Subject: Re: Symantec IDS Experts????????????????????
From: Gene R. Gomez (ggomez VERANCE.COM)
Date: Tue Oct 17 2000 - 16:29:43 CDT
- Next message: Elliot Turner: "Re: Symantec IDS Experts????????????????????"
- Previous message: Elliot Turner: "Re: Symantec IDS Experts????????????????????"
- Maybe in reply to: Dumb User: "Symantec IDS Experts????????????????????"
- Next in thread: Elliot Turner: "Re: Symantec IDS Experts????????????????????"
- Maybe reply: Gene R. Gomez: "Re: Symantec IDS Experts????????????????????"
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey Elliot,
I think that below you hit on a few things that are instrumental to
explaining the original point in question: why do people not use
open-source IDS?
I've been playing with snort myself for a short while; I've found
that it IS lacking in some of the advanced technical facilities
(portscan detection, IP defrag, etc), but that, at the same time,
such functionality is under development.
You did, however, retract your own statement:
"These differences stem far beyond simple configuration/maintenance
factors"
With the shortly-following statement:
"...these solutions do not offer commercial support, integration into
management infrastructures and so on."
Why do you need commercial support if you can configure and support
the beast yourself? It feeds back into the comment "...people buy
commercial products primarily due to the lack of expertise in
configuring and maintaining open source systems."
Additionally, when you talk about management infrastructures, you
really need to explain which ones you mean. I very easily set up
automatic attack signature updates (and an hourly check for them), as
well as email reporting and alert archiving on my snort system using a
shell script and cron.
While I wouldn't put snort up against the full-fledged commercial
IDSes out there now, I may do it in a year. All things being equal,
I would also take an open-source IDS as my system instead of a
commercial one ANY day; I know how to make open source systems work,
and saving money (while being technically proficient) will ALWAYS
make me look good to management.
It really depends on what you want. If you want commercial support,
and idiot-proof integration with other systems, go commercial. Many
of us can do without that, so hands-down, an open-source IDS is always
going to be better.
Of course, the above is just my opinion. Feel free to ignore me. ;)
- -Gene
- -----Original Message-----
From: Elliot Turner [mailto:eturner INTRUSION.COM]
Sent: Tuesday, October 17, 2000 2:06 PM
To: FOCUS-IDS SECURITYFOCUS.COM
Subject: Re: Symantec IDS Experts????????????????????
- -----Original Message-----
but then people buy commercial products primarily due to the lack of
expertise in configuring and maintaining open source systems.
<snip>
I think this statement is quite untrue. Anyone who has done extensive
research into IDS technology would be well aware of the differences
between commercial and open-source systems. These differences stem far
beyond simple configuration/maintenance factors.
While the current open-source NIDS/IDS solutions are interesting, they
are by no means industrial-grade offerings suitable for deployment in
an enterprise environment. They consistently lag behind their
commercial counterparts in regard to features and technology
implementation. In addition, these solutions do not offer commercial
support, integration into management infrastructures and so on.
Thx,
Elliot Turner
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
iQA/AwUBOezExiMV0otagQpeEQIGBACgnkpodicmPYT618wiKH5C0Q7RJmsAn3bG
ZOfon4tmLVFja4hxp+yuXVR5
=Iunf
-----END PGP SIGNATURE-----