Re: Dragon IDS suffering

From: Alexander Delarge (alex@nowhere.com)
Date: 04/21/02


From: "Alexander Delarge" <alex@nowhere.com>
Date: Sun, 21 Apr 2002 08:13:28 GMT

Yes, I have heard of Recourse. We demo'ed their product a while back. It
seemed pretty good. It was extremely expensive.

I questioned their "anomaly" based engine. They say it's a true protocol
analysis engine, but it seems to be more like SNORT or Intrusion.com where
they just use pre-processors to reassemble packets and maintain state. For
example, ManHunt couldn't decode anything in SSL tunnels, whereas with the
host-based versions of RealSecure I have had no problem decoding and
locating some bad hex codes I dropped into some nasty URLs. When I asked the
sales rep about this - he was clueless.

As for Honeypots, I agree with you. They're an interesting research tool and
in some high-security environments they have limited value. But for most
businesses (such as my company, we're about 250 people) it's really a waste
of time.

Alex

"Tony Davis" <tdnospam@yahoo.com> wrote in message
news:ZNXb.I0avwOjv4OJWSx1jKBUh1Gaa.aaaa.abab.ab@zeonews.com...
> Alexander,
> Have you heard of Recourse? Recourse is claiming their IDS is now anomaly
> based detection. Based on what you said, it sounds like RealSecure with
> BlackICE IDS has that too.
> Recourse also sells a honeypot. How many companies are really interested
> in running honeypots? I can understand that researchers and security experts
> with a lot of time on their hands would want to try to attract hackers to
> their network and try to discover their techniques. But do companies really
> have the time and resources to make their network look MORE vulnerable than
> they already are? We have enough serious issues to deal with in locking down
> the real network, much less trying to set up a fake vulnerable network.
> As someone responsible for security, last thing I want to do is encourage
> hackers to attack what appears to be open and vulnerable systems on my
> network. I just want to shut down all my holes and have the intruder go
> elsewhere. Am I missing something in Recourse and what the value is that
> they are selling?
> If I did want to set up a honeypot, can't I just set up a Linux box with
> monitoring and misconfigure it to get the same thing as Recourse?
>
>
> In <<uzbu8.222427$Yv2.68230@rwcrnsc54>>, "Alexander Delarge" <alex@nowhere.com> wrote:
> >


