RE: Questions about filtering
From: McCammon, Keith (Keith.McCammon@eadvancemed.com)
Date: 07/15/02
Date: Mon, 15 Jul 2002 09:34:21 -0400
From: "McCammon, Keith" <Keith.McCammon@eadvancemed.com>
To: "idslist" <ids@packetstorm.org>, <focus-ids@securityfocus.com>
> Am I asking for too much?
Nope. An IDS that can't be tuned to reduce noise is useless.
> Am I going about this the wrong way? If so is there a better method?
I've never used NFR, and I hope to keep it that way, so I'm of no use if you're looking for technical direction. However, I can tell you that passing on the traffic will be ten times more useful than muddying your screen with a generic "ignore me, I'm false" message. Plus, some systems were designed such that pass rules are processed first, keeping overhead to a minimum in these types of cases.
Having said this, I would urge you to look at Snort before you make a decision. These types of things are easy to clean up using Snort's language, there are more sigs, and performance is comparable (if not superior) to any commercial system that I've used. And it's free!
Cheers
Keith