Re: [fw-wiz] IDS or Intrusion Prevention Systems

From: Ali Saifullah Khan
Date: 11/02/02

From: "Ali Saifullah Khan" <>
To: <>
Date: Sat Nov  2 16:22:01 2002

Salutations !

If it's a simple answer you want, go with SNORT.

Good references on IDS can be found by a simple Google search, or a look at the
articles posted at Securityfocus.

Mind you! I'm stating this only if it's a SIMPLE suggestion you require.
Otherwise, going with what Paul has said would be a good idea.

Hope this helps.

Ali Saifullah Khan,

Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C

----- Original Message -----
From: Paul D. Robertson <>
To: Walter Ludwig <>
Cc: <>
Sent: Sunday, October 27, 2002 8:11 PM
Subject: Re: [fw-wiz] IDS or Intrusion Prevention Systems

> On Sun, 27 Oct 2002, Walter Ludwig wrote:
> > Hello to all,
> >
> > I'm looking for an IDS or Intrusion Prevention System to use in our
> > office. I have no idea which ones are good and effective and which ones
> > are not. Additionally, I have to write an exam in our school about this
> For the record, posts just naming IDS systems won't be approved, posts
> with actually useful content may.
> IDS systems are relatively immature, so there's no blanket "good and
> effective" rubber chicken that can be waved over them. All of them have
> strengths and weaknesses. Testing IDS products is incredibly difficult to
> do well. ICSA Labs has just started to test and certify products[1],
> setting up a common testbed with the right mix of legitimate traffic,
> false, but potentially "bad looking" traffic, and the infrastructure to
> do all that takes a lot of time.
> > topic. This exam is the last one and therefore very hard. Can you help
> > me?
> If you have to *write* the exam, I'd suggest looking at Northcutt's books
> on IDS, there's one on IDS in general, and one on writing rules.
> > Which products are good and why? Which one do you prefer and recommend
> Just like firewalls, which one you choose has more to do with what kind of
> environment you plan on putting it in, and what kind of policy you're
> attempting to enforce with it than "which product is best" because they all
> fit different scenarios differently. You can't just "Go get the blue one"
> because, like when you buy a vehicle, there are different purposes filled
> with different ones. Ferraris aren't better than minivans when the goal
> is to take a family of six out to dinner.
> You'd probably be much better served spending some significant time
> thinking about what sorts of things might change which IDS you chose, or
> which evaluation criteria might be interesting for different IDS
> deployments, or maybe even back at "what could possibly make one
> deployment different from another?"
> > and how easy are they to administrate? Pros and Cons of different
> > products? Where can I find additional information? Do you know Okena and
> > their products ("StormWatch", ...)? Are they better (Prevention System)
> > than common IDSs? When you use an IDS, what additional software are you
> > using (File Integrity,...)? What will be the most secure solution?
> People have already commented on the "intrusion prevention" buzzword and
> what utility it has in the market, so I won't reiterate that here.
> The most secure solution is to have systems that don't have exploitable
> bugs exposed to other systems. IDS and "intrusion prevention" don't touch
> that piece of the puzzle.
> Paul
> [1] Disclaimer: I work for TruSecure, ICSA Labs is an independent
> division, and I've been slightly involved in the IDS testing program.
> --------------------------------------------------------------------------
> Paul D. Robertson      "My statements in this message are personal
>      which may have no basis whatsoever in fact."
> Director of Risk Assessment TruSecure Corporation
> _______________________________________________
> firewall-wizards mailing list
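Paul's point that IDS testing needs "the right mix of legitimate traffic" and "false, but potentially bad-looking traffic" is easy to illustrate with numbers. The following is an added example, not code from the thread, Snort, or ICSA Labs: a toy signature matcher scored against a constructed, hand-labelled corpus. The signatures, the request strings and the labels are all made up for the illustration; the metrics are the standard ones (detection rate, false positive rate, precision).

```python
"""Toy evaluation of a signature-based IDS against a labelled traffic mix.

Added example (hypothetical signatures and constructed traffic); it shows why
a test corpus that contains only attacks overstates how good a ruleset is.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    payload: str      # one request, as the sensor would see it (constructed)
    malicious: bool   # ground-truth label assigned by hand for the test set


# Hypothetical signatures in the spirit of classic HTTP rules: name -> pattern.
SIGNATURES = {
    "cmd_exe": re.compile(r"cmd\.exe", re.IGNORECASE),
    "dotdot": re.compile(r"\.\./"),
    "etc_passwd": re.compile(r"/etc/passwd"),
    "sql_comment": re.compile(r"'\s*--"),
}


def detect(payload):
    """Return the sorted names of every signature that fires on one payload."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(payload))


def evaluate(flows):
    """Confusion counts plus the rates an evaluator would report.

    Any signature hit counts as an alert. Rates are 0.0 when undefined, which
    is exactly what happens to the false positive rate on an attacks-only corpus.
    """
    tp = fp = tn = fn = 0
    for flow in flows:
        alerted = bool(detect(flow.payload))
        if alerted and flow.malicious:
            tp += 1
        elif alerted:
            fp += 1
        elif flow.malicious:
            fn += 1
        else:
            tn += 1
    return {
        "tp": tp, "fp": fp, "tn": tn, "fn": fn,
        "detection_rate": tp / (tp + fn) if tp + fn else 0.0,
        "false_positive_rate": fp / (fp + tn) if fp + tn else 0.0,
        "precision": tp / (tp + fp) if tp + fp else 0.0,
    }


# Constructed attack traffic (labelled malicious). The last one is URL-encoded
# and slips past these naive patterns, so it is a miss the corpus should expose.
ATTACKS = [
    Flow("GET /scripts/..%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0", True),
    Flow("GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0", True),
    Flow("POST /login HTTP/1.1 user=admin'--&pass=x", True),
    Flow("GET /search?q=%27%20OR%201%3D1 HTTP/1.1", True),
]

# Constructed legitimate traffic. Three of these are "bad looking" but benign:
# a help page about cmd.exe, a forum post with an apostrophe before " --", and
# documentation about the /etc/passwd file format.
BENIGN = [
    Flow("GET /index.html HTTP/1.1", False),
    Flow("GET /docs/faq.html?topic=cmd.exe%20alternatives HTTP/1.1", False),
    Flow("GET /static/js/app.js HTTP/1.1", False),
    Flow("POST /forum/post HTTP/1.1 body=Great talk, thanks' -- Bob", False),
    Flow("GET /manual/unix/etc/passwd-format.html HTTP/1.1", False),
    Flow("GET /about.html HTTP/1.1", False),
    Flow("GET /images/logo.png HTTP/1.1", False),
    Flow("GET /contact.html HTTP/1.1", False),
]


def compare():
    """Score the same ruleset on an attacks-only corpus and on the realistic mix."""
    return {"attacks_only": evaluate(ATTACKS), "mixed": evaluate(ATTACKS + BENIGN)}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On the attacks-only corpus the ruleset reports 75% detection, zero false positives and 100% precision; on the mixed corpus the detection rate is unchanged but precision falls to 50% and the false positive rate is 37.5%, because ordinary documentation and forum text trips the same patterns. That is the difference Paul is describing between naming a product and actually measuring it in the environment and under the policy it will serve.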