RE: IDS vs. IPS deployment feedback



Juniper, CISCO, McAfee have open or semi-open signatures. And if you
have a big problem with a signature I think that if you call the tec
support of the other two big players (ISS and TippingPoint) they will
help you out with some confidential information about a specific
signature.

Also, AFAIK, in ISS you can use Snort syntax or similar to create your
own signatures (I guess they call it TRONS ;) ) Free to recreate all the
Snort sigs.

BTW, why Snort is called lightweight IDS on SNORT.ORG page?

Thanks,
Mike


-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity@xxxxxxxxx]
Sent: April 10, 2006 4:31 PM
To: Andrew Plato
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: IDS vs. IPS deployment feedback


On 4/10/06, Andrew Plato <andrew.plato@xxxxxxxxxxx> wrote:
Yes...SOURCEFIRE customers get those signatures early. They get handed

out to the Snort world well after the fact. SourceFire is a commercial

company and you must PAY to get their product.

In other words - Sourcefire is no different than TP, ISS or any other
commercial vendor in this regard. As such, we're all just selling what

we know.

Andrew,

You call five days "well after the fact"? Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire. Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner? Cisco? Other?

One of the ways to build trust in a product is to see how it works. I
trust Snort more than similar products because I can understand its
decision-making process.

Richard

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------