RE: IDS vs. IPS deployment feedback



Juniper, Cisco, McAfee have open or semi-open signatures. And if you
have a big problem with a signature, I think that if you call the tech
support of the other two big players (ISS and TippingPoint) they will
help you out with some confidential information about a specific
signature.

Also, AFAIK, in ISS you can use Snort syntax or similar to create your
own signatures (I guess they call it TRONS ;) ) Free to recreate all the
Snort sigs.

BTW, why is Snort called a lightweight IDS on the SNORT.ORG page?

Thanks,
Mike


-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@xxxxxxxxx]
Sent: April 10, 2006 4:31 PM
To: Andrew Plato
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: IDS vs. IPS deployment feedback


On 4/10/06, Andrew Plato <andrew.plato@xxxxxxxxxxx> wrote:
> Yes...SOURCEFIRE customers get those signatures early. They get handed
> out to the Snort world well after the fact. SourceFire is a commercial
> company and you must PAY to get their product.
>
> In other words - Sourcefire is no different than TP, ISS or any other
> commercial vendor in this regard. As such, we're all just selling what
> we know.

Andrew,

You call five days "well after the fact"? Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire. Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner? Cisco? Other?

One of the ways to build trust in a product is to see how it works. I
trust Snort more than similar products because I can understand its
decision-making process.

Richard
