Re: Intrusion Detection

From: Alexander Delarge (alex_at_nowhere.com)
Date: 07/09/03


Date: Wed, 09 Jul 2003 16:39:29 GMT


"News" <noemail@email.net> wrote in message
news:wiAOa.22000$pK2.33657@news.indigo.ie...
> Anyone used either Security Metrics or RealSecure by ISS? If so I'd love to
> hear your opinions regarding ease of use, effectiveness, false positives...

I use RealSecure at our work. I have the desktop product, server sensor, and
a network sensor. Personally, I love RS. It's arguably one of the best IDS
engines on the market. Extremely accurate and capable. However, the learning
curve on RS is rather steep. The documentation is awful (full of errors and
omissions). So if you go with RS, plan to spend some ramp-up time or hire a
consultant.

That much said, I have been able to do some really great things with RS. For
example, we use RS Desktop and I've tweaked it to prevent users from
accessing web sites and logging their chat usage. Although it wasn't
designed for that, when you get under the covers of RS, there are a lot of
excellent features.

The other IDS I would look at is Sourcefire. It's the commercialization of
Snort. I demo'ed it a while back. Good system. A bit limited in its reach,
but very accurate.

I've never used Security Metrics. I did look at ManHunt (crap), NFR (crap),
and Cisco IDS (complete POS) and was unimpressed with all of them. ManHunt
looks great, but the IDS engine sucks ass.

Alex