RE: IDS Players?

From: Bob Walder (bwalder@spamcop.net)
Date: 06/18/02


From: "Bob Walder" <bwalder@spamcop.net>
To: "'Marnix Petrarca'" <Marnix@DaemonLabs.com>, "'Nicholas Bachmann'" <nbachmann@mail.davison.k12.mi.us>, "'Gary Halleen'" <ghalleen@cisco.com>
Date: Tue, 18 Jun 2002 18:24:48 +0100

Well, I really am sorry about this, but since the direct links to our
reports have been published I am afraid we have had to remove them from the
site.

As anyone who has been to our site knows, we do ask you to fill out a simple
registration form before downloading. This information is NEVER passed to
third parties - hell, we don't even use it ourselves to pester you in the
future. All we use it for is to monitor the types and locations of companies
and end users who are reading our reports. That data helps us attract new
participants - and that is how we can continue to provide this stuff for
free.

Yes - I know it's not difficult to bypass this stuff and link in behind it,
or provide the direct URLs as Mr Petrarca has done. But by and large we opt
for the simple, common-sense approach and a modicum of trust. In fact, 96%
of the forms we receive are completed fully - some even taking the time to
thank us and provide kind comments.

To all of you, we are very grateful, and extend our thanks. And to all of
you, my apologies for having to remove this resource.

Regards,

Bob Walder
Director
The NSS Group

>> -----Original Message-----
>> From: Marnix Petrarca [mailto:Marnix@DaemonLabs.com]
>> Sent: 18 June 2002 12:01
>> To: Nicholas Bachmann; Gary Halleen
>> Cc: Bill Mote; focus-ids@securityfocus.com
>> Subject: Re: IDS Players?
>>
>>
>> Hmm, perhaps you should have said: "According to Network
>> Computing magazine in
>> *1999*...(If I am in error here, please correct me!)
>>
>> Anyway, here's a more recent review, which has another
>> opinion on which is
>> best... in regard to evasion techniques!
>>
>> http://www.nwfusion.com/news/2002/0415idsevad.html
>>
>> A comment on Signature vs. Protocol vs. Anomaly IDS environments:
>>
>> http://www.scmagazine.com/scmagazine/sc-online/2002/article/23/article.html
>>
>> And the latest test from NSS (Dec. 2001)
>>
>> http://www.nss.co.uk/download.htm
>>
>> http://www.nss.co.uk/ids/ids_edition_2.htm (HTML)
>>
>> http://www.nss.co.uk/ids/IDS%20Group%20Test%20Report%20Edition%202.pdf (.PDF)
>>
>> A general index to SC Magazine tests (check it out!)
>>
>> http://www.scmagazine.com/scmagazine/sc-online/archives/index.html
>>
>> http://www.scmagazine.com/scmagazine/sc-online/archives/i_intrusion.html
>>
>> http://www.westcoast.com/events/awards/ shows a different
>> winner all around
>> (NFR Security SC Magazine Award)
>>
>>
>> - - If anyone knows of more recent reviews, please let me
>> know - always
>> interested!
>>
>> Marnix
>>
>> DaemonLabs Network Security
>>
>> P.O. Box 188
>> 1600 AD Enkhuizen
>> The Netherlands.
>> Chamber of Commerce 370.961.29
>>
>> Phone: +31-228-325-005
>> Fax: +31-228-325-009
>> Mobile: +31-6-11-250-524
>>
>> http://www.DaemonLabs.com
>>
>> - ----- Original Message -----
>> From: "Nicholas Bachmann" <nbachmann@mail.davison.k12.mi.us>
>> To: "Gary Halleen" <ghalleen@cisco.com>
>> Cc: "Bill Mote" <bill.mote@mem.com>; <focus-ids@securityfocus.com>
>> Sent: Tuesday, June 18, 2002 1:38 AM
>> Subject: Re: IDS Players?
>>
>>
>> > Gary Halleen wrote:
>> >
>> > >According to Network Computing magazine, the top three are:
>> > >
>> > My opinions in short:
>> >
>> > >Enterasys Dragon
>> > >
>> > If you can afford it, excellent. I previewed it, and was
>> impressed.
>> > The Dragon mailing list is informative and excellent; the
>> programmers
>> > and QA folks from Enterasys (even their top IDS guy) join
>> in frequently
>> > and some smart people from big name places (I guess I'm
>> jealous, all my
>> > employer makes is futures :-) give good advice and ask intelligent
>> > questions.
>> >
>> > >Cisco IDS
>> > >
>> > If you have Cisco infrastructure, excellent. If not, this
>> probably
>> > isn't as valuable for you as ^ or \/. I haven't had much
>> experience
>> > with Cisco, so maybe I've just been eating paste again.
>> >
>> > >Snort
>> > >
>> > If you want to customize your IDS, or you don't fit
>> into the above
>> > two categories (i.e. short on cash and without a Cisco(1)
>> network),
>> > excellent. I'm setting up a system using Snort, and have
>> been very
>> > happy with it. Snort, like Dragon, has the advantage of
>> easy access to
>> > the authors and testers. :-) The database plugins +
>> PostgreSQL + ACID
>> > make a decent setup for network-wide monitoring.
>> >
>> > (1) Which probably has to do with the short on cash part. :-)
>> >
>> > >-----Original Message-----
>> > >From: Bill Mote [mailto:bill.mote@mem.com]
>> > >
>> > [...]
>> >
>> > >I've read about signature based IDS and host based IDS.
>> I've even read some
>> > >material about the hybrid systems which incorporate
>> features from signature
>> > >and host based IDSs. In your opinion, which one is better? Why?
>> > >
>> > >
>> > Well, if you want close monitoring of a single machine,
>> HIDS is better.
>> > If you want to protect a whole network, NIDS is better.
>> If you want to
>> > protect both, a hybrid setup is better. Systems like Dragon and
>> > ACID+logsnorter get bonus points because you can bring
>> HIDS, NIDS, and
>> > firewall monitoring into one spot.
>> >
>> > --
>> >
>> > Regards,
>> > Nick
>> >
>> > Nicholas Bachmann, SSCP
>> > Unix Administrator
>> > Davison Community Schools
>> >
>>
