HIDS/HIPS Selection Process

[astalavista.box.sk () gmail com]

Our company is about to embark on a search for a HIDS/HIPS solution.
We would like something that can be deployed to servers but our primary interest is being able to roll it out to all 
user laptops and possibly even all desktops as well.

I am most aware of (I wouldnt say I am familiar with them) Cisco's CSA and Eeye's Blink offering and am trying to build 
some sort of methodology for testing various HIDS/HIPS options and comparing them against one another.
My initial thought is to have a number of workstations, each installed with its own HIDS but an identical image other 
than that.  I will use our standard desktop image which is missing a couple MS Patches and anticipate testing the 
results across all the workstations of working metasploit against known vulnerabilities and maybe installing a worm 
onto a separate machine in this isolated environment to see how each deals with it.  Probably also subject each host to 
a nessus or retina scan to see not only what it reveals but also how it handles a scan.

Does anyone know if such a document/framework/plan exists (like in the SANS reading room or somewhere)?
Do you have any suggestions as to what I should include in my process?  I have a basic idea as outlined above which I 
will begin to refine but the more input you can offer me as to what specific measurable constructs I should apply in 
each facet of testing would be appreciated.
Any other products that you would reccomend we include in the product survey?

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------