RE: IDS ISS

PPowenski_at_oag.com
Date: 05/25/05

    Date: Wed, 25 May 2005 08:47:03 +0100
    To: <eslerj@gmail.com>, <THolman@toplayer.com>
    
    

    Wholeheartedly agree....
    Have had several years experience with ISS.
    Snort has been solid here for over two years, updates to the current
    release have been performed since 1.8.7 which have been smooth, reliable
    and very flexible. Upgraded from ACID to BASE and now setting up SGUIL
    again with no difficulties.
    Sourcefire is doing some very interesting and innovative work with snort
    as its detection engine.

    If you plan on pursuing ISS look very, very, carefully at the setup,
    restrictions i.e. what parts can be loaded onto a single box and what
    order they need to be installed and upgraded, architecture requirements,
    and how much work it will be to keep it running.

    Have set up Snort on every platform that it is distributed for, in every
    combination i.e. web, db, on the sensor or on another box and have not
    had any issues. You need to consider performance and the amount of
    traffic for various configurations.

    -----Original Message-----
    From: Joel Esler [mailto:eslerj@gmail.com]
    Sent: 20 May 2005 12:58
    To: THolman@toplayer.com
    Cc: anatole.berteau@turbomeca.fr; focus-ids@securityfocus.com
    Subject: Re: IDS ISS

    I concur. I would always go with Snort over ISS any day. I've tested
    and ran both at the same time on the same network, and Snort not only
    outperforms, but it would be much easier to look at the data and
    configure the IDS. (Or IPS.. Look into Snort-inline)

    Joel Esler

    On May 19, 2005, at 8:11 PM, THolman@toplayer.com wrote:

    > Hi Anatole,
    >
    > What was wrong with Snort?
    > There are plenty of implementations possible and it is highly tunable, plus
    > you get to see the signatures.
    > If it's performance you're worried about, consider running on a platform
    > such as SourceFire.
    > Is it purely a detection-based solution you're looking for, or do you have
    > the means to prevent intrusions inline already?
    >
    > Regards,
    >
    > Tim
    >
    > -----Original Message-----
    > From: Berteau Anatole [mailto:anatole.berteau@turbomeca.fr]
    > Sent: 17 May 2005 17:03
    > To: focus-ids@securityfocus.com
    > Subject: IDS ISS
    >
    >
    >
    > Hello,
    >
    > I'm testing IDS solution. After Snort, I'm beginning to work with ISS.
    >
    > What's the minimum architecture to use ISS? Is it possible to use only a
    > network sensor? If this solution is available, what's the solution to
    > consult alerts?
    >
    > Thanks
    >
    > Anatole
    >

    
