Focus on IDS
IDS/IPS system with Foundry sFlow Apr 21 2008 07:42PM
Security Group (secgro gmail com) (3 replies)
RE: IDS/IPS system with Foundry sFlow Apr 22 2008 10:56PM
Otis DuPont (odoggz rcn com)
Re: IDS/IPS system with Foundry sFlow Apr 22 2008 07:58PM
Adam Powers (apowers lancope com)
Re: IDS/IPS system with Foundry sFlow Apr 22 2008 06:18PM
Martin Roesch (roesch sourcefire com) (3 replies)
RE: IDS/IPS system with Foundry sFlow Apr 23 2008 01:44PM
Monk, Scott (MonkScott bfusa com) (1 replies)
Re: IDS/IPS system with Foundry sFlow Apr 25 2008 07:09PM
Martin Roesch (roesch sourcefire com) (1 replies)
RE: IDS/IPS system with Foundry sFlow Apr 25 2008 07:18PM
Monk, Scott (MonkScott bfusa com)
Re: IDS/IPS system with Foundry sFlow Apr 22 2008 08:18PM
Adam Powers (apowers lancope com)

I have seen snort sFlow integrations done a few times with varying
degrees of success. Definitely worth exploring as it doesn't cost ya much
other than your time. Problems with sample rates and TCP state are the
biggest barriers for serious content inspection.

1 in 128 is about the lowest most vendors recommend, and even at that low
sample rate you're already at 99%+ packet loss from snort's perspective.
Specially tuned sigs can be crafted to deal with the sparse content, but I'm
not sure how many others exist. I'm sure Marty can comment.

BTW: Snort syslog can be fed into the StealthWatch sFlow collector for
contextual reporting and event association.

On 4/22/08 2:18 PM, "Martin Roesch" <roesch (at) sourcefire (dot) com> wrote:

> When you say "with sFlow" do you mean analyze the sFlow records or
> analyze the packets on the wire and correlate it with the sFlow data?
>
> --
> Sent from my iPhone
>
> On Apr 21, 2008, at 3:42 PM, "Security Group" <secgro (at) gmail (dot) com> wrote:
>
>> Hello,
>>
>> We have a network with embedded support for sFlow technology.
>> We also want to have a good IDS/IPS system. Does anyone know a good
>> setup with our Foundry?
>>
>> We noticed that Foundry has its own application called "IronView
>> Network Manager"; it is able to operate with snort. Does anyone know
>> if this is a good solution? Or should we use an sFlow converter (e.g.
>> InMon sFlow toolkit) that can work with snort?
>>
>> What are the other possibilities for IDS/IPS besides snort? It has to
>> operate with the sFlow technology.
>>
>> Kind regards,
>>
>> Babel Timo
>>
>> ---
>> ---------------------------------------------------------------------
>> Test Your IDS
>>
>> Is your IDS deployed correctly?
>> Find out quickly and easily by testing it
>> with real-world attacks from CORE IMPACT.
>> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
>> to learn more.
>> ---
>> ---------------------------------------------------------------------
>>
>


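To make the sample-rate point above concrete, here is an added example (not code from the thread, the sFlow toolkit or Snort): a minimal parser for the sFlow v5 datagram layout that pulls the raw packet-header flow samples an IDS would be fed, and a helper that turns the advertised sampling rate into the fraction of packets the IDS actually sees. The datagram, agent address 10.0.0.1 and header bytes are constructed inline; only IPv4 agents and the flow-sample/raw-header record formats are handled.

```python
import struct
from typing import Dict, List, Tuple

def _u32s(buf: bytes, off: int, n: int) -> Tuple[tuple, int]:
    """Read n big-endian unsigned 32-bit words at off; return (values, new offset)."""
    return struct.unpack_from("!%dI" % n, buf, off), off + 4 * n

def parse_sflow_v5(dgram: bytes) -> List[Dict]:
    """Return one dict per raw-packet-header record found in flow samples (format 1)."""
    (version, addr_type), off = _u32s(dgram, 0, 2)
    if version != 5 or addr_type != 1:          # only sFlow v5 with an IPv4 agent address
        raise ValueError("unsupported sFlow datagram")
    agent = ".".join(str(b) for b in dgram[off:off + 4]); off += 4
    (_sub_agent, _seq, _uptime, nsamples), off = _u32s(dgram, off, 4)
    out = []
    for _ in range(nsamples):
        (fmt, length), off = _u32s(dgram, off, 2)   # enterprise<<12 | format, then length
        body, off = dgram[off:off + length], off + length
        if fmt != 1:                                 # 1 = flow sample (counter samples are 2)
            continue
        (_seq, _src, rate, pool, _drops, _ifin, _ifout, nrec), p = _u32s(body, 0, 8)
        for _ in range(nrec):
            (rfmt, rlen), p = _u32s(body, p, 2)
            rec, p = body[p:p + rlen], p + rlen
            if rfmt != 1:                            # 1 = raw packet header record
                continue
            (_proto, frame_len, _stripped, hdr_len), q = _u32s(rec, 0, 4)
            out.append({"agent": agent, "sampling_rate": rate, "sample_pool": pool,
                        "frame_length": frame_len, "header": rec[q:q + hdr_len]})
    return out

def visibility(sampling_rate: int, packets_needed: int = 1) -> float:
    """Probability that all packets_needed packets of one flow are sampled at 1:rate."""
    return (1.0 / sampling_rate) ** packets_needed

def build_sample_datagram() -> bytes:
    """Constructed datagram: one flow sample at 1-in-128 carrying a 16-byte raw header."""
    hdr = bytes.fromhex("ffffffffffff00112233445508004500")   # fake Ethernet + start of IPv4
    rec = struct.pack("!4I", 1, 1514, 4, len(hdr)) + hdr         # proto=ethernet, frame 1514
    flow = (struct.pack("!8I", 7, 3, 128, 128 * 7, 0, 3, 5, 1)   # rate=128, one record
            + struct.pack("!2I", 1, len(rec)) + rec)
    return (struct.pack("!2I", 5, 1) + bytes([10, 0, 0, 1])      # v5, IPv4 agent 10.0.0.1
            + struct.pack("!4I", 0, 42, 123456, 1)               # sub-agent, seq, uptime, 1 sample
            + struct.pack("!2I", 1, len(flow)) + flow)

if __name__ == "__main__":
    for s in parse_sflow_v5(build_sample_datagram()):
        r = s["sampling_rate"]
        print("agent %s rate 1:%d -> IDS misses %.1f%% of packets; P(3-packet match) = %.2e"
              % (s["agent"], r, 100 * (1 - visibility(r)), visibility(r, 3)))
```

At 1:128 the IDS misses 99.2% of packets, and a content match that needs three consecutive packets of one stream is seen with probability (1/128)^3, which is why stream reassembly is effectively off the table.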
RE: IDS/IPS system with Foundry sFlow Apr 22 2008 07:48PM
Adamo, Alfonso (Alfonso Adamo peelregion ca)
Copyright 2008, SecurityFocus