IDS Project

From: counter.spy@gmx.de
Date: 06/20/02


Date: Thu, 20 Jun 2002 18:41:44 +0200 (MEST)
From: counter.spy@gmx.de
To: azad.mahmoud@dionach.com, focus-ids@securityfocus.com

Hello,

>Hi,
>
>I am doing a final project as part of my MSc degree. I am intending to
>evaluate three IDS systems (ISS, Snort, and NFR).
>
>I have some simple experience with snort, but never used ISS or NFR
>although I have the downloads for them. I think I can manage to deploy
>them with the help of available documentation.
>
>Questions are:
>
>- Am I making a good selection for products? Bearing in
>mind that I might not be able to get evaluation version of something
>like Dragon.

Why not Dragon? You can download the software and create eval keys on
Enterasys' website.

>- What are the criteria and/or considerations that I have
>to build my conclusions or results on?
>- Any guidance or suggestions?
>
>If there is someone out there who did a similar project, I would be
>most grateful if I can review his papers or at least give me an idea
>about the steps he/she took.

Yep, I did,
but I cannot give you the diploma thesis, it's not for the public.

But I am going to publish a derived IDS paper in September, and next week
or so I will publish my criteria catalog for enterprise-wide scaling IDS
products, which will later also be part of the complete IDS paper.
I will let you all know where to obtain the catalog when it's ready.

>Your help will be very much appreciated.
>
>
>Azad
>

I recommend that you not try a benchmark, but concentrate on scalability,
event correlation, ease of installation and administration, and so on.
An open signature format is very important, too.

Stand by until I am ready with my paper.
Greets,
Detmar
