[unisog] IDS Recommendations

Jordan Wiens jwiens at nersp.nerdc.ufl.edu
Tue Dec 23 22:14:35 GMT 2003


On Mon, 22 Dec 2003, Stauffacher, John wrote:

> I have been tasked with evaluating commercial IDS systems (our snort
> array is nice but does not have the "blinky" factor that management
> loves). So what are other people using and how well does it work? I am
> looking (obviously) for a system that will give me fewer false positives
> than false negatives. I also am looking for something that allows custom
> rule sets and updatable rule sets (so leave out the IDS feature of the
> CISCO Pix, I know it's there, I use it - it's just weak). I am also
> looking for something that is, as management says, "future proof", i.e.
> it must have interchangeable NICs, and some sort of scalability.

We've used Dragon with great success for a long time now (since before
Enterasys purchased it).  It has all the features above, and we've grown
very used to it.  The openness of the product is one of its strengths.
There are some disadvantages to it (based on an older architecture,
software based so can't handle the highest of loads, relies more heavily
on signatures than anomaly -- though in many respects, I consider this a
strength), but all in all, it's an effective and powerful IDS.

-- 
Jordan Wiens, CISSP
UF Network Incident Response Team
(352)392-2061
