Educause Security Discussion mailing list archives

Re: Intrusion Detection Recommendations


From: James Riden <j.riden () MASSEY AC NZ>
Date: Wed, 10 Aug 2005 09:03:06 +1200

Mike Radomski <Mike.Radomski () ITEC SUNY EDU> writes:

Hello, 

We are currently looking at different alternatives to our Snort
implementation for an IDS.  We currently run Snort+ACID on a SPAN
port.  It works well, but would like a more robust system that is
capable of anomaly detection, flow analysis, etc.  I am wondering
what everyone uses for IDS/IPS?  Do you use a combination of open
source tools, a commercial software solution, or a commercial
hardware solution?  What are the advantages of your implementation?
Disadvantages?  Thanks!

We're using a couple of snort sensors and a BASE console - BASE is an
actively maintained fork of ACID. I'm guessing you know the advantages
and disadvantages of this situation - very good if properly tuned, but
rule maintenance and customisation can be a bit of an issue. Wading
through the alerts can be a bit of a chore as well.

For the future we're thinking about Juniper's ISG2000 IPS product and
we're looking at a trial of Sourcefire's RNA appliances. RNA should
enable us to prioritise alerts much better and also keep an eye on
services popping up where they shouldn't be.

cheers,
 Jamie
-- 
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
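Both posts above describe the same practical pain point with a Snort plus ACID/BASE setup: the sensor fires correctly once tuned, but an analyst still has to wade through a flat stream of alerts. The script below is an added example, written for this archive page and not code from either poster or from the Snort project. It parses lines in Snort's "fast" alert output format, collapses them into one row per signature ordered by Snort priority and hit count, reports how many distinct sources and targets each signature touched, and applies a local suppression list, which is the kind of tuning step the reply alludes to. The alert lines, signature IDs and addresses in SAMPLE_ALERTS are constructed sample data, and the noisy-signature set passed to suppress() is a hypothetical analyst decision, not a recommendation.

```python
import re

# Constructed sample in Snort's "fast" alert format (not from the original thread).
# Hosts are documentation addresses; SIDs and messages are illustrative values only.
SAMPLE_ALERTS = """\
08/09-23:41:02.118233  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.10:1434
08/09-23:41:02.901407  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.11:1434
08/09-23:41:05.003311  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.44:40213 -> 239.255.255.250:1900
08/09-23:41:09.772015  [**] [1:1256:7] WEB-IIS CodeRed v2 root.exe access [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 198.51.100.23:3492 -> 192.0.2.20:80
08/09-23:41:11.114909  [**] [1:2003:8] MS-SQL Worm propagation attempt [**] [Classification: Misc Attack] [Priority: 2] {UDP} 203.0.113.7:1434 -> 192.0.2.12:1434
08/09-23:41:15.550002  [**] [1:1917:6] SCAN UPnP service discover attempt [**] [Classification: Detection of a Network Scan] [Priority: 3] {UDP} 192.0.2.44:40214 -> 239.255.255.250:1900
"""

# One fast-format line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, then "src:port -> dst:port".
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$"
)


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["sid"] = int(d["sid"])
    d["prio"] = int(d["prio"])
    # Strip the port so that the same host is counted once regardless of ephemeral port.
    d["src_ip"] = d["src"].rsplit(":", 1)[0]
    d["dst_ip"] = d["dst"].rsplit(":", 1)[0]
    return d


def summarize(alert_text):
    """Collapse raw alerts into one row per signature, most urgent first.

    Ordering is Snort priority ascending (1 is most severe), then hit count descending.
    Each row also carries the number of distinct source and destination hosts, which
    is what separates one worm spraying a subnet from a single noisy client.
    """
    groups = {}
    for line in alert_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue  # unparsable lines are skipped rather than mis-bucketed
        g = groups.setdefault(a["sid"], {
            "sid": a["sid"], "msg": a["msg"], "priority": a["prio"],
            "count": 0, "src": set(), "dst": set(),
        })
        g["count"] += 1
        g["src"].add(a["src_ip"])
        g["dst"].add(a["dst_ip"])
    rows = [
        {"sid": g["sid"], "msg": g["msg"], "priority": g["priority"],
         "count": g["count"], "sources": len(g["src"]), "targets": len(g["dst"])}
        for g in groups.values()
    ]
    rows.sort(key=lambda r: (r["priority"], -r["count"]))
    return rows


def suppress(rows, noisy_sids):
    """Drop signatures the local analyst has classified as noise (hypothetical tuning list)."""
    return [r for r in rows if r["sid"] not in noisy_sids]


if __name__ == "__main__":
    # {1917} is a constructed example of a locally suppressed signature, not advice.
    for r in suppress(summarize(SAMPLE_ALERTS), {1917}):
        print(f"prio {r['priority']}  x{r['count']:<3} sid {r['sid']:<6} {r['msg']}  "
              f"({r['sources']} src -> {r['targets']} dst)")
```

In a real deployment the suppression set would be driven by Snort's own threshold/suppress configuration rather than post-filtering in a script, but the grouped view is the same thing the reply hopes to get from a console that prioritises alerts: the single priority-1 hit rises to the top, the repeated worm signature shows up as one source reaching three targets, and the scan noise can be tuned away without editing rules.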
