From: Lists Smith (listspaladinss.com)
Date: Tue Dec 04 2001 - 10:49:35 CST


    Had to jump in on this debate between ISS and Snort.

    Remote management of Snort - I have complete management of Snort (and I
    mean COMPLETE management of Snort) via SSH.

    I happen to run Snort and Demarc, which gives me much more granularity
    of what I can do with logging, event generation, etc. than can possibly
    be done with RealSecure (of which I am also very familiar).

    Also Snort and ACID on Win2K is a fantastic solution (if you like
    Windows). The documentation is excellent, and full remote control is
    accomplished with Terminal Services.

    My question (not to Abe, but to others):

    How did that high dollar service level agreement feel when you waited at
    least a week for ISS to release a signature and rule for Nimda?

    I had my Snort sensors alerting (and terminating) Nimda connections
    within 30 minutes of reading about the outbreak on the east coast. I
    was exactly ten minutes behind the worm on the west coast.

    Ben

    -----Original Message-----
    From: Abe L. Getchell [mailto:abegetchellhome.com]
    Sent: Monday, December 03, 2001 1:59 PM
    To: 'Dr SuSE'; aplatoanitian.com
    Cc: focus-idssecurityfocus.com
    Subject: RE: IDS recommendations

    Greetings!

    The only drawback I see to using Snort in the enterprise is the lack of
    remote management and log collection tools. One usually has to sit down
    and produce these utilities themselves to get the perfect match for
    their environment. Snort is a relatively raw tool and that usually adds
    to the time it takes the system to get into production. However, once
    it's there, you not only have a system that runs very smoothly but one
    where the engineers responsible for building it know it inside and out;
    it's not just a point-and-click IDS where you don't know exactly how it
    works under the hood.

    That being said, we use Snort in our enterprise. =)

