Snort mailing list archives
Re: Fallacies and lies.
From: "Marc Quibell" <mquibell () fbfs com>
Date: Thu, 6 Nov 2003 08:56:19 -0600
The problem is that Gartner and many others don't quite know how to use IDS. They think we use it to somehow PROTECT OUR SYSTEMS! Does anyone use it in that fashion? OH! So let's throw away our firewalls then....

How do YOU use Snort, for example?

-To see how many PCs are infected with the Blaster worm?
-To make sure your firewalls are doing the job?
-To audit the malicious traffic?
-To make sure your company policies concerning IM usage or Kazaa are being followed?
-To make sure your servers are not affected by malicious traffic?
-To gather historical reports and baselines of the attacks directed at your network?
-To report attacks directed at your network to your company Execs so that they will see the need for your existence?

To name a few...

And now what does, "Most network-based IDS products don't detect attacks in real time" have to do with this? I don't want it to react to anything! (Even though I'm sure we could make it do that, in real-time.) And the wire-speed statement is a bunch of bull. IDS is not an IPS, and IDS is a very good tool, much like MRTG no?

Cheese
Marc

-------------------------------------------------------------------------------
Message: 2
Date: Thu, 6 Nov 2003 12:10:22 +1300
From: Jason Haar <Jason.Haar () trimble co nz>
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Fallacies and lies.
Organization: Trimble Navigation New Zealand Ltd.

I don't want to be seen to be standing up for Gartner - but one thing is correct. They say:

"They don't work at wire speeds. Most network-based IDS products don't detect attacks in real time, and they can't handle the high speeds of internal networks"

The last piece is correct - in a different context. If you want to start pushing IDS "features" into your core INTERNAL network - then you really are looking at IDS functionality within routers and switches - not extra boxes.

If you have 40 switches on your LAN - what would you prefer? 40 new IDS in front of each, or switches that "do" IDS? What about the extra 70 Wireless APs you have? You can't have them all sitting next to one IDS now can you...

Either switches add IDS functionality, or IDS needs to add switch functionality ;-)

...or we all go to migrating to HIDS [that's where I think the future lies - even IDS in switches can't handle IPSec]

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
Current thread:
- Fallacies and lies. Mark Penny (Nov 05)
- Re: Fallacies and lies. Edin Dizdarevic (Nov 05)
- <Possible follow-ups>
- RE: Fallacies and lies. Bob Walder (Nov 05)
- RE: Fallacies and lies. Rich Adamson (Nov 05)
- RE: Fallacies and lies. Bob Walder (Nov 05)
- Re: Fallacies and lies. Jason Haar (Nov 05)
- RE: Fallacies and lies. Bob Walder (Nov 06)
- Re: Fallacies and lies. Marc Quibell (Nov 06)