interchangeable NICs, and some sort of scalability.




-John Stauffacher

Network Administrator

Chapman University


stauffacher at nospam.chapman.edu
