RE: IDS

["Nick Duda" <nduda () VistaPrint com>]

I disagree 100%. Snort IDS signatures are written much faster then
commercial. Jump onto the snort sig mail list. After all once the
payload is established you write your own sig. No need to wait on the
commercial.I've seen sigs written within an half hour of a worm release.

- Nick

-----Original Message-----
From: shankarnarayan.d () netsol co in
[mailto:shankarnarayan.d () netsol co in] 
Sent: Wednesday, May 26, 2004 12:26 AM
To: Endre.Szekely-Bencedi () hu-tcs com; security-basics () securityfocus com
Subject: RE: IDS

Hi,

Snort definitely is a good IDS, but given that Snort is free, it is
going to be difficult to get signatures as quickly and as easily as you
would on a commercial IDS. Given snort is free, it takes time before
people detect and then write signatures for the attacks. Snort does give
you the capability to add and modify signatures as you please - but this
is also available in commercial signatures. 
Additionally, there are many types of IDS - what are you looking at -
there is the adaptive/ anomaly detection IDS which understands and gets
a baseline of the activities that go on your network and then flag
anything that is unusual as an attack - ofcourse this could lead to a
lot of false alarms - but this is the new way that the industry is going
to - how effectively you can fine tune this is dependent on your
efficiency The other side is the signature based IDS where the attacks
are detected based on signatures only and the third category is a
combination of the two
- 

So pick what you want based on what data you want to protect and you
level of confidence - what is the level of criticality of the data, what
type of users you have on the network - if they are more of the
networking software development kind OR if they are the protocol stack
writers, are they the extremely nosy bunch that regularly plays on the
production network, do they frequently download off the web and try
these tools on the network etc...............

IDS' are aplently - but it is necessary what type of IDS you wan to test
before you jump into it - examples also include the Dragon IDS (there
were eval copies available till sometime back - dunno if they are still
there), there are the Cisco IDS, Black ICE, Real Secure, Net Prowler etc

So long..............

shankar

-----Original Message-----
From: Endre Szekely-Bencedi [mailto:Endre.Szekely-Bencedi () hu-tcs com]
Sent: Monday, May 24, 2004 3:47 PM
To: security-basics () securityfocus com
Subject: IDS

Hi List,

I'd like to ask you to recommend some IDS I could test. Our company is
about 100-120 PCs large at the moment, that could increase to up to 400
in the near future. I am currently trying eTrust IDS v1.5 but it reports
many false alarms, also it just reports the half of the traffic as
'other protocols' so I really can't get much useful information from
that.
Is Snort's software any good? It is free, and that's just nice. I was
thinking to try it one of these days when I'll have a bit of spare time.
Should I bother with the Windows version or I should just put it on a
Unix machine?

Any other tips, software that can do traffic logging/analysis/intrusion
detection?

Thanks.

PS: Please, CC me the answers as I don't have much time to read mails
usually so I might delete it along with
        the many other mailing list mails if I'm hurrying.

Greetings,
Endre Szekely-Bencedi
_____________________________________
Tata Consultancy Services
H-1054 Budapest, Kalman Imre u. 1.
Tel.: +36 1 4751214
FAX: +36 1 475 1111
Email: Endre.Szekely-Bencedi () hu-tcs com
_____________________________________

"THIS E-MAIL MESSAGE ALONG WITH ANY ATTACHMENTS IS INTENDED ONLY FOR THE
ADDRESSEE and may contain confidential and privileged information. If
the reader of this message is not the intended recipient, you are
notified that any dissemination, distribution or copy of this
communication is strictly prohibited. If you have received this message
by error, please notify us immediately, return the original mail to the
sender and delete the message from your system."


------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----

------------------------------------------------------------------------
---
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
off any course! All of our class sizes are guaranteed to be 10 students
or less to facilitate one-on-one interaction with one of our expert
instructors. 
Attend a course taught by an expert instructor with years of
in-the-field pen testing experience in our state of the art hacking lab.
Master the skills of an Ethical Hacker to better assess the security of
your organization. 
Visit us at: 
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
------------------------------------------------------------------------
----




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------