    Thanks,
    Abe

    --
    Abe L. Getchell
    Security Engineer
    abegetchellhome.com
    

    > -----Original Message-----
    > From: Dr SuSE [mailto:drsuselizard.drsuse.org]
    > Sent: Monday, December 03, 2001 1:50 AM
    > To: aplatoanitian.com; focus-idssecurityfocus.com
    > Subject: RE: IDS recommendations
    >
    > Could you elaborate a bit further and explain what Snort's
    > shortcomings in the enterprise are? I'm currently running a fourteen
    > sensor distributed Snort IDS system on my WAN and I'd like to know
    > what issues I should be on the look out for before I bring six more
    > sensors online this month.
    >
    > Let's face the facts and understand that most people are ignorant and
    > haven't bothered to learn how to use anything other than Windows.
    >
    > Are there any other Snort users in Houston or am I the only one? Drop
    > me a line and let me know.
    >
    > What's the word? Thunderbird.
    > How's it sold? Good and cold.
    > What's the jive? Bird's alive.
    > What's the price? Thirty twice.
    >
    > > I can appreciate your comments on the ISS product. I was simply
    > > stating that I like them and have used it widely with some very
    > > decent results. I am sure that your comment is also true regarding
    > > the use of Snort. Let's face the facts though and understand that
    > > Windows is still well rooted in many IT environments. Snort is not
    > > available on that platform, at least not to my knowledge, and Snort
    > > has had a few downfalls when it comes to any Enterprise wide NID
    > > implementation.
    > >
    > > You may want to read all of my email with a more open mind before
    > > you suggest slapping anyone. I mentioned several other items. Why
    > > not slam on Cisco because they are the market leader. Simply put we
    > > have had better response from ISS than any other non open source
    > > based IDS tools. Not many fortune 500 companies that I am aware of
    > > are an all Linux or UX based shop. Until then you might want to be
    > > a little more open minded and not hold your breath :-) Just my
    > > opinion.
    > >
    > > Thanks,
    > > Nate
    > >
    > > -----Original Message-----
    > > From: Dr SuSE [mailto:drsuselizard.drsuse.org]
    > > Sent: Friday, November 30, 2001 4:47 PM
    > > To: Nate.DuzenberryWellsFargo.COM; aplatoanitian.com;
    > > focus-idssecurityfocus.com
    > > Subject: RE: IDS recommendations
    > >
    > > Not long ago, Enron was the market leader in their business sector
    > > also. Just because you're the market leader in something doesn't
    > > mean you're the best. I heard Enron was ISS' biggest customer so
    > > perhaps after Enron falls ISS will no longer be the market leader.
    > > I'm sure there are more Snort machines out there than there are ISS
    > > boxes anyway.
    > >
    > > We have replaced our Dragon sensors with Snort and our parent
    > > company is talking about replacing ISS with Snort. Soon there will
    > > be a few less ISS servers in the world.
    > >
    > > If someone ever tried to sell me a product and all they could tell
    > > me was that they are the market leader I would slap em with a hot
    > > mop and show them the door.
    > >
    > > > I love the ISS products. They typically provide excellent service
    > > > and provide a lot of bang for your buck. They are also the market
    > > > leader in IDS currently. Cisco follows with a close second in my
    > > > book. Between Cisco Secure ACS and IDS-(NetRanger) they provide a
    > > > lot of options but are pricey for the smaller shops. I don't
    > > > really care a lot for the Cisco/Entercept Host sensor. May be in
    > > > your interest to mix and match dependent on what you want. It is
    > > > hard to beat ISS if you're working in a checkpoint firewall
    > > > environment though. The integration between the two is just too
    > > > simple, easy, and almost flawless.
    > > >
    > > > If you like Linux you may also want to give Snort a whirl from
    > > > http://www.snort.org.
    > > >
    > > > Thanks,
    > > > Nate Duzenberry
    > > > Information Security Services
    > > > Wells Fargo Services Company
    > > > +mailto:nate.duzenberrymortgage.wellsfargo.com
    > > >
    > > > -----Original Message-----
    > > > From: Andrew Plato [mailto:aplatoanitian.com]
    > > > Sent: Thursday, November 29, 2001 11:53 AM
    > > > To: focus-idssecurityfocus.com
    > > > Subject: Re: IDS recommendations
    > > >
    > > > In-Reply-To:
    > > > <7A4CE3D57DB82F4AAFA8BC95FCCF367303CE6Dchi-mail2.win.xcaliber.com>
    > > >
    > > > > I'm currently researching NIDS and HIDS from a multitude of
    > > > > vendors. I've read 2 articles from NetworkWorldFusion and
    > > > > Network Computing and it appears that they rank Cisco, ISS, and
    > > > > Dragon as their top 3. Any practical experiences with these 3
    > > > > would be greatly appreciated (need to cut thru the vendor
    > > > > doubletalk).
    > > >
    > > > I've installed tons of IDSs at companies. Based on my
    > > > experience...
    > > >
    > > > ISS RealSecure is very good, but somewhat complex to install and
    > > > get running. It's also not cheap. Don't even bother with the
    > > > Server Sensor. Incidentally, most of RealSecure will become
    > > > BlackICE in the next few months. ISS is merging the two
    > > > technologies. It is very customizable, which is cool.
    > > >
    > > > Snort is probably one of the best for overall signature base and
    > > > performance, but it requires a lot of management and maintenance.
    > > > If you have a lot of Linux in your shop, Snort's the way to go.
    > > > It's also FREE! Which is a big plus. If somebody sits down and
    > > > codes a friendly UI for Snort and a management console, and wraps
    > > > it all up in an easily installable package - Snort would kick
    > > > everybody's ass. (Yes, I wish I could do it - don't have the
    > > > time.)
    > > >
    > > > BlackICE Sentry and Agent are probably the easiest to install and
    > > > use. However, I wrote all the original tech docs on these
    > > > products so I have a strong bias for them. BI's signature base is
    > > > smaller but with the addition of the ISS RealSecure signature
    > > > base, that will improve. BI also is extremely good in terms of
    > > > performance and catching "day zero" exploits. Because BI is a
    > > > protocol analyzer mated to an IDS, it can spot some hacks before
    > > > they even have a name. BI is ideal for Windows boxes, although
    > > > Linux and Solaris agents are available. Generally, BI is a good
    > > > solution if ease of use is important. Also, the 3.0 version is a
    > > > lot more customizable - but make sure you get the BI Advanced
    > > > Admin Guide before you try anything.
    > > >
    > > > Intrusion.com - Lame. Way more marketing fluff than performance.
    > > > This thing misses more intrusions than it will ever detect. A
    > > > client of ours had one of their appliances and returned it when a
    > > > Snort IDS that some tech support guy installed caught about 10
    > > > times more issues than the intrusion.com IDS did.
    > > >
    > > > Cisco IDS: Very powerful, lots of signatures but drops packets
    > > > when the network loads up. It also costs a frickin' fortune.
    > > >
    > > > Axent: Waste of time.
    > > >
    > > > Network Flight Recorder: Waste of time.
    > > >
    > > > Enterasys Dragon: I don't have enough experience with this tool
    > > > to make a judgement. But, from what I have read it is quite good.
    > > > We just started playing with this in our office. So far, our
    > > > techs like it.
    > > >
    > > > These are of course opinions. Good luck.
    > > >
    > > > Andrew Plato
    > > > President / Principal Consultant
    > > > Anitian Corporation
    > > > www.anitian.com
    > > >
    > > > "Flush twice....it's a long way to Afghanistan"
    > >
    > > ---------------------------------------------
    > > Microsoft is not installed.
    > > http://www.drsuse.org/
    >
    > What's the word? Thunderbird.
    > How's it sold? Good and cold.
    > What's the jive? Bird's alive.
    > What's the price? Thirty twice.
    >
    > ---------------------------------------------
    > Microsoft is not installed.
    > http://www.drsuse.org/