Re: IDS Players?

From: Marnix Petrarca (Marnix@DaemonLabs.com)
Date: 06/18/02


From: "Marnix Petrarca" <Marnix@DaemonLabs.com>
To: "Nicholas Bachmann" <nbachmann@mail.davison.k12.mi.us>, "Gary Halleen" <ghalleen@cisco.com>
Date: Tue, 18 Jun 2002 13:00:40 +0200


-----BEGIN PGP SIGNED MESSAGE-----

Hmm, perhaps you should have said: "According to Network Computing magazine in
*1999*..." (If I am in error here, please correct me!)

Anyway, here's a more recent review, which has another opinion on which is
best... in regard to evasion techniques!

http://www.nwfusion.com/news/2002/0415idsevad.html

A comment on Signature vs. Protocol vs. Anomaly IDS environments:

http://www.scmagazine.com/scmagazine/sc-online/2002/article/23/article.html

And the latest test from NSS (Dec. 2001)

http://www.nss.co.uk/download.htm

http://www.nss.co.uk/ids/ids_edition_2.htm (HTML)

http://www.nss.co.uk/ids/IDS%20Group%20Test%20Report%20Edition%202.pdf (.PDF)

A general index to SC Magazine tests (check it out!)

http://www.scmagazine.com/scmagazine/sc-online/archives/index.html

http://www.scmagazine.com/scmagazine/sc-online/archives/i_intrusion.html

http://www.westcoast.com/events/awards/ shows a different winner all around
(NFR Security SC Magazine Award)

- If anyone knows of more recent reviews, please let me know - always
interested!

Marnix

DaemonLabs Network Security

P.O. Box 188
1600 AD Enkhuizen
The Netherlands.
Chamber of Commerce 370.961.29

Phone: +31-228-325-005
Fax: +31-228-325-009
Mobile: +31-6-11-250-524

http://www.DaemonLabs.com

----- Original Message -----
From: "Nicholas Bachmann" <nbachmann@mail.davison.k12.mi.us>
To: "Gary Halleen" <ghalleen@cisco.com>
Cc: "Bill Mote" <bill.mote@mem.com>; <focus-ids@securityfocus.com>
Sent: Tuesday, June 18, 2002 1:38 AM
Subject: Re: IDS Players?

> Gary Halleen wrote:
>
> >According to Network Computing magazine, the top three are:
> >
> My opinions in short:
>
> >Enterasys Dragon
> >
> If you can afford it, excellent. I previewed it, and was impressed.
> The Dragon mailing list is informative and excellent; the programmers
> and QA folks from Enterasys (even their top IDS guy) join in frequently
> and some smart people from big name places (I guess I'm jealous, all my
> employer makes is futures :-) give good advice and ask intelligent
> questions.
>
> >Cisco IDS
> >
> If you have Cisco infrastructure, excellent. If not, this probably
> isn't as valuable for you as ^ or \/. I haven't had much experience
> with Cisco, so maybe I've just been eating paste again.
>
> >Snort
> >
> If you want to customize your IDS, or you don't fit into the above
> two categories (i.e. short on cash and without a Cisco(1) network),
> excellent. I'm setting up a system using Snort, and have been very
> happy with it. Snort, like Dragon, has the advantage of easy access to
> the authors and testers. :-) The database plugins + PostgreSQL + ACID
> make a decent setup for network-wide monitoring.
>
> (1) Which probably has to do with the short on cash part. :-)
>
> >-----Original Message-----
> >From: Bill Mote [mailto:bill.mote@mem.com]
> >
> [...]
>
> >I've read about signature based IDS and host based IDS. I've even read some
> >material about the hybrid systems which incorporate features from signature
> >and host based IDSs. In your opinion, which one is better? Why?
> >
> >
> Well, if you want close monitoring of a single machine, HIDS is better.
> If you want to protect a whole network, NIDS is better. If you want to
> protect both, a hybrid setup is better. Systems like Dragon and
> ACID+logsnorter get bonus points because you can bring HIDS, NIDS, and
> firewall monitoring into one spot.
>
> --
>
> Regards,
> Nick
>
> Nicholas Bachmann, SSCP
> Unix Administrator
> Davison Community Schools
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQIVAwUBPQ8S1E/E9ZhK7OS8AQEMUxAArV5uaTZRQuOYUKaoeCQlQWf9aiMQelsI
He8PKZxwXb4JBjxOt2xDLDBBwvkkI9JOnQjsZLHOfhe82XrEUW17hCukAkCJBipc
EcAhZoTL4Hvy2nTEbxeefJ706xs6maUhyJq+OISZ2cLSmmzBonIuntae0yJe3cUp
8lPJX7wUJP2h7WQxti6YwMZsydfdDBr3uOcYZAwXDQiGscgNiPNQNfXOd63BqtQq
IEkcgv9Jh0Ps3S03dh+4AUt8ve1aWm1/xFFOt841cQ3vreRhaADu/GPJPkXBBYUO
asPoWRm7Cr/s12U4vrXZA5rnKEbzDzVWsM2Fcq9oHBbbOhGYCNlPi+7b41DiYIbE
NrmPNe5y/hGYMIWSX9WdijKMSN5X67WDK2ce4tlnqZKaHs32Oln0dzIHob4Uk213
vnUpL8Z00XOG5XxWo787ejr+PFaMhx3UZMq3rcipTBi9TgYgP2yQ5cl0a82aDtWN
dZa9H89ZnwOtLSwtzGv1RwHrgxyWu/ZCBTzwqWn0ZEYJ0RbA9iMn14dK4Cti68FD
SfsvNBX/7lgY9fUGy/hZcHfokoaRKUXG8AOTp1RXgjZUEPtm47LnNe+aM8EFTNz0
OiklGsbBSfAWA/MpbrI1vKkTvmUsSS6ZYBg/9aWzCaCW9zl9sGKzftsh5qSjEujX
4oFchN0TNro=
=9ERp
-----END PGP SIGNATURE-----
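The reviews Marnix links above rank IDS products by how well they resist evasion. As an added illustration of what such a test exercises (example code written for this page, not from the thread, any reviewer, or any product), the block below shows two classic network-IDS evasion techniques against a toy signature matcher: splitting the attack string across TCP segments, which a matcher that inspects one segment at a time misses, and retransmitting overlapping segments with different data, which a reassembling IDS only handles correctly if it resolves the overlap the same way the target host does. The signature, the request, and the `favor` policy names are constructed for the example.

```python
"""Added example (not from the thread): two classic network-IDS evasion
techniques, shown against a toy signature matcher.

1. Splitting the attack string across TCP segments defeats a matcher that
   inspects each segment on its own; a matcher that reassembles the stream
   by sequence number still sees it.
2. Retransmitting a segment with different data at the same sequence number
   makes the stream ambiguous: the IDS only sees what the target host sees
   if it resolves the overlap the same way the host does.

All packets and the signature below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes


# Constructed signature: a directory-traversal string a rule might look for.
SIGNATURE = b"../../etc/passwd"


def match_per_packet(segments: Iterable[Segment], signature: bytes = SIGNATURE) -> bool:
    """Naive matcher: the signature must appear entirely inside one segment."""
    return any(signature in s.payload for s in segments)


def reassemble(segments: Iterable[Segment], favor: str = "first") -> bytes:
    """Rebuild the byte stream from sequence numbers.

    Segments may arrive out of order. When two segments carry different data
    for the same offset, keep the byte from the earlier-arriving segment
    (favor="first") or the later one (favor="last"). Real TCP stacks differ
    here, so an IDS must model the policy of the host it protects. Gaps in
    the stream are filled with b"?" so a signature cannot match across them.
    """
    if favor not in ("first", "last"):
        raise ValueError("favor must be 'first' or 'last'")
    stream = {}
    for s in segments:                       # list order == arrival order
        for i, b in enumerate(s.payload):
            off = s.seq + i
            if off not in stream or favor == "last":
                stream[off] = b
    if not stream:
        return b""
    return bytes(stream.get(i, ord("?")) for i in range(max(stream) + 1))


def match_reassembled(segments: Iterable[Segment], signature: bytes = SIGNATURE,
                      favor: str = "first") -> bool:
    """Stream-aware matcher: search the signature in the reassembled data."""
    return signature in reassemble(segments, favor)


def split_request(request: bytes, chunk: int) -> List[Segment]:
    """Attacker side: send the request in chunk-sized TCP segments."""
    return [Segment(i, request[i:i + chunk]) for i in range(0, len(request), chunk)]


REQUEST = b"GET /../../etc/passwd HTTP/1.0\r\n\r\n"   # constructed attack request


def segmentation_evasion() -> dict:
    """Technique 1: 8-byte segments, so the 16-byte signature never sits
    inside a single segment. Out-of-order delivery is also shown."""
    segs = split_request(REQUEST, 8)
    return {
        "per_packet": match_per_packet(segs),
        "reassembled": match_reassembled(segs),
        "reassembled_out_of_order": match_reassembled(list(reversed(segs))),
    }


def overlap_evasion() -> dict:
    """Technique 2: harmless bytes first, then an overlapping retransmission
    carrying the real attack at the same sequence number. An IDS that keeps
    the first copy misses what a host that keeps the last copy executes."""
    segs = [
        Segment(0, b"GET /"),
        Segment(5, b"../../etc/XXXXXX"),    # arrives first: junk
        Segment(5, b"../../etc/passwd"),    # arrives second: real attack
        Segment(21, b" HTTP/1.0\r\n\r\n"),
    ]
    return {
        "host_favors_first": match_reassembled(segs, favor="first"),
        "host_favors_last": match_reassembled(segs, favor="last"),
    }


if __name__ == "__main__":
    print(segmentation_evasion())
    print(overlap_evasion())
```

Running the block prints the two result dictionaries. The practical lesson for a product comparison is that "does it have a signature for X" says little on its own; the questions are whether the sensor reassembles streams (and IP fragments) before matching, and whether its overlap and retransmission policy can be set to match the hosts behind it.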
