IDS mailing list archives
RE: Intrushield User Experiences Warts 'n' All
From: "Ed Gibbs" <ed () digitalconclave com>
Date: Wed, 27 Apr 2005 09:46:39 -0700
> How easy is it to tune?

IntruShield is very easy to tune. There are several approaches to take, either by creating alert filters to filter out by SRC/DST IP, or, if you're in-line, by in-bound/out-bound direction. You can also leverage their virtualization and create policies specifically for VLANs or CIDR blocks (I believe up to 1000 virtual policies on their highest-end model, the I-4000).

> What are the false positive rates like?

Very low. I've seen situations where other products (no vendor bashing) generated as much as 800,000 false positives a day in one particular environment, and with IntruShield, around 100,000. Still a lot, but a big improvement.

> Can you write custom signatures?

Yes, IntruShield supports "User Defined Signatures". You can push signatures in real-time without any disruption in service/sessions.

> How easy is it to update, both signatures and appliance patches?

Simple. Just a couple of clicks. They can also be scheduled.

> How frequently do you receive signature updates?

If no major outbreaks occur (med-high), then every 1 or 2 weeks.

> Does it provide sufficient information for an analyst to resolve an event?

Yes, their forensics analysis is fantastic. Captures the entire flow of packets if you want.

> Does it do packet capture:
> a. per event?

Yes

> b. rolling?

Yes

> c. how easy is it to recover said packets?

Point-and-click. Uses Ethereal to display packets.

> What is the support like?

Pretty good actually, compared to our former IDS product support.

> Value Added? Good points?

Easy to manage, accurate, real-time alerts, large signature base, virtualization, ACL list, SSL decryption and inspection of encrypted traffic, in-bound/out-bound policy definitions, etc.

> Bad Points?

Management interface - heavy on Java, but not necessarily a bad thing, just be aware.

> Those more important points that I can't remember right now? I realise I can get much of the above from the website, but I would like to hear it from the horse's mouth, from practitioners in the field.
Ed Gibbs 760-687-6768