IDS mailing list archives

Re: IDS detection approaches


From: frankfrydrych () gmail com
Date: 5 Oct 2007 02:29:52 -0000

Hola,

I would completely go with a signature based IDS. Anomaly based IDS will not give you the greatest results.

For signature based I highly recommend SNORT. It is probably one of the best IDS out there. Now I'm not just saying this as a "ooh open source is the best". I truly believe this. I actually used to be a huge Cisco buff and just dealt with Cisco IDS. However, at my current job I am a security analyst and have to analyze events from Cisco, IIS, Juniper, etc, and SNORT beats them all. Mainly for the fact that you are able to see the packet payload and are able to make the decision if something is malicious based on the actual payload and not just the signature that is triggered (like some IDS). Also, when a new threat emerges usually SNORT users will create a signature to combat the threat. The other vendors create the signatures for you and it usually ends up being like 3 months after the threat was actually a realistic threat. And on top of it the vendor signatures usually give out a huge amount of false positives. Then again, an IDS is only as good as who tunes it. If you take ANY IDS and turn it on in a production network you will have so many false positives I guarantee you will miss actual threats. Every IDS (including SNORT) has to be tuned for the production network it is on.

Finally, make sure to place the IDS behind the firewall. If you place it in front of the firewall you will receive so much traffic that it is just not valuable data. You have a firewall, so let the firewall do its job and block the already known bad activity, and catch what gets through the firewall with an IDS.

-FF
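As an added illustration of two points the post makes (alerts that carry the packet payload so the analyst can judge the actual bytes, and tuning to cut false positives), here is a toy signature matcher in Python modelled on Snort's rule, suppress and threshold concepts. It is not Snort's code or the poster's; the rules, addresses and packets are constructed sample data.

```python
# Toy signature matcher (constructed example, not Snort's implementation).
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    sid: int
    msg: str
    content: bytes                   # byte pattern the payload must contain
    dst_port: Optional[int] = None   # None matches any destination port

@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes

@dataclass
class Tuning:
    suppress: set = field(default_factory=set)     # (sid, src) confirmed benign
    threshold: dict = field(default_factory=dict)  # sid -> max alerts per run

def matches(rule, pkt):
    return rule.dst_port in (None, pkt.dst_port) and rule.content in pkt.payload

def run(rules, packets, tuning):
    # Suppressed (sid, src) pairs are never counted; hits above a sid's
    # threshold are counted but not alerted on. Returns (alerts, hit_counter).
    alerts, hits = [], Counter()
    for pkt in packets:
        for rule in rules:
            if not matches(rule, pkt) or (rule.sid, pkt.src) in tuning.suppress:
                continue
            hits[rule.sid] += 1
            if hits[rule.sid] > tuning.threshold.get(rule.sid, float("inf")):
                continue
            # The payload travels with the alert, so triage is based on the
            # actual bytes and not just the signature name.
            alerts.append({"sid": rule.sid, "msg": rule.msg, "src": pkt.src,
                           "payload": pkt.payload[:64]})
    return alerts, hits

# Constructed sample rules, traffic and tuning (all addresses are made up).
RULES = [Rule(1000001, "HTTP directory traversal", b"../", 80),
         Rule(1000002, "Anonymous FTP login", b"USER anonymous", 21)]
PACKETS = [
    Packet("10.0.0.5", 80, b"GET /images/../../etc/passwd HTTP/1.1"),  # real hit
    Packet("10.0.0.9", 80, b"GET /../ HTTP/1.1"),             # authorised scanner
    Packet("10.0.0.7", 80, b"GET /docs/intro.html HTTP/1.1"),  # benign
    Packet("10.0.0.8", 21, b"USER anonymous\r\n"),             # FTP hit
] + [Packet("10.0.0.11", 80, b"GET /a/../b HTTP/1.1")] * 5    # noisy source
TUNING = Tuning(suppress={(1000001, "10.0.0.9")}, threshold={1000001: 3})
```

Running `run(RULES, PACKETS, TUNING)` yields four alerts: the scanner's hit is suppressed outright, and the noisy source is counted six times but surfaces only three alerts for that signature.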


