User defined signatures

From: Gary Flynn (flynngn_at_jmu.edu)
Date: 01/06/05

    Date: Thu, 06 Jan 2005 08:42:59 -0500
    To: focus-ids@securityfocus.com

    > We have intrushield deployed here, and I am disappointed. The ability
    > to create user-defined signatures is very poor. There is no way to
    > make a signature to look at all ports and protocols, so with a UDS,
    > you must specify a protocol for it to look at. There is no
    > command-line access to write signatures, so you must use their Java
    > GUI. There is no way to import sigs from other vendors, such as snort,
    > and the rule flexibility is just not there. The built-in signatures are
    > a closed set, so you do not know what IntruShield's signatures are
    > firing on. You also cannot filter out traffic. There are filters
    > available, but they only work on signature based detection. Anomaly
    > detection will still fire on the filtered traffic. I have yet to get
    > the logging capability to work. You can set it to log X packets, but
    > it won't display them when you view alerts.

    I was impressed with the Juniper/Netscreen/Onesecure
    IDP and its strength in user defined signatures and
    the visibility of the vendor provided ones. It also
    has:

    - excellent packet capture and analysis capabilities
     (configurable pre and post event capture per
      signature, highlighting of trigger packet, and
      ability to use built-in and/or external
      packet viewer)

    - a wealth of actions to choose when signatures match
      (log, packet capture, email, syslog, snmptrap,
       script execution, timed firewall entries on src
       or dest address, port, and/or netblock)

    - good exception capabilities (active for both
      signatures and protocol anomalies)

    - very flexible and easy to use reporting and user
      interface capabilities

    I think it's safe to say that all the products are
    maturing rapidly, have unique strengths and weaknesses,
    and will leapfrog each other over time. If you're
    interested in flexibility, insight into your network
    traffic, understanding of how vendor signatures are
    working, and the ability to rapidly produce your
    own signatures, give the product a test drive.

    Gary Flynn
    Security Engineer
    James Madison University
