IDS mailing list archives

Previous By Date Next
Previous By Thread Next

RE: How to choose an IDS/FW MSS provider

From: "Dahl-Hansen, Kjetil" <kjetil.dahlhansen () dns co uk>
Date: Tue, 15 Mar 2005 09:04:22 -0000
One of the reasons why this is interesting to a 'front-line grunt' like
myself (where a large part of the job is handling triggered signatures),
is that it enables me to make a better assessment about a possible
security incident. Does it trigger if it just sees 'cmd.exe' travelling
on port 80, or is it slightly more sophisticated? What are the
throttling/summarizing settings?

It is not often that I find it necessary to look into a signature like
this, but I like having that option.

Kjetil.

(and I seem to have just pushed the discussion even further away from
topic - apologies :-)
 
-----Original Message-----
From: Andrew Plato [mailto:andrew.plato () anitian com] 
Sent: 11 March 2005 19:42
To: Stephane; rick.brady () libertymutual com
Cc: focus-ids () securityfocus com
Subject: RE: How to choose an IDS/FW MSS provider

Honestly, how many people, except security geeks like us, really care
what is inside the signatures? Sure, its fun to look inside them and see
what they are keying on, but since ISS signatures are not purely "match
this string" kind of stuff that Snort does, its not that simple. And
more importantly, who the heck has time to do that? In the zillions of
Proventias and server sensors I've deployed, I don't think anybody has
ever once asked me "gosh, can we see the signature code." They were to
busy running their systems to obsess over the code inside signatures. 

I think the "I can't see the signatures, I don't trust them" argument
isn't a viable reason to turn down an IPS/IDS vendor. If it was, then it
would put Cisco, Symantec, TippingPoint, and just about everybody else
with a high-performance IPS off the map. 

ISS MSS from our experience as an ISS reseller has been positive. But, I
am an ISS reseller so I have to say that. Another that comes to mind is
Counterpane. 

___________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN  ENTERPRISE  SECURITY

3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
___________________________________

GPG fingerprint: 16E6 C5B0 B6CB F287 776E E9A9 AF47 9914 3582 633D GPG
public key available at: http://www.anitian.com/corp/keys.htm 
 


---------------------------------------------------
This email from dns has been validated by dnsMSS Managed Email Security and is free from all known viruses.

For further information contact email-integrity () dns co uk





--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: