IDS mailing list archives
Re: NetScreen IDS (X-post)
From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Tue, 28 Jan 2003 11:23:57 -0500 (EST)

Doh! Time for a big apology here; I just got a friendly reminder from someone that I wasn't talking about the netscreen IDS, but an entirely different product. We were evaling/meeting with a number of different vendors at the time and I got my wires crossed as to what I was responding to.

Please disregard my previous comments. I have never seen the netscreen IDS product, and can't make any kind of judgement on it, my opinion below was for a different IDS that will remain unnamed at this point since that's not what this thread is about. In fact, people familiar with the Netscreen ids may very well have been confused about what I was talking about, as I doubt the particular issues below are necessarily relevant to netscreen.

Again, I'm very sorry for the mistake, hope no harm was done.

--
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 27 Jan 2003, Jordan K Wiens wrote:

We demo'ed it, and found the interface to be excellent, the features great and the actual detection ability abysmal. It does integrate fairly well with other IDS, and has a number of very nice features such as flow analysis and mild work tracking. On our couple of /16s it generated so many hundreds of identical events due to its use of 'anomaly detection' that it was functionally useless. On a highly controlled or very small network it might be useful, on a large network, it was fairly ineffective.

Oh yeah; they claim to have the ability to correlate different attacks intelligently. On our network the correlation was worse than no correlation whatsoever. Different attacks were often lumped together, and (what I consider) obvious attacks were not correlated.

If recent versions (last I saw it was about 6 months ago) have added a more robust signature base (the engine wasn't capable of incorporating too many signatures at first; they were heavily pushing their AD), and were able to make their correlation more effective, it would be an excellent product.