Educause Security Discussion mailing list archives

Re: IDS/IPS Solutions


From: Curt Wilson <curtw () SIU EDU>
Date: Mon, 7 Dec 2009 09:21:39 -0600

TippingPoint was not an option for us mostly due to price. I have used snort
for many years, and we were getting good results on EXtrusion detection with
the bleeding threats signatures (open source signatures contributed by the
community) and finally purchased the Sourcefire system. We are using it in
strictly IDS mode without its IPS functionality. It requires a fair amount
of tuning. The Sourcefire signatures are mostly attempting to detect
INtrusions and some of them are useful, but the false positive rate can be
high, requiring ongoing tuning and expertise. Bleeding threats has morphed
into Emerging Threats and there is a robust rule-submitting community. We
have good luck detecting all sorts of activity. We have a half-time graduate
assistant doing most of the day-to-day alert checking, and I spend a portion
of my day hands-on and also providing oversight to the process. I really
like the open source signature writing community and the extensive user
base, and the fact that you can do a large amount of tweaking. We have root
on the sensor also, which is a plus (we use it to tcpdump sometimes since
it's already set up on a SPAN port). I dislike that we do not have the same
control that we would over a home-built snort solution without breaking
support. For instance, we can't just go load any old preprocessor that
someone writes, such as one that would capture PE files as they fly across
the wire, and must submit a feature request.

Sourcefire support has been good to us when we've needed them, and we are
able to use the alerts to justify further attention to security matters. But
as we are not using its IPS functionality, we are unfortunately not
*stopping* these attacks before they come in. Since most attacks these days
seem to be attacking or tricking the client, IDS coverage seems to be
spotty. For instance, IDS seems to have trouble processing file formats such
as Microsoft Office, which is why there are other solutions to scan for
Office-based malware, such as OfficeCat (from Sourcefire) and other
utilities that can perform the processor-intensive file parsing operations.
I have not placed much attention on attempting to alert on incoming Flash,
Java, PDF based malware for the same reasons, although some signatures could
likely be written at the potential cost of CPU cycles and false positives.

Emerging Threats (see http://doc.emergingthreats.net/) is a huge plus. In
addition to the aforementioned sigs for EXTrusion detection (such as various
botnet IRC and HTTP command and control channel detections) they offer
continually updated signatures with known malware IP and hostnames.
Leveraging those lists requires a robust update schedule, but even loading
them infrequently can still give you some insight. A firewall might be a
better blacklist, but I like that the IDS can give you packet context and
Sourcefire gives you the ability to download a pcap of every alert.

Hope this wasn't too much of a rambling message.



On Fri, Dec 4, 2009 at 4:54 PM, Shaun Gray <SGray () medford k12 nj us> wrote:

Hello Everyone,

We recently decided to implement an IDS/IPS system to complement our
existing security mechanisms. I have used Snort for some time on the
perimeter of our network, but found the system difficult to maintain. What
system is everyone using, what are your likes/dislikes, and how was the
implementation? Thanks in advance!

Shaun L. Gray
Network Engineer
Medford Township Board of Education
Information Technology Department
phone: 609.975.6159
email:  sgray () medford k12 nj us
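Curt's message above describes loading Emerging Threats-style lists of known malware IPs and hostnames into the IDS and notes that this only works with a robust update schedule. The following Python is an added example, not code from the thread or from Emerging Threats or Sourcefire: it parses a small reputation feed, flags the feed as stale when its timestamp is too old, emits Snort-format rules from the entries, and matches constructed outbound flow records against the IP entries. The feed format, the `# generated:` header, the SID range and the flow record layout are all assumptions made for the example; every indicator is constructed sample data from documentation address ranges and the reserved `.example` domain, not a real IoC.

```python
"""
Added example: turn a small IP/hostname reputation feed into Snort rules,
check the feed's age, and match outbound flows against the IP entries.
All indicators below are constructed sample values, not real ones.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample feed (assumed format): "value,kind,note" lines plus a
# "# generated:" header carrying the feed's build time in UTC.
SAMPLE_FEED = """\
# generated: 2009-12-07T12:00:00Z
198.51.100.23,ip,constructed-c2-sample
203.0.113.0/24,ip,constructed-hosting-sample
c2.malware.example,host,constructed-http-c2-sample
"""

# Constructed outbound flow records, "src,dst", as a SPAN-port summary might give.
SAMPLE_FLOWS = [
    "10.0.0.5,198.51.100.23",
    "10.0.0.8,203.0.113.77",
    "10.0.0.9,192.0.2.1",
]

SID_BASE = 9000001  # assumed local-rule SID range for generated rules


def parse_feed(text):
    """Return (generated_at, entries); entries are (value, kind, note) tuples."""
    generated = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# generated:"):
                stamp = line.split(":", 1)[1].strip().replace("Z", "+00:00")
                generated = datetime.fromisoformat(stamp)
            continue
        value, kind, note = (f.strip() for f in line.split(",", 2))
        if kind == "ip":
            ipaddress.ip_network(value, strict=False)  # reject malformed entries
        entries.append((value, kind, note))
    return generated, entries


def feed_is_stale(generated_at, now, max_age=timedelta(days=1)):
    """True when the feed has no timestamp or is older than max_age."""
    if generated_at is None:
        return True
    return now - generated_at > max_age


def to_snort_rules(entries, sid_base=SID_BASE):
    """Emit one Snort rule per entry: IP rules match destination address,
    host rules match the HTTP Host header (|3a| is the hex colon)."""
    rules = []
    for i, (value, kind, note) in enumerate(entries):
        sid = sid_base + i
        if kind == "ip":
            rules.append(
                f'alert ip $HOME_NET any -> {value} any '
                f'(msg:"LOCAL known malware IP {note}"; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
        elif kind == "host":
            rules.append(
                f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                f'(msg:"LOCAL known malware host {note}"; '
                f'content:"Host|3a| {value}"; nocase; '
                f'classtype:trojan-activity; sid:{sid}; rev:1;)')
    return rules


def match_flows(entries, flow_lines):
    """Return (dst, note) for each flow whose destination is in an IP entry."""
    nets = [(ipaddress.ip_network(v, strict=False), n)
            for v, k, n in entries if k == "ip"]
    hits = []
    for line in flow_lines:
        _src, dst = (f.strip() for f in line.split(","))
        dst_ip = ipaddress.ip_address(dst)
        for net, note in nets:
            if dst_ip in net:
                hits.append((str(dst_ip), note))
                break
    return hits


if __name__ == "__main__":
    generated_at, feed_entries = parse_feed(SAMPLE_FEED)
    if feed_is_stale(generated_at, datetime.now(timezone.utc)):
        print("WARNING: feed is stale; refresh before trusting it")
    print("\n".join(to_snort_rules(feed_entries)))
    print(match_flows(feed_entries, SAMPLE_FLOWS))
```

The staleness check is the point Curt raises about the update schedule: an old list quietly stops alerting on infrastructure that has moved, so the script refuses to treat an untimestamped or day-old feed as current. The generated rules keep the IDS's advantage over a plain firewall blacklist, since each alert carries packet context.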

