Re: Intrushield vs. ISS once more...

[Chris Mills <securinate () gmail com>]

We have intrushield deployed here, and I am disappointed. The ability
to create user-defined signatures is very poor. There is no way to
make a signature to look at all ports and protocols, so with a UDS,
you must specify a protocol for it to look at. There is no
command-line access to write signatures, so you must use their Java
GUI. There is no way to import sigs from other vendors, such as snort,
and the rule flexibilty is just not there. The built-in signatures is
a closed-set, so you do not know what IntruShield's signatures are
firing on. You also cannot filter out traffic. There are filters
available, but they only work on signature based detection. Anomaly
detection will still fire on the filtered traffic. I have yet to get
the logging capability to work. You can set it to log X packets, but
it won't display them when you view alerts.

Hope this helps,
Chris


On 18 Dec 2004 01:49:19 -0000, Jacob Winston <jctx09 () yahoo com> wrote:
> I have been evaluating Intrushield and ISS but am still unsure on which route to take. Does anyone have compelling 
> info on why Intrushield is better or vice-versa? Any help is appreciated.
>
> Thank you in advance.
>
> --------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks from
> CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> --------------------------------------------------------------------------

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from 
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
--------------------------------------------------------------------------