RE: IDS recommendations

From: Robert Zachary
Date: 11/02/01

Message-ID: <1C1E25D810B404489BFE32088773C18816EAEA@CHSVRNT1>
From: Robert Zachary
Subject: RE: IDS recommendations
Date: Fri, 2 Nov 2001 08:49:16 -0600 

Has anyone been looking at SecureNet Pro lately? Any

Robert Zachary

-----Original Message-----
From: Ken
Sent: Thursday, November 01, 2001 4:09 PM
To: Kevin Martin
Subject: Re: IDS recommendations

I would agree with the comments on Dragon. I have used this product
extensively for both "normal" IDS operations and investigative work. I
am a big fan of the ability to record forensics data and then tie that
data to "events" so that it can be easily viewed. I have worked with
a couple of other products that claim that forensics data is captured,
but it is not very easy to get to.

Custom sigs are a plus if you are into that, especially if you wanna tune
down to your specific environment. Can also be used to enable really

Some people find that the flexibility can be a bit of a challenge to manage. I
tend to think of it (the flexibility) as a great feature, well worth
spending a little time to learn the details.

Finally, I think Enterasys has done a pretty good job of coming up with a
cohesive host / network sensor architecture. There are several approaches to
host IDS - they have sided on the file integrity and log monitoring approach
(vs. intercepting system calls and auditing access to files). This allows you
to monitor syslogs, event logs, application logs, etc., and report the
events back to a common network/host security monitoring station. The host
sensor also has an open signature format, so you can monitor custom app logs or
with other host monitoring systems like Tripwire.

Hope this helps... feel free to touch base with me if you have additional



At 10:45 AM 11/1/01 -0800, Jon O . wrote:

>I've had experience with all three products and can give a short quick
>overview of my experience.
>Cisco: Works well and is very stable, well designed, etc. It's Cisco
>so it doesn't crash, lockup, etc. Not very flexible, sigs built in,
>no modifications for your environment. Good on your borders.
>ISS: Made for people not fully versed in IDS. Keeps things simple at the
>cost of flexibility and a certain amount of security. Logging is weak,
>no telling what they are using as a signature, locks up, but simple
>for a non-expert to manage and run. Simple issues like IP Protocol
>50, 51 (VPN traffic) are considered "Unknown Protocol", with no ability to
>make them known. I keep feeling like I can't see everything and things are
>being missed.
>Dragon: Great tool. Logging is very flexible and secure, I've used
>in high traffic enterprise environments. Custom signatures are
>quick and you know what triggers all signatures so you can really
>see under the hood. Needs a bit more understanding of IDS
>theory and implementation, but very powerful tool once you read
>the docs. Can keep up in heavy traffic zones, transit networks, etc.
>Overall, the one I'd recommend and really the only one I trust.
>On 01-Nov-2001, Kevin Martin wrote:
> > I'm currently researching NIDS and HIDS from a multitude of vendors. I
> > read 2 articles from NetworkWorldFusion and Network Computing and it
> > appears that they rank Cisco, ISS, and Dragon as their top 3. Any practical
> > experiences with these 3 would be greatly appreciated (need to cut thru
> > vendor doubletalk).
> >
> > Thanks..
> >
> > Kevin Martin
> > Stafford Trading Inc. Chief Security Officer
> > Chicago, IL 60604 TEL +1-312.356.4849
> > 230 S. LaSalle, Ste. 688
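Ken's description of the Enterasys host sensor (file integrity plus log monitoring against an open signature format, reporting normalized events to a common console) is easy to see in miniature. The following is an added example written for this archive, not Dragon's, Enterasys', or Tripwire's code: the signature format, the event shape, and the sample log lines and file contents are all constructed for illustration, and the rules shown are assumptions about what such signatures look like, not the product's own.

```python
"""Minimal host-sensor sketch: log monitoring plus file-integrity checks,
emitting normalized events as a central console would collect them.
Added illustration; not the code of any product named in the thread."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical open, human-editable signature format: each rule names the
# log source it applies to, a regex, and the event name it produces.
LOG_SIGNATURES = [
    {"name": "SSH-FAILED-LOGIN", "source": "syslog",
     "pattern": r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)"},
    {"name": "SUDO-ROOT-SHELL", "source": "syslog",
     "pattern": r"sudo:\s+(\S+) : .*COMMAND=(/bin/(?:ba)?sh)"},
    # A rule for a custom application log, which is the point of an open format.
    {"name": "APP-AUTH-ERROR", "source": "custom-app",
     "pattern": r"level=ERROR msg=\"auth failed\" user=(\S+)"},
]


@dataclass
class Event:
    """Normalized event: what fired, which source it came from, and the detail."""
    name: str
    source: str
    detail: str


def match_log_lines(lines: List[str], source: str, signatures=LOG_SIGNATURES) -> List[Event]:
    """Run the signatures registered for one log source over its lines."""
    compiled = [(s["name"], re.compile(s["pattern"]))
                for s in signatures if s["source"] == source]
    events = []
    for line in lines:
        for name, rx in compiled:
            m = rx.search(line)
            if m:
                events.append(Event(name, source, " ".join(m.groups())))
    return events


def baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """File-integrity baseline: path -> SHA-256 of the file's contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(base: Dict[str, str], current_files: Dict[str, bytes]) -> List[Event]:
    """Compare current contents against the baseline; one event per added,
    removed, or modified file (unchanged files produce nothing)."""
    now = baseline(current_files)
    events = []
    for path in sorted(set(base) | set(now)):
        if path not in now:
            events.append(Event("FILE-REMOVED", "integrity", path))
        elif path not in base:
            events.append(Event("FILE-ADDED", "integrity", path))
        elif base[path] != now[path]:
            events.append(Event("FILE-MODIFIED", "integrity", path))
    return events


# Constructed sample input (not real logs or real system files).
SYSLOG_SAMPLE = [
    "Nov  1 10:45:01 host sshd[1234]: Accepted password for alice from 10.0.0.5 port 4000 ssh2",
    "Nov  1 10:45:07 host sshd[1235]: Failed password for invalid user admin from 192.0.2.10 port 4100 ssh2",
    "Nov  1 10:46:12 host sudo:    bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
]
APP_SAMPLE = [
    'ts=2001-11-01T10:47:00 level=INFO msg="request ok" user=alice',
    'ts=2001-11-01T10:47:03 level=ERROR msg="auth failed" user=mallory',
]
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
}
CURRENT_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/sh\n",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/etc/cron.d/nightly": b"0 2 * * * root /usr/local/bin/backup\n",
}


def run_sensor() -> List[Event]:
    """Gather events from every source into the one list a console would show."""
    events = []
    events += match_log_lines(SYSLOG_SAMPLE, "syslog")
    events += match_log_lines(APP_SAMPLE, "custom-app")
    events += check_integrity(baseline(BASELINE_FILES), CURRENT_FILES)
    return events


if __name__ == "__main__":
    for e in run_sensor():
        print(f"{e.source:10} {e.name:17} {e.detail}")
```

Two design points carry over from the thread: every event records which rule fired and on what, so an analyst can "see under the hood" rather than trust an opaque verdict, and the file-integrity side is just a baseline of hashes compared on each run, which is why it composes with log monitoring instead of needing system-call interception.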