RE: 10gb

3Com, there is a clear winner in strategic maneuvering....so much for
tipping point.

Sourcefire leaves a lot of room for improvement in ruleset and traffic
identification. I thought the whole snort thing was the greatest until I
worked with ISS and some other vendors.

Not to mention that if you are an IDS analyst managing large diverse global
companies or agencies, or military...have fun with that fun web
interface.....(sure you send it all to a magic SIEM so who cares....right
that works REALLY well......)and I do admit, ISS can be slow pulling up
events once in a while but that sounds like a tuning problem on someone's
end.... I normally find I can drill down and deal with events much quicker
and have a higher "find rate" of unwanted activity with ISS. I do not want
to write rules in sourcefire that should already exist. There are such gaps
in detection of unwanted traffic, in fact, I sure would love someone to post
a side by side comparison of signatures detected. I am familiar with the
signatures from sourcefire and ISS and to ME, there is a HUGE Disparity in
what is identified. I deal with traffic from 40-60 countries daily and I
have used both products and I know which one finds a lot more (making me
book high numbers of CSIRT tickets and making me look like a rock star)

Although with Palo Alto and Checkpoint having a nice application detection
capability, who really needs an IDS/IPS anymore......Rock on Palo Alto....


Scott.

-----Original Message-----
From: Curt Purdy [mailto:infosysec@xxxxxxxxx]
Sent: Wednesday, July 21, 2010 2:32 PM
To: scott@xxxxxxxxxxxxxx
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: 10gb

Yes, Proventia & Realsecure have always been my favorite, though I have
looked longingly at Tipping Point (at least until they were acquired by 3com
then HP) of course even ISS is now pwned by IBM ;)

Proventia caught the serverRPC worm while it was still a 0-day (confirmed by
Symantec) when it had taken out 10 servers and would have taken out the
other 450 windoze servers before the day was out.
Though the 150 *NIX servers would have still been running fine of course, even
though the network would have been down with all the windoze servers
yakking...

But any IDS/IPS is going to have a lot of false-positives, which is why,
most of the time I feed it straight into a SIM for correlation and just
watch that dashboard.

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA infosysec@xxxxxxxxx
purdy@xxxxxxxxxx



On Tue, Jul 20, 2010 at 8:53 PM, <scott@xxxxxxxxxxxxxx> wrote:
sourcefire?


really?

in a production network.....ask them how their 9800 sensor works
inline....*snicker*


I was stuck using sourcefire for the last two clients. I so miss ISS.....

-----------------------------------------------------------------
Securing Your Online Data Transfer with SSL.
A guide to understanding SSL certificates, how they operate and their
application. By making use of an SSL certificate on your web server, you can
securely collect sensitive information online, and increase business by
giving your customers confidence that their transactions are safe.
http://www.dinclinx.com/Redirect.aspx?36;5001;25;1371;0;1;946;9a80e04e1a17f194