Subject: Re: Symantec IDS Experts????????????????????
From: Mark Teicher (mark.teicher NETWORKICE.COM)
Date: Tue Oct 17 2000 - 21:59:51 CDT
Snort has some advantages over the commercial players out there, but it
still requires a person with some knowledge of TCP/IP beyond knowing the
difference between what is TCP versus UDP. Snort is a minute to use but a
lifetime to master, unless one enrolls in the Intro to Snort and Advanced
Snort currently being offered by the SANS Institute.
At 02:29 PM 10/17/00 -0700, Gene R. Gomez wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>Hey Elliot,
>I think that below you hit on a few things that are instrumental to
>explaining the original point in question: why do people not use
>open-source IDS?
>I've been playing with snort myself for a short while; I've found
>that it IS lacking in some of the advanced technical facilities
>(portscan detection, IP defrag, etc), but that, at the same time,
>such functionality is under development.
>You did, however, retract your own statement:
>"These differences stem far beyond simple configuration/maintenance
>factors"
>With the shortly-following statement:
>"...these solutions do not offer commercial support, integration into
>management infrastructures and so on."
>Why do you need commercial support if you can configure and support
>the beast yourself? It feeds back into the comment "...people buy
>commercial products primarily due to the lack of expertise in
>configuring and maintaining open source systems."
>Additionally, when you talk about management infrastructures, you
>really need to explain which ones you mean. I very easily set up
>automatic attack signature updates (and an hourly check for them), as
>well as email reporting and alert archiving on my snort system using a
>shell script and cron.
>While I wouldn't put snort up against the full-fledged commercial
>IDSes out there now, I may do it in a year. All things being equal,
>I would also take an open-source IDS as my system instead of a
>commercial one ANY day; I know how to make open source systems work,
>and saving money (while being technically proficient) will ALWAYS
>make me look good to management.
>It really depends on what you want. If you want commercial support,
>and idiot-proof integration with other systems, go commercial. Many
>of us can do without that, so hands-down, an open-source IDS is always
>going to be better.
>Of course, the above is just my opinion. Feel free to ignore me. ;)
>
>- -Gene
>
>- -----Original Message-----
>From: Elliot Turner [mailto:eturner INTRUSION.COM]
>Sent: Tuesday, October 17, 2000 2:06 PM
>To: FOCUS-IDS SECURITYFOCUS.COM
>Subject: Re: Symantec IDS Experts????????????????????
>
>
>- -----Original Message-----
>but then people buy commercial products primarily due to the lack of
>expertise in configuring and maintaining open source systems.
><snip>
>
>I think this statement is quite untrue. Anyone who has done extensive
>research into IDS technology would be well aware of the differences
>between commercial and open-source systems. These differences stem far
>beyond simple configuration/maintenance factors.
>
>While the current open-source NIDS/IDS solutions are interesting, they
>are by no means industrial-grade offerings suitable for deployment in
>an enterprise environment. They consistently lag behind their
>commercial counterparts in regard to features and technology
>implementation. In addition, these solutions do not offer commercial
>support, integration into management infrastructures and so on.
>Thx,
>
>Elliot Turner
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
>
>iQA/AwUBOezExiMV0otagQpeEQIGBACgnkpodicmPYT618wiKH5C0Q7RJmsAn3bG
>ZOfon4tmLVFja4hxp+yuXVR5
>=Iunf
>-----END PGP SIGNATURE-----