IDS mailing list archives
RE: IDS vs. IPS deployment feedback
From: "Andrew Plato" <andrew.plato () anitian com>
Date: Fri, 7 Apr 2006 08:54:49 -0700
Number of rules does not equal quality of IDS/IPS technology. Or in other words, just because an IDS/IPS has a zillion rules doesn't mean those rules are any good. Or that implementing or using that technology is good.

Your 500 number is wrong. When you get into the leading commercial IPSs (TippingPoint, ISS, Juniper, McAfee) these products on average have 2000-3000 signatures. However, in some technologies, one signature handles an entire class of vulnerabilities. Where Snort needs multiple signatures for the same vulnerability, ISS can protect against the vulnerability with 1 signature. TP is the same. I don't know Juniper and McAfee as well, but I suspect they are similar.

Snort also has a lot of unique signatures that people have designed for highly specialized purposes. That is definitely a benefit to some organizations. But, those signatures are only useful in those unique situations. And all the commercial products support custom signatures - so you can do the same thing for your TP or ISS box.

Furthermore, Snort rules are developed by volunteers (or Sourcefire). As such, SNORT is usually behind the curve on new signatures. ISS, for example, does their own independent security research and has signatures to protect against things that Snort people don't even know about. Other vendors buy exploits from the hacker market - again giving them access to vulnerabilities long before it hits the public and subsequently the people who develop SNORT signatures.

The 90% thing you're coming up with is just false. You're assuming that all those signatures represent a serious attack. And you're also assuming that quantity of signatures is the measure of effectiveness. A poorly maintained, tuned or implemented Snort sensor is just as useless as a poorly maintained, tuned, or implemented ISS sensor.

Now, I realize I sound like an ISS or TippingPoint sales person. And yes, I have a vested interest in such products because my company sells them. But, I also know that I've seen more than a few organizations throw away Snort-based protections because the administration and management of them was too resource intensive. And merely having 5000 signatures available does not translate to effective security.

-----------------------------------------------
Andrew Plato, CISSP, CISM
President/Principal Consultant
Anitian Enterprise Security
-----------------------------------------------

-----Original Message-----
From: Basgen, Brian [mailto:bbasgen () pima edu]
Sent: Thursday, April 06, 2006 10:44 AM
To: focus-ids () securityfocus com
Subject: RE: IDS vs. IPS deployment feedback

I'm new to the list, but this flame war is a bit odd. This is an IDS list, yet the usefulness of IDS is being dismissed?

This debate could generate some interesting data. In snort, for example, there are around 5,759 rules (3/31/2006, non-subscription rule base). I don't have the metrics on hand of how many rules commercial IPSs deploy on by default (and how many total can be turned on), but I'd guess it is around 500. I'd be interested to know those numbers, if someone has them. A vendor comparison of rules could also be interesting.

What I draw from this ratio is that some 90% of attacks can get through an IPS solution. That doesn't invalidate the IPS any more than the IPS invalidates a firewall, but it does indicate to me that IDS plays an essential role.

~~~~~~~~~~~~~~~~~~
Brian Basgen
IT Security Architect
Pima Community College
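The exchange above turns on whether a raw rule count (5,759 Snort rules versus a guessed 500) says anything about coverage. The script below, an added example that is not part of either post, parses Snort-style rule lines and counts distinct CVE-referenced vulnerabilities rather than rules, so that several rule variants for one flaw are not mistaken for several flaws. The rule set and the CVE ids in it are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample rule set (not from the page); the CVE ids are placeholders.
# Three rules are variants for the same vulnerability, one references another,
# and one is a local policy rule with no vulnerability reference at all.
SAMPLE_RULES = """
# local.rules (constructed example)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB overflow variant A"; content:"/cgi-bin/x?a="; reference:cve,2000-0000; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB overflow variant B"; content:"/cgi-bin/x?b="; reference:cve,2000-0000; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB overflow variant C"; content:"/cgi-bin/x?c="; reference:cve,2000-0000; reference:bugtraq,1; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP command overflow"; content:"SITE "; reference:cve,2000-0001; sid:1000004; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 (msg:"LOCAL POLICY irc from server"; sid:1000005; rev:1;)
"""

# Header is everything up to the first "("; options are the parenthesised body.
RULE_RE = re.compile(r'^(?:alert|log|pass|drop|reject|sdrop)\s+\S+[^(]*\((?P<opts>.*)\)$')
REF_RE = re.compile(r'reference\s*:\s*(?P<system>\w+)\s*,\s*(?P<id>[^;]+)\s*;')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')


def parse_rules(text):
    """Return a list of (sid, set of (system, id) references) per active rule line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue  # blank line or commented-out rule
        m = RULE_RE.match(line)
        if not m:
            continue  # not a single-line Snort rule
        opts = m.group('opts')
        sid_m = SID_RE.search(opts)
        sid = int(sid_m.group(1)) if sid_m else None
        refs = {(r.group('system').lower(), r.group('id').strip()) for r in REF_RE.finditer(opts)}
        rules.append((sid, refs))
    return rules


def coverage_summary(text):
    """Compare rule count with the number of distinct CVEs those rules reference."""
    by_cve = defaultdict(list)
    without_cve = 0
    rules = parse_rules(text)
    for sid, refs in rules:
        cves = {ref_id for system, ref_id in refs if system == 'cve'}
        if not cves:
            without_cve += 1  # policy/custom rule: counts as a rule, not a vulnerability
        for cve in cves:
            by_cve[cve].append(sid)
    return {'rules': len(rules), 'distinct_cves': len(by_cve),
            'rules_without_cve': without_cve,
            'rules_per_cve': {c: len(sids) for c, sids in by_cve.items()}}
```

Run against a real rule directory, the `rules`/`distinct_cves` ratio is the figure to compare between products, not the bare rule total.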