RE: IDS vs. IPS deployment feedback

Number of rules does not equal quality of IDS/IPS technology.

Or in other words, just because a IDS/IPS has a zillion rules doesn't
mean those rules are any good. Or that implementing or using that
technology is good.

Your 500 number is wrong. When you get into the leading commercial IPSs
(TippingPoint, ISS, Juniper, McAfee) these products on average have
2000-3000 signatures. However, in some technologies, one signature
handles an entire class of vulnerabilities. Where Snort needs multiple
signatures for the same vulnerability, ISS can protect against the
vulnerability with 1 signature. TP is the same. I don't know Juniper and
McAfee as well, but I suspect they are similar.

Snort also has a lot of unique signatures that people have designed for
highly specialized purposes. That is definitely a benefit to some
organizations. But, those signatures are only useful in those unique
situations. And all the commercial products support custom signatures -
so you can do the same thing for your TP or ISS box.

Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
such, SNORT is usually behind the curve on new signatures. ISS, for
example, does their own independent security research an has signatures
to protect against things that Snort people don't even know about. Other
vendors buy exploits from the hacker market - again giving them access
to vulnerabilities long before it hits the public and subsequently the
people who develop SNORT signatures.

The 90% thing you're coming up with is just false. You're assuming that
all those signatures represent a serious attack. And you're also
assuming that quantity of signatures is the measure of effectiveness.

A poorly maintained, tuned or implemented Snort sensor is just as
useless as a poorly maintained, tuned, or implemented ISS sensor.

Now, I realize I sound like a ISS or TippingPoint sales person. And yes,
I have a vested interest in such products because my company sells them.
But, I also know that I've seen more than a few organizations throw away
Snort-based protections because the administration and management of
them was too resource intensive. And merely having 5000 signatures
available does not translate to effective security.

-----------------------------------------------
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security

-----------------------------------------------




-----Original Message-----
From: Basgen, Brian [mailto:bbasgen@xxxxxxxx]
Sent: Thursday, April 06, 2006 10:44 AM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: RE: IDS vs. IPS deployment feedback


I'm new to the list, but this flame war is a bit odd. This is an IDS
list, yet the usefulness of IDS is being dismissed?

This debate could generate some interesting data. In snort, for
example, there are around 5,759 rules (3/31/2006, non-subscription rule
base). I don't have the metrics on hand of how many rules commercial
IPS's deploy on by default (and how many total can be turned on), but
I'd guess it is around 500. I'd be interested to know those numbers, if
someone has them. A vendor comparison of rules could also be
interesting.

What I draw from this ratio is that some 90% of attacks can get through
an IPS solution. That doesn't invalidate the IPS anymore than the IPS
invalidates a firewall, but it does indicate to me that IDS plays an
essential role.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
_________________________________________________
NOTICE:
This email may contain confidential information,
and is for the sole use of the intended recipient.
If you are not the intended recipient, please reply
to the message and inform the sender of the error
and delete the email and any attachments from
your computer.
_________________________________________________


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Relevant Pages

  • RE: How to choose an IDS/FW MSS provider
    ... but since ISS signatures are not purely "match this ... ISS MSS from our experience as an ISS reseller has been positive. ... >I guess you must be special to ISS, from my experience the support has been ... My impression about Cisco IDS for example is that they just do follow ...
    (Focus-IDS)
  • Re: IDS vs. IPS deployment feedback
    ... I personally do not care what people use to detect, even though I have been able to get snort to match performance of commercial products. ... The people we should be concerned with will not show up in an IDS however. ... signatures for the same vulnerability, ISS can protect against the ...
    (Focus-IDS)
  • RE: IDS vs. IPS deployment feedback
    ... Juniper, CISCO, McAfee have open or semi-open signatures. ... Also, AFAIK, in ISS you can use Snort syntax or similar to create your ... why Snort is called lightweight IDS on SNORT.ORG page? ...
    (Focus-IDS)
  • Re: IDS vs. IPS deployment feedback
    ... It is not accurate to state that the IPS ... Those two IPS technologies are NFR and Snort. ... signatures for the same vulnerability, ... Snort rules are developed by volunteers (or Sourcefire). ...
    (Focus-IDS)
  • RE: IDS vs. IPS deployment feedback
    ... claiming that ISS uses 1. ... asked for an example in which Snort used more signatures to provide ... agree that they handle exactly what the Snort rules are doing. ... You state that Snort uses 300 rules to cover one vulnerability while ...
    (Focus-IDS)
Quantcast