Focus on IDS
10gb Jul 21 2010 12:53AM
scott securelabs net (2 replies)
Re: 10gb Jul 21 2010 06:32PM
Curt Purdy (infosysec gmail com) (1 replies)
RE: 10gb Jul 22 2010 12:42AM
Scott Sattler (Scott Securelabs net) (1 replies)
3Com, there is a clear winner in strategic maneuvering....so much for
tipping point.

Sourcefire leaves a lot of room for improvement in ruleset and traffic
identification. I thought the whole snort thing was the greatest until I
worked with ISS and some other vendors.

Not to mention that if you are an IDS analyst managing large diverse global
companies or agencies, or military...have fun with that fun web
interface.....(sure you send it all to a magic SIEM so who cares....right
that works REALLY well......)and I do admit, ISS can be slow pulling up
events once in a while but that sounds like a tuning problem on someone's
end.... I normally find I can drill down and deal with events much quicker
and have a higher "find rate" of unwanted activity with ISS. I do not want
to write rules in sourcefire that should already exist. There are such gaps
in detection of unwanted traffic, in fact, I sure would love someone to post
a side by side comparison of signatures detected. I am familiar with the
signatures from sourcefire and ISS and to ME, there is a HUGE Disparity in
what is identified. I deal with traffic from 40-60 countries daily and I
have used both products and I know which one finds a lot more (making me
book high numbers of CSIRT tickets and making me look like a rock star)

Although with Palo Alto and Checkpoint having a nice application detection
capability, who really needs an IDS/IPS anymore......Rock on Palo Alto....

Scott.

-----Original Message-----
From: Curt Purdy [mailto:infosysec (at) gmail (dot) com]
Sent: Wednesday, July 21, 2010 2:32 PM
To: scott (at) securelabs (dot) net
Cc: focus-ids (at) securityfocus (dot) com
Subject: Re: 10gb

Yes, Proventia & Realsecure have always been my favorite, though I have
looked longingly at Tipping Point (at least until they were acquired by 3com
then HP) of course even ISS is now pwned by IBM ;)

Proventia caught the serverRPC worm while it was still a 0-day (confirmed by
Symantec) when it had taken out 10 servers and would have taken out the
other 450 windoze servers before the day was out.
Though the 150 *NIX servers would have still been running fine of course, even
though the network would have been down with all the windoze servers
yakking...

But any IDS/IPS is going to have a lot of false-positives, which is why,
most of the time I feed it straight into a SIM for correlation and just
watch that dashboard.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA infosysec (at) gmail (dot) com
purdy (at) tecman (dot) com

On Tue, Jul 20, 2010 at 8:53 PM, <scott (at) securelabs (dot) net> wrote:
> sourcefire?
>
>
> really?
>
> in a production network.....ask them how their 9800 sensor works
> inline....*snicker*
>
>
> I was stuck using sourcefire for the last two clients. I so miss ISS.....
>


Copyright 2010, SecurityFocus