IDS mailing list archives

RE: IDS vs. IPS deployment feedback

From: "Cojocea, Mike (IST)" <Mike.Cojocea () watsonwyatt com>
Date: Wed, 12 Apr 2006 14:14:53 -0400

Juniper, CISCO, McAfee have open or semi-open signatures. And if you
have a big problem with a signature I think that if you call the tec
support of the other two big players (ISS and TippingPoint) they will
help you out with some confidential information about a specific
signature. 

Also, AFAIK, in ISS you can use Snort syntax or similar to create your
own signatures (I guess they call it TRONS ;) ) Free to recreate all the
Snort sigs. 

BTW, why Snort is called lightweight IDS on SNORT.ORG page? 

Thanks,
Mike 


-----Original Message-----
From: Richard Bejtlich [mailto:taosecurity () gmail com] 
Sent: April 10, 2006 4:31 PM
To: Andrew Plato
Cc: focus-ids () securityfocus com
Subject: Re: IDS vs. IPS deployment feedback


On 4/10/06, Andrew Plato <andrew.plato () anitian com> wrote:

Yes...SOURCEFIRE customers get those signatures early. They get handed

out to the Snort world well after the fact. SourceFire is a commercial

company and you must PAY to get their product.

In other words - Sourcefire is no different than TP, ISS or any other 
commercial vendor in this regard. As such, we're all just selling what

we know.


Andrew,

You call five days "well after the fact"?  Snort rules are free for
registered users, by the way.

Here's another difference between ISS and Snort -- I can read Snort
rules, even those developed by Sourcefire.  Can you point me to the
place where I can download and review ISS rules, even assuming I am a
registered owner?  Cisco?  Other?

One of the ways to build trust in a product is to see how it works.  I
trust Snort more than similar products because I can understand its
decision-making process.

Richard

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708

to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

Current thread:

RE: IDS vs. IPS deployment feedback, (continued)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 10)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 10)
  - Re: IDS vs. IPS deployment feedback Richard Bejtlich (Apr 11)
    - RE: IDS vs. IPS deployment feedback Mike Barkett (Apr 13)
  - Re: IDS vs. IPS deployment feedback Jason (Apr 13)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 11)
- RE: IDS vs. IPS deployment feedback Andrew Plato (Apr 13)
- RE: IDS vs. IPS deployment feedback Kyle Quest (Apr 13)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 13)
  - Re: IDS vs. IPS deployment feedback Paul Schmehl (Apr 15)
- RE: IDS vs. IPS deployment feedback Cojocea, Mike (IST) (Apr 13)
- RE: IDS vs. IPS deployment feedback Gary Halleen (ghalleen) (Apr 13)
  - Re: IDS vs. IPS deployment feedback Randal T. Rioux (Apr 18)
- Re: IDS vs. IPS deployment feedback Frank Knobbe (Apr 13)
- RE: IDS vs. IPS deployment feedback Basgen, Brian (Apr 13)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 15)
- RE: IDS vs. IPS deployment feedback Biswas, Proneet (Apr 15)
- RE: IDS vs. IPS deployment feedback Palmer, Paul (ISSAtlanta) (Apr 15)
- RE: IDS vs. IPS deployment feedback Mark Teicher (Apr 15)
- RE: IDS vs. IPS deployment feedback PPowenski (Apr 19)
- Re: IDS vs. IPS deployment feedback virtuale (Apr 21)