Re: IDS Players?

From: lists (lists@var-log.com)
Date: 06/18/02


From: "lists" <lists@var-log.com>
To: "Nicholas Bachmann" <nbachmann@mail.davison.k12.mi.us>, "Gary Halleen" <ghalleen@cisco.com>
Date: Tue, 18 Jun 2002 08:22:39 -0500

I'll throw in my two cents

Cisco
Very good with a Cisco infrastructure and very good with automated response.
Does a good job with many evasion tricks. Seems to be having signature bloat
lately, I think to impress with the quantity rather than quality of sigs.
Before it had a rather minimalistic signature base that caught a wide range
of attacks. Does not really log well enough for some attacks. I mean it logs
well but isn't very flexible and can get out of hand when you log.

Dragon
Used it a long time ago and loved it. Very technical and flexible. Does a
good job of showing traffic streams by catching X packets on each side. Used
to be able to set some very cool global variables as well such as cushion
and stuff like that. Good people to work with. Could catch a lot of traffic.
It probably has more sigs than Cisco but sigs are probably not as general as
Cisco's. I don't think auto response is as flexible as Cisco or at least it
wasn't a year or so ago.

Snort
Like it, but not as much as Dragon or Cisco and here is why. I like its
rule architecture but it seems a little kludgy by comparison to both Cisco
and Dragon. Don't get me wrong, the rules are very flexible but they are also
not as easy or concise. You can't really set global variables like a cushion
as easily and it doesn't necessarily display the session as well as
Dragon. Does not have as flexible an automated response as Cisco either. In
most cases though, I would use it because of cost and support. The community
does a real good job supporting it. Plus you can deploy several for the
price of one of the others.

Kevin

----- Original Message -----
From: "Nicholas Bachmann" <nbachmann@mail.davison.k12.mi.us>
To: "Gary Halleen" <ghalleen@cisco.com>
Cc: "Bill Mote" <bill.mote@mem.com>; <focus-ids@securityfocus.com>
Sent: Monday, June 17, 2002 6:38 PM
Subject: Re: IDS Players?

> Gary Halleen wrote:
>
> >According to Network Computing magazine, the top three are:
> >
> My opinions in short:
>
> >Enterasys Dragon
> >
> If you can afford it, excellent. I previewed it, and was impressed.
> The Dragon mailing list is informative and excellent; the programmers
> and QA folks from Enterasys (even their top IDS guy) join in frequently
> and some smart people from big name places (I guess I'm jealous, all my
> employer makes is futures :-) give good advice and ask intelligent
> questions.
>
> >Cisco IDS
> >
> If you have Cisco infrastructure, excellent. If not, this probably
> isn't as valuable for you as ^ or \/. I haven't had much experience
> with Cisco, so maybe I've just been eating paste again.
>
> >Snort
> >
> If you want to customize your IDS, or you don't fit into the above
> two categories (i.e. short on cash and without a Cisco(1) network),
> excellent. I'm setting up a system using Snort, and have been very
> happy with it. Snort, like Dragon, has the advantage of easy access to
> the authors and testers. :-) The database plugins + PostgreSQL + ACID
> make a decent setup for network-wide monitoring.
>
> (1) Which probably has to do with the short on cash part. :-)
>
> >-----Original Message-----
> >From: Bill Mote [mailto:bill.mote@mem.com]
> >
> [...]
>
> >I've read about signature based IDS and host based IDS. I've even read
> >some material about the hybrid systems which incorporate features from
> >signature and host based IDSs. In your opinion, which one is better? Why?
> >
> >
> Well, if you want close monitoring of a single machine, HIDS is better.
> If you want to protect a whole network, NIDS is better. If you want to
> protect both, a hybrid setup is better. Systems like Dragon and
> ACID+logsnorter get bonus points because you can bring HIDS, NIDS, and
> firewall monitoring into one spot.
>
> --
>
> Regards,
> Nick
>
> Nicholas Bachmann, SSCP
> Unix Administrator
> Davison Community Schools
>
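The hybrid-monitoring point in the reply above (bringing HIDS, NIDS and firewall events "into one spot", as ACID+logsnorter did) is easier to see in code. What follows is an added Python example, not code from this thread, from Snort, or from any product named here. The four input lines are constructed samples that mimic a Snort "fast" style alert, a hypothetical host-IDS syslog line, and iptables-style firewall log lines; the regexes are written for those constructed formats only and are not vendor specifications. The example normalises each line into one record and groups records by source IP, so a host reported by more than one sensor type shows up in a single view.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample log lines (not real captures). Formats mimic, in order:
# a Snort "fast" style NIDS alert, a hypothetical host-IDS syslog line,
# and two iptables-style firewall log lines.
SAMPLE_LINES = [
    "06/18-08:22:39.123456  [**] [1:1000001:1] CONSTRUCTED web probe [**] "
    "[Priority: 2] {TCP} 10.0.0.5:4444 -> 192.168.1.10:80",
    "Jun 18 08:22:41 webhost hids[123]: file /etc/passwd modified, remote=10.0.0.5",
    "Jun 18 08:22:40 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 "
    "PROTO=TCP SPT=4445 DPT=22",
    "Jun 18 08:30:00 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.168.1.11 "
    "PROTO=UDP SPT=53 DPT=53",
]


@dataclass
class Event:
    """One normalised event, whatever sensor produced it."""
    source: str            # "nids", "hids" or "firewall"
    src_ip: str
    dst_ip: Optional[str]  # the host-IDS line carries no destination
    message: str


# Regexes for the three constructed formats above (assumptions, not vendor specs).
SNORT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.*?) \[\*\*\].*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
HIDS_RE = re.compile(r"hids\[\d+\]: (?P<msg>.*?), remote=(?P<src>[\d.]+)")
FW_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) SPT=\d+ DPT=(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Event]:
    """Map one raw line to an Event, or None if no known format matches."""
    m = SNORT_RE.search(line)
    if m:
        return Event("nids", m["src"], m["dst"], f"{m['msg']} ({m['proto']})")
    m = HIDS_RE.search(line)
    if m:
        return Event("hids", m["src"], None, m["msg"])
    m = FW_RE.search(line)
    if m:
        return Event("firewall", m["src"], m["dst"],
                     f"{m['proto']} to port {m['dport']}")
    return None


def correlate(lines: List[str]) -> Dict[str, List[Event]]:
    """Group all parsable events by source IP: the 'one spot' view."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            by_src[ev.src_ip].append(ev)
    return dict(by_src)


def hosts_seen_by_multiple_sensors(lines: List[str]) -> List[str]:
    """Source IPs reported by at least two different sensor types."""
    return sorted(
        ip for ip, events in correlate(lines).items()
        if len({ev.source for ev in events}) >= 2
    )


if __name__ == "__main__":
    for ip, events in correlate(SAMPLE_LINES).items():
        print(ip)
        for ev in events:
            print(f"  [{ev.source}] {ev.message} -> {ev.dst_ip or '-'}")
    print("seen by multiple sensors:", hosts_seen_by_multiple_sensors(SAMPLE_LINES))
```

On the constructed input, 10.0.0.5 is the only address reported by the NIDS, the host IDS and the firewall together, which is the kind of cross-sensor view the reply has in mind; 10.0.0.9 appears in firewall logs alone. Real deployments replace the three regexes with parsers for whatever the sensors actually emit, but the grouping step stays the same.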
