Re: NetScreen IDS (X-post)

From: Jordan K Wiens (jwiens@nersp.nerdc.ufl.edu)
Date: 01/27/03

    Date: Mon, 27 Jan 2003 14:21:44 -0500 (EST)
    From: Jordan K Wiens <jwiens@nersp.nerdc.ufl.edu>
    To: Ralph Los <RLos@enteredge.com>

    We demo'ed it, and found the interface to be excellent, the features great
    and the actual detection ability abysmal. It does integrate fairly well
    with other IDS, and has a number of very nice features such as flow
    analysis and mild work tracking. On our couple of /16s it generated so
    many hundreds of identical events due to its use of 'anomaly detection'
    that it was functionally useless. On a highly controlled or very small
    network it might be useful; on a large network, it was fairly ineffective.

    Oh yeah; they claim to have the ability to correlate different attacks
    intelligently. On our network the correlation was worse than no
    correlation whatsoever. Different attacks were often lumped together, and
    (what I consider) obvious attacks were not correlated.

    If recent versions (last I saw it was about 6 months ago) have added a more
    robust signature base (the engine wasn't capable of incorporating too many
    signatures at first; they were heavily pushing their AD), and were able to
    make their correlation more effective, it would be an excellent product.

    -- 
    Jordan Wiens
    UF Network Incident Response Team
    (352)392-2061

    On Fri, 24 Jan 2003, Ralph Los wrote:
    > Greetings,
    >
    > 	Has anyone on this list had any experience with this product?  I've
    > not heard anything of it until a client of mine brought it up.  I'd like to
    > go through and investigate it to see if it's worthwhile, but would like some
    > community feedback on it?
    >
    > Link:  http://www.netscreen.com/products/idp.html
    >
    > Ralph
    >
    >

