IDS mailing list archives

Re: NetScreen IDS (X-post)

From: Jordan K Wiens <jwiens () nersp nerdc ufl edu>
Date: Tue, 28 Jan 2003 11:23:57 -0500 (EST)

Doh!  Time for a big apology here; I just got a friendly reminder from
someone that I wasn't talking about the NetScreen IDS, but an entirely
different product.  We were evaling/meeting with a number of different
vendors at the time and I got my wires crossed as to what I was responding
to.

Please disregard my previous comments.  I have never seen the NetScreen IDS
product, and can't make any kind of judgement on it; my opinion below was
for a different IDS that will remain unnamed at this point since that's not
what this thread is about.  In fact, people familiar with the NetScreen IDS
may very well have been confused about what I was talking about, as I doubt the
particular issues below are necessarily relevant to NetScreen.

Again, I'm very sorry for the mistake, hope no harm was done.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 27 Jan 2003, Jordan K Wiens wrote:

We demo'ed it, and found the interface to be excellent, the features great
and the actual detection ability abysmal.  It does integrate fairly well
with other IDS, and has a number of very nice features such as flow
analysis and mild work tracking.  On our couple of /16s it generated so
many hundreds of identical events due to its use of 'anomaly detection'
that it was functionally useless.  On a highly controlled or very small
network it might be useful, on a large network, it was fairly ineffective.

Oh yeah; they claim to have the ability to correlate different attacks
intelligently.  On our network the correlation was worse than no
correlation whatsoever.  Different attacks were often lumped together, and
(what I consider) obvious attacks were not correlated.

If recent versions (last I saw it was about 6 months ago) have added a more
robust signature base (the engine wasn't capable of incorporating too many
signatures at first; they were heavily pushing their AD), and were able to
make their correlation more effective, it would be an excellent product.
