RE: IDS recommendations

From: Clement-Evans, Rhys (Rhys.Clement-Evans@swisslife.co.uk)
Date: 11/02/01


Message-Id: <098982569B8AD2119A600008C75D543805B817C6@LPMS01.swisslife.org>
From: "Clement-Evans, Rhys" <Rhys.Clement-Evans@swisslife.co.uk>
To: 'Kevin Martin' <KMartin@xcaliber.com>, focus-ids@securityfocus.com
Subject: RE: IDS recommendations
Date: Fri, 2 Nov 2001 10:01:55 -0000 

My experience is with ISS RealSecure and Snort.

Let me say that my overall impression of RealSecure 6.0 is that it is a
solid product and a worthwhile investment. The signature set seems reasonably
broad (if infrequently updated). Triggered signatures may in turn trigger
email alerts, kill (reset) packets may be automatically sent, Lucent or
OPSec compliant firewalls instructed to block traffic, SNMP alerting, or
even user defined actions called (not yet played with that so can't comment
on the type of actions).

On the negative side - I have to back up the comments made by Stan
Burditzman that the user defined signatures are very limited. I'm finding
for example that if I want to ignore automated FTP logons between two of my
machines using the username 'Fred' then I must either put a global ignore
src.address dst.address in (which means no traffic to any port is logged) or
I must stop monitoring FTP Login names for all hosts. Being used to the
flexibility of Snort, this is one of the more frustrating points.

Another negative point that I have heard reported is that on busy segments
with many signatures being triggered, the monitor windows are a blur, making
it difficult to track current status.

Not all is doom and gloom though - I intend to circumvent both of these
issues by pulling reports from the SQL database to which it logs rather than
using the monitoring console. The flexibility of SQL queries should allow me
to pull manageable information out of the database without having to
restrict the logging capabilities - it just seems unfortunate that I have to
take this time consuming step (teach-yourself-SQL-time).

Regards

Rhys Clement-Evans
E-Commerce Implementation & Security Engineer.
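The reporting-side filter described above, as an added example that is not from the original post and not ISS's own schema: it assumes a hypothetical events table (the real RealSecure 6.0 log layout is not shown in the thread) and constructed sample rows, and excludes only the automated FTP logons between the two hosts while keeping every other event, including other FTP login names on the same pair and all non-FTP traffic between them.

```sql
-- Hypothetical table standing in for the RealSecure event log (constructed for this example).
CREATE TABLE ids_events (
    event_time  TIMESTAMP,
    signature   VARCHAR(64),   -- e.g. 'FTP_Login'
    src_address VARCHAR(15),
    dst_address VARCHAR(15),
    dst_port    INTEGER,
    username    VARCHAR(64)    -- populated only for login-type signatures
);

-- Constructed sample data (RFC 5737 documentation addresses).
INSERT INTO ids_events VALUES
  ('2001-11-01 02:00:00', 'FTP_Login',  '192.0.2.10', '192.0.2.20', 21, 'Fred'),  -- scheduled job: noise
  ('2001-11-01 02:05:00', 'FTP_Login',  '192.0.2.10', '192.0.2.20', 21, 'root'),  -- same pair, other user: keep
  ('2001-11-01 02:10:00', 'FTP_Login',  '192.0.2.30', '192.0.2.20', 21, 'Fred'),  -- 'Fred' from elsewhere: keep
  ('2001-11-01 02:15:00', 'HTTP_Probe', '192.0.2.10', '192.0.2.20', 80, NULL);    -- other traffic on the pair: keep

-- Reporting view: suppress exactly one (signature, src, dst, user) tuple
-- instead of ignoring the whole host pair at the sensor.
-- The NOT (...) test is FALSE for the HTTP row before username is examined,
-- so the NULL username there cannot drop the row.
SELECT event_time, signature, src_address, dst_address, dst_port, username
FROM ids_events
WHERE NOT (signature   = 'FTP_Login'
       AND src_address = '192.0.2.10'
       AND dst_address = '192.0.2.20'
       AND username    = 'Fred')
ORDER BY event_time;
```

The sensor keeps logging everything; only the report narrows, so the suppressed tuple is still available for later review.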

-----Original Message-----
From: Kevin Martin [mailto:KMartin@xcaliber.com]
Sent: 01 November 2001 17:16
To: focus-ids@securityfocus.com
Subject: IDS recommendations


I'm currently researching NIDS and HIDS from a multitude of vendors. I've
read 2 articles from NetworkWorldFusion and Network Computing and it appears
that they rank Cisco, ISS, and Dragon as their top 3. Any practical
experiences with these 3 would be greatly appreciated (need to cut thru the
vendor doubletalk).

Thanks..

Kevin Martin kmartin@xcaliber.com
Stafford Trading Inc. Chief Security Officer
Chicago, IL 60604 TEL +1-312.356.4849
230 S. LaSalle, Ste. 688

_____________________________________________________________________
This message has been checked for all known viruses by Star Internet
delivered through the MessageLabs Virus Scanning Service. For further
information visit http://www.star.net.uk/stats.asp or alternatively call
Star Internet for details on the Virus Scanning Service.

Swiss Life (UK) plc (Reg No 2529609), Registered Address:-Swiss Life House, 24 - 26 South Park, Sevenoaks, Kent TN13 1BG England.

Swiss Life (UK) Services Ltd (Reg No 844703) and Interact Health Management Ltd (Reg No 1009752) also have their registered office at the address above. All three companies are incorporated in England. Swiss Life (UK) plc for insurance and pension products and Swiss Life (UK) Services Ltd, marketing associate, are regulated by the Financial Services Authority and are members of the Swiss Life (UK) Marketing Group.

Please note
This e-mail and any attachments are confidential. They may contain privileged information and are intended for the named addressee(s) only. They must not be distributed without our consent. If you are not the intended recipient, please notify the sender immediately and destroy this e-mail. Any unauthorised copying, disclosure or distribution of the material in this e-mail is strictly forbidden.

Unless expressly stated, opinions in this e-mail are those of the individual sender, and not of Swiss Life (UK) plc.

Swiss Life (UK) plc intercept and monitor incoming / outgoing e-mail and you should neither expect or intend any e-mail to be private in nature. Telephone calls may be monitored and recorded.

Any attachments to this message have been checked for viruses, but please rely on your own virus checker and procedures as we do not accept responsibility for any loss or damage caused to your computer systems.
