RE: IDS evaluation
From: Sebastien Desse (sdesse@euresys.fr)
Date: 08/22/02
- Previous message: samantha myers: "Sourcefire Network Sensor"
- In reply to: Saad Kadhi: "Re: IDS evaluation"
- Next in thread: Gary Halleen: "RE: IDS evaluation"
- Next in thread: Reverman, Peter C: "RE: IDS evaluation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Sebastien Desse <sdesse@euresys.fr> To: "Saad Kadhi" <bsdguy@docisland.org>, <focus-ids@securityfocus.com> Date: Thu, 22 Aug 2002 21:48:10 +0200
Hi,
I don't agree with you. Snort offers, with additional (free) tools,
- Activworx IDS Policy Manager (very cool software)
- ACID (CERT) or even better SecurityFocus (I'm not a SecurityFocus
member) DeepSight Analyser
a high-level NIDS solution. The only interesting alternative is, to me,
Enterasys Dragon.
You can take a look at Prelude, a (young) global IDS solution with HIDS and
NIDS and a centralized management console.
Prelude is compatible with Snort, so you can also mix sensors or use only
the management console.
Others are *commercial stuff*: take the box, plug it in and don't care if it
really works!
>If central management/event correlation is what you need then my list would
>be:
>1.Enterasys Dragon
>2.Cisco Secure IDS
>3.ISS
What's _really_ important in an IDS solution?
Answer:
- Number of signatures
- Signature update frequency
- Protocol analysis (HTTP, TCP, IP, ...) and defragmentation (IP and TCP)
- Easy personalisation
Why not choose ISS or Cisco:
Cisco Secure IDS only has ~230 sigs, updates every 30 days!!!, painful IP
reassembly, and the GUI...
Cisco Secure IDS Policy Manager! It's the 2.3.3i version if I remember.
It's an end-of-life product (not officially) that was part of the CSPM bundle
before. CSPM has gone to version 3.0, now in VMS 2.0 (VPN management
solution).
But no update for the IDS version. Now it is limited to 3 sensors and, as soon
as the new version arrives, you'll need to pay for it again (no gift from
Cisco).
Rem: Our customers, CSPM 2.3 (firewall) users, must buy VMS 2.0 (very, very
expensive) if they want to keep on managing their devices in a centralized
way, even if they pay for maintenance. Thank you Cisco!!!
ISS: ~400 sigs, updates every 30 days!!!, no protocol analysis!!! (look at
fragroute or fragrouter)
Network sensor ~$66000, uses the Snort sigs base! No comment!
Why choose Snort:
- 1600 sigs, updates from 30 mins to some days (few), protocol analysis:
powerful IP/TCP reassembly, HTTP analysis
- Full-featured NIDS with a lot of good projects around, like IDS Policy
Manager, ACID, ...
- The possibility to reconfigure Checkpoint Firewall-1, Cisco routers and PIX,
and soon Linux Netfilter (SnortSam)
- And so much other stuff like price, performance, Open Source, ...
>However, the new appliances from Cisco that promise better performance than
>Dragon (among other things) are still vaporware at this time.
Vaporware is a Cisco copyright ;-)
>I'm a Snort fan but deploying 12 of them with central management needs good
>expertise and multi-tool gluing skills.
Sure, but others don't do better.
To end:
SecurityFocus gives free access to Analyser, a
free console for IDS event correlation and alerting. It's a good product
and also compatible with many IDSs.
The extractor is free, Open Source and sends IDS data via SSL to the SF database.
It's a good solution. Must try.
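The post's evaluation criterion "protocol analysis and defragmentation (IP and TCP)", and its pointer to fragroute as a way to check it, can be illustrated with a small script. The following is an added example, not code from the post, from Snort or from any of the products named: it uses a constructed toy signature set and a simplified offset-based reassembler (real stacks resolve overlaps in vendor-specific ways) to show why a sensor that matches each fragment in isolation misses a pattern that a reassembling sensor finds.

```python
"""Why IP/TCP reassembly matters when evaluating a NIDS.

Added illustration, not from the mailing-list post.  The signature set and
the fragmented sample below are constructed for this example; they are not
Snort rules or captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical signature set: byte pattern -> rule name (constructed).
SIGNATURES = {
    b"/cgi-bin/phf": "WEB-CGI phf access",
    b"../../etc/passwd": "WEB-MISC directory traversal",
}


@dataclass
class Fragment:
    offset: int   # byte offset of this piece inside the original payload
    data: bytes


def match_per_fragment(frags: List[Fragment]) -> List[str]:
    """Naive sensor: inspect every fragment on its own, no reassembly."""
    hits: List[str] = []
    for frag in frags:
        for pattern, name in SIGNATURES.items():
            if pattern in frag.data and name not in hits:
                hits.append(name)
    return hits


def reassemble(frags: List[Fragment]) -> Optional[bytes]:
    """Rebuild the payload from fragments ordered by offset.

    Returns None while a gap remains (a real sensor would buffer and wait
    for the missing piece, then time the buffer out).  Bytes that overlap an
    already-seen region are resolved in favour of the earlier fragment; this
    is one of several policies and exactly the kind of ambiguity that
    fragroute-style evaluation exercises.
    """
    buf = bytearray()
    for frag in sorted(frags, key=lambda f: f.offset):
        if frag.offset > len(buf):
            return None                      # hole: a fragment is missing
        already_seen = len(buf) - frag.offset
        if already_seen < len(frag.data):    # keep only the new bytes
            buf.extend(frag.data[already_seen:])
    return bytes(buf)


def match_reassembled(frags: List[Fragment]) -> List[str]:
    """Reassembling sensor: match signatures against the rebuilt payload."""
    payload = reassemble(frags)
    if payload is None:
        return []
    return [name for pattern, name in SIGNATURES.items() if pattern in payload]


# Constructed sample: one HTTP request line delivered as three out-of-order
# fragments, with the signature string straddling the fragment boundaries.
SAMPLE = [
    Fragment(13, b"phf?name=x"),
    Fragment(0, b"GET /cgi-bi"),
    Fragment(11, b"n/"),
]

if __name__ == "__main__":
    print("per-fragment :", match_per_fragment(SAMPLE))   # expect []
    print("reassembled  :", match_reassembled(SAMPLE))    # expect the phf rule
```

Running the script prints an empty hit list for the per-fragment matcher and one hit for the reassembling matcher on the same bytes. When comparing sensors, a test set of this kind (ordered, out-of-order, overlapping and incomplete fragment sequences) gives a more meaningful answer than the raw signature count the post argues against relying on.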