RE: IDS

shankarnarayan.d_at_netsol.co.in
Date: 05/26/04

    To: Endre.Szekely-Bencedi@hu-tcs.com, security-basics@securityfocus.com
    Date: Wed, 26 May 2004 09:55:54 +0530
    
    

    Hi,

    Snort definitely is a good IDS, but given that Snort is free, it is going to
    be difficult to get signatures as quickly and as easily as you would on a
    commercial IDS. Given Snort is free, it takes time before people detect and
    then write signatures for the attacks. Snort does give you the capability to
    add and modify signatures as you please - but this is also available in
    commercial signatures.
    Additionally, there are many types of IDS - what are you looking at? There
    is the adaptive/anomaly detection IDS which understands and gets a baseline
    of the activities that go on in your network and then flags anything that is
    unusual as an attack - of course this could lead to a lot of false alarms -
    but this is the new way that the industry is going to - how effectively you
    can fine tune this is dependent on your efficiency.
    The other side is the signature based IDS where the attacks are detected
    based on signatures only, and the third category is a combination of the two.

    So pick what you want based on what data you want to protect and your level
    of confidence - what is the level of criticality of the data, what type of
    users you have on the network - if they are more of the networking software
    development kind OR if they are the protocol stack writers, are they the
    extremely nosy bunch that regularly plays on the production network, do they
    frequently download off the web and try these tools on the network
    etc...

    IDSs are aplenty - but it is necessary to know what type of IDS you want to test
    before you jump into it - examples also include the Dragon IDS (there were
    eval copies available till sometime back - dunno if they are still there),
    there are the Cisco IDS, Black ICE, Real Secure, Net Prowler etc.

    So long...

    shankar

    -----Original Message-----
    From: Endre Szekely-Bencedi [mailto:Endre.Szekely-Bencedi@hu-tcs.com]
    Sent: Monday, May 24, 2004 3:47 PM
    To: security-basics@securityfocus.com
    Subject: IDS

    Hi List,

    I'd like to ask you to recommend some IDS I could test. Our company is
    about 100-120 PCs large at the
    moment, and that could increase to up to 400 in the near future. I am
    currently trying eTrust IDS v1.5 but it reports
    many false alarms; also it just reports half of the traffic as 'other
    protocols' so I really can't get much useful
    information from that.
    Is Snort's software any good? It is free, and that's just nice. I was
    thinking of trying it one of these days when I'll
    have a bit of spare time. Should I bother with the Windows version or
    should I just put it on a Unix machine?

    Any other tips, software that can do traffic logging/analysis/intrusion
    detection?

    Thanks.

    PS: Please, CC me the answers as I don't have much time to read mails
    usually so I might delete it along with
            the many other mailing list mails if I'm hurrying.

    Greetings,
    Endre Szekely-Bencedi
    _____________________________________
    Tata Consultancy Services
    H-1054 Budapest, Kalman Imre u. 1.
    Tel.: +36 1 4751214
    FAX: +36 1 475 1111
    Email: Endre.Szekely-Bencedi@hu-tcs.com
    _____________________________________

    "THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
    ADDRESSEE and may contain confidential and privileged information. If the
    reader of this message is not the intended recipient, you are notified
    that any dissemination, distribution or copy of this communication is
    strictly prohibited. If you have received this message by error, please
    notify us immediately, return the original mail to the sender and delete
    the message from your system."

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the
    skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------

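The reply above contrasts a signature-based IDS with an anomaly IDS that learns a baseline and then flags deviations, with false alarms depending on how it is tuned. The following is an added example, not code from either poster or from any IDS product, that shows the two styles side by side over constructed connection-log lines; the log format, the single hypothetical content rule, and the "mean + k*stddev" threshold are all assumptions made for the example.

```python
# Added example, not from the thread: a toy contrast of the two IDS styles the
# reply describes (signature matching vs. a learned baseline with a tuning knob),
# run over constructed connection-log lines. Log format and rule are made up.
import re
from collections import Counter
from statistics import mean, pstdev

# Constructed "training" traffic: hosts .1-.5 make 2..6 web requests each.
BASELINE_LOG = [f"10.0.0.{h} 10.0.0.100 80 GET /index.html"
                for h in range(1, 6) for _ in range(h + 1)]

# Constructed live traffic: same normal activity, one known-bad request from .7,
# and a burst of 20 SMB connections from .3 that matches no signature.
LIVE_LOG = (BASELINE_LOG
            + ["10.0.0.7 10.0.0.100 80 GET /cgi-bin/test-cgi"]
            + [f"10.0.0.3 10.0.0.{d} 445 SMB" for d in range(20, 40)])

# Signature IDS: one hypothetical content rule, in the spirit of a Snort rule.
SIGNATURES = {"WEB-CGI test-cgi access": re.compile(r"/cgi-bin/test-cgi")}

def signature_alerts(lines):
    """Alert only on lines that contain a known pattern; never on volume."""
    return [(name, line) for line in lines
            for name, rx in SIGNATURES.items() if rx.search(line)]

def build_baseline(lines):
    """Learn mean and std-dev of connections per source host from clean traffic."""
    counts = Counter(line.split()[0] for line in lines)
    return mean(counts.values()), pstdev(counts.values())

def anomaly_alerts(lines, baseline, k):
    """Flag sources whose connection count exceeds mean + k*stddev.
    k is the operator's tuning knob: low k catches more but raises false alarms."""
    mu, sigma = baseline
    counts = Counter(line.split()[0] for line in lines)
    return sorted(src for src, n in counts.items() if n > mu + k * sigma)

def false_alarms(flagged, truly_bad=("10.0.0.3",)):
    """Flagged sources that are not in the (constructed) ground truth."""
    return [src for src in flagged if src not in truly_bad]

if __name__ == "__main__":
    print("signature hits:", signature_alerts(LIVE_LOG))
    base = build_baseline(BASELINE_LOG)
    for k in (1, 2, 3):
        flagged = anomaly_alerts(LIVE_LOG, base, k)
        print(f"k={k}: flagged={flagged} false_alarms={false_alarms(flagged)}")
```

At k=1 the busiest normal host (.5) is reported alongside the real burst from .3, which is the false-alarm effect the reply warns about; raising k to 2 or 3 keeps the burst and drops the false alarm, while the signature engine is the only one that catches the single request from .7.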

