RE: Current IDS problems
From: Thompson, Jimi (JimiT_at_mail.cox.smu.edu)
Date: 10/26/05
- Previous message: Valter Santos: "Proventia G400"
- Maybe in reply to: zero: "Current IDS problems"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 26 Oct 2005 16:37:13 -0500
To: <focus-ids@securityfocus.com>
We're actually working on an IPS here. It's home grown, so it's a bit of a
mess, but we've taken SNORT and the Bleeding SNORT rule set, refined it
with a lot of custom written rules and a very custom config. We use
that as a basis for the IPS. Based on the alerts, we have custom
scripts that temporarily add rules to the FW and ACLs to the core
router. So far, we've had some false positives, but overall it works
well. It's also written in Perl.
GUI interface - HAH!
Error Messages - ROFL!
Functionality - two thumbs up!
Flexibility - About like this -
http://www.zenyoga.org/yoga_poses_images/contorted.jpg
Thanks,
Ms. Jimi Thompson
Manager of Web Operations
SMU Cox School of Business
If computers get too powerful, we can organize them into a committee --
that will do them in. -- Bradley's Bromide
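A sketch of the alert-to-block step described above, added here as an example; it is not part of the original post or of the SMU scripts (which are in Perl). It reads Snort fast-format alert lines, applies a per-source threshold, a priority cut-off and an allowlist as simple false-positive guards, and emits time-limited iptables commands as strings instead of executing them. The alert lines, the local-range rule SIDs and the year 2005 stamped onto the year-less timestamps are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Snort "fast" alert format; these are constructed sample lines whose SIDs sit
# in the local 1000000+ range, not real rule IDs.
SAMPLE_ALERTS = [
    "10/26-16:30:01.000001  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 192.0.2.10:40001 -> 198.51.100.5:22",
    "10/26-16:30:07.000002  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 192.0.2.10:40002 -> 198.51.100.5:22",
    "10/26-16:30:09.000003  [**] [1:1000002:1] LOCAL web scanner UA [**] [Priority: 3] {TCP} 203.0.113.7:5555 -> 198.51.100.8:80",
    "10/26-16:30:12.000004  [**] [1:1000001:1] LOCAL SSH brute force [**] [Priority: 2] {TCP} 192.0.2.10:40003 -> 198.51.100.5:22",
]
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ +\[\*\*\] \[\d+:\d+:\d+\] .*?\[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{\w+\} (?P<src>[\d.]+)(?::\d+)? -> [\d.]+(?::\d+)?$")


class TempBlocker:
    def __init__(self, threshold=3, window=timedelta(minutes=5),
                 block_for=timedelta(minutes=30), max_priority=2, allowlist=()):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.max_priority = max_priority
        self.allowlist = set(allowlist)  # own scanners/monitors: never block these
        self.hits = defaultdict(deque)   # src -> timestamps of recent alerts
        self.blocked = {}                # src -> time the block expires

    def ingest(self, line):
        """Return the firewall command this alert triggers, or None."""
        m = ALERT_RE.match(line)
        if not m:
            return None
        src, prio = m["src"], int(m["prio"])
        # Fast format carries no year; 2005 is assumed for the sample data.
        ts = datetime.strptime(m["ts"], "%m/%d-%H:%M:%S").replace(year=2005)
        # False-positive guards: low-priority rules, allowlisted sources, already blocked.
        if prio > self.max_priority or src in self.allowlist or src in self.blocked:
            return None
        q = self.hits[src]
        q.append(ts)
        while ts - q[0] > self.window:  # drop alerts that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return None
        self.blocked[src] = ts + self.block_for
        return f"iptables -I INPUT -s {src} -j DROP"

    def expire(self, now):
        # Lift every block whose time is up and return the commands that undo it.
        done = [s for s, until in self.blocked.items() if until <= now]
        for s in done:
            del self.blocked[s]
        return [f"iptables -D INPUT -s {s} -j DROP" for s in done]
```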
-----Original Message-----
From: Terry Vernon [mailto:tvernon24@comcast.net]
Sent: Saturday, October 22, 2005 4:13 AM
To: crazy frog crazy frog
Cc: zero; focus-ids@securityfocus.com
Subject: Re: Current IDS problems
False positives are one, the algorithms used to scan traffic are another,
inflexibility is another big one.
Most of these problems are easily solved except for when you make a
commercial product you have to "dumb it down" so the end users can
handle it. I'm designing an IPS for a large customer whom we all know
and you would figure these people should know it all. I have to put
miles of if statements in the code with accompanying error messages to
describe why you can't do this or that. When we can open up the throttle
and not worry about the end user we can have some awesome stuff on the
market. Take "vi" the text editor for example. To a newb it's terrible
but to someone who's used to it it's a necessity. Most of the truly
useful features in these products wind up on the cutting room floor
because the decision makers don't want to do it for money or time
constraints. To tell you the truth your better stuff is coming from
smaller companies and not Symantec, Cisco, etc... Anyone who begs to
differ works for one of the said companies. The executives keep tight
leashes on the development departments.
Terry Vernon
CTO/Senior Developer
Sprite Technologies
crazy frog crazy frog wrote:
>false positives, although we need to fine tune it to reduce this stuff.
>
>On 10/19/05, zero <zeroboy@arrakis.es> wrote:
>
>
>>Hi all,
>> I would like to know what are the problems people working with IDS see in
>> them. I mean, what are the things you hate about IDS, think simply you feel
>> are plain wrong or that they should be another way to it.
>>
>> All comments are greatly appreciated :)
>>
>> Thxs in advance.
>>