IDS mailing list archives
Re: Intrushield
From: "Terry N." <cibert () gmail com>
Date: Thu, 6 Jan 2005 20:17:07 -0500
I've worked with Intrushield for a while now and I am not impressed that you must use their java GUI. In regards to filtering traffic, what I do is use NetForensics and add the sensors to a filter on its event console in the SIM. Within NF you can filter whatever you wish out of the Intrushield alerts and it also helps with your logging issue, should you have the luxury of using a correlation engine such as NF or something else like ArcSight. Unfortunately, these products are all java based as well. Security Operations Center (Terry N.)
We have intrushield deployed here, and I am disappointed. The
ability > to create user-defined signatures is very poor. There is no way to
make a signature to look at all ports and protocols, so with a UDS, you must specify a protocol for it to look at. There is no command-line access to write signatures, so you must use their Java GUI. There is no way to import sigs from other vendors, such as snort, and the rule flexibilty is just not there. The built-in signatures is a closed-set, so you do not know what IntruShield's signatures are firing on. You also cannot filter out traffic. There are filters available, but they only work on signature based detection. Anomaly detection will still fire on the filtered traffic. I have yet to get the logging capability to work. You can set it to log X packets, but it won't display them when you view alerts.
-------------------------------------------------------------------------- Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. --------------------------------------------------------------------------
Current thread:
- Re: Intrushield Terry N. (Jan 10)
- <Possible follow-ups>
- Re: Intrushield Chris Brown (Jan 24)