Re: Intrushield vs. ISS once more...

From: Chris Brown (chris_at_get-tuf.com)
Date: 01/04/05

  • Next message: Ron Gula: "RE: IDS event filtering (NeVO comments)"
    Date: Tue, 4 Jan 2005 13:54:36 -0000 (GMT)
    To: focus-ids@securityfocus.com
    
    

    I have been trialling Intrushield and it logs and displays packet info
    just fine. Have you installed Ethereal and pointed Intrushield to its
    location? Also, Intrushield tells you what sig it has fired on in the
    alert viewer...

    Regards

    Tuffer

    "I could soar like an Eagle but weasels don't get sucked into jet engines"

    We have intrushield deployed here, and I am disappointed. The ability
    to create user-defined signatures is very poor. There is no way to
    make a signature to look at all ports and protocols, so with a UDS,
    you must specify a protocol for it to look at. There is no
    command-line access to write signatures, so you must use their Java
    GUI. There is no way to import sigs from other vendors, such as snort,
    and the rule flexibility is just not there. The built-in signatures are
    a closed set, so you do not know what IntruShield's signatures are
    firing on. You also cannot filter out traffic. There are filters
    available, but they only work on signature-based detection. Anomaly
    detection will still fire on the filtered traffic. I have yet to get
    the logging capability to work. You can set it to log X packets, but
    it won't display them when you view alerts.

    Hope this helps,
    Chris

    On 18 Dec 2004 01:49:19 -0000, Jacob Winston <jctx09_at_yahoo.com> wrote:
    >
    >
    > I have been evaluating Intrushield and ISS but am still unsure on which
    > route to take. Does anyone have compelling info on why Intrushield is
    > better or vice-versa? Any help is appreciated.
    >
    > Thank you in advance.


