RE: IDS recommendations

From: Alfred Huger (ah@securityfocus.com)
Date: 12/04/01


Date: Tue, 4 Dec 2001 14:16:16 -0700 (MST)
From: Alfred Huger <ah@securityfocus.com>
To: <focus-ids@securityfocus.com>


In terms of Snort vs. the commercial offerings I thought I would chime in.
Our engineering team here run quite a few IDS's in our lab in order to
support them for ARIS. I feel pretty safe saying they all have significant
problems, none is a panacea per se nor do many of them live up to the
marketing verbiage which attends them.

Outside of actually running these systems in our labs, we (we being the
ARIS Analyst Team) deal with gigs of IDS log data every day. These systems
are all over the globe and range from Snort, RealSecure, Cisco Secure IDS,
Netprowler, BlackICE Defender & ICEPac and I am positive that Snort weighs
in *very* well with its playmates in terms of detection rates.

However, it does require some hand cranking to make the signature set
perform at its best for you and it lacks some features its commercial
brethren lack such as sensor management, log aggregation, commercial
support etc. The caveat to this is that SourceFire which provides the
OpenSnort Sensor addresses all of this. I have a copy here and am
impressed with it, it does everything I expect in a commercial IDS (as it
is one) and has excellent support. I would not hesitate to recommend it to
people for a commercial environment.

Cheers,
-al

VP Engineering
SecurityFocus
"Vae Victis"