Re: Intrusion Detection

From: Alexander Delarge (alex_at_nowhere.com)
Date: 07/09/03


Date: Wed, 09 Jul 2003 16:39:29 GMT


"News" <noemail@email.net> wrote in message
news:wiAOa.22000$pK2.33657@news.indigo.ie...
> Anyone used either Security Metrics or RealSecure by ISS? If so I'd love to
> hear your opinions regarding ease of use, effectiveness, false positives...

I use RealSecure at our work. I have the desktop product, server sensor, and
a network sensor. Personally, I love RS. It's arguably one of the best IDS
engines on the market. Extremely accurate and capable. However, the learning
curve on RS is rather steep. The documentation is awful (full of errors and
omissions). So if you go with RS, plan to spend some ramp-up time or hire a
consultant.

That much said, I have been able to do some really great things with RS. For
example, we use RS Desktop and I've tweaked it to prevent users from
accessing web sites and logging their chat usage. Although it wasn't
designed for that, when you get under the covers of RS, there are a lot of
excellent features.

The other IDS I would look at is Sourcefire. It's the commercialization of
Snort. I demo'ed it a while back. Good system. A bit limited in its reach,
but very accurate.

I've never used Security Metrics. I did look at ManHunt (crap), NFR (crap),
and Cisco IDS (complete POS) and was unimpressed with all of them. ManHunt
looks great, but the IDS engine sucks ass.

Alex


