IDS mailing list archives

Re: Best IPS system?


From: p1g <killfactory () gmail com>
Date: Mon, 9 Jun 2008 23:26:18 -0400

I am using their NIDS/NIPS and NBAD sensors.

The power is in their SIM: Dragon Security Command Console, DSCC (Q-1 Labs).

Leveraging vulnerability information with sig detection, host
events (Windows, Linux, web, FW) and NBAD makes for a very useful
tool.

I have not noticed a huge difference in sig-based IDS; they all seem to
be matching against the same patterns.

The biggest difference I found was in the SIM. It aggregates the
alerts in a single offense per target IP address.

So if there is a chain of events, say, a port scan followed by an exploit
attempt (attempting to exploit a vuln the system knows the target
is vulnerable to), followed by unsuccessful login attempts, followed by a
successful one, outbound data transfer, SSH over a non-SSH port, etc., etc.,
it is all in one alert record. I can bring it up and see what really happened,
if anything. Maybe it was an attack against a Unix vuln directed at a
Windows server? The NBAD sensors can be configured to collect a
portion of every packet on the wire, from 64k to 2048k (I have not tried
any higher). Usually about 1200k is enough to see what was in a given
payload. So when you are reviewing an offense you can pivot directly
to the packet traces or to the events that contributed to the offense.

You can also rate all your hosts by criticality. So?

Well, if it is a busy day, or you have multiple offenses, DSCC will
prioritize your response based on the 'magnitude' of the offense.
Magnitude = credibility of the reporting source (tuned or untuned Snort
sensor), relevance (host criticality rating 1-10), vulnerability info
(known to have or not have the vulnerability), etc.

I could say a lot. I went as far as to buy the suite and go to training
and got certified (ESSE-D). I know that doesn't mean s@#$, but I was
very into it. Still am.

I know I have said it before: I don't want to know how people are
doing it without this type of technology.
Wasting a lot of time, I guess.

p1g

On Wed, May 21, 2008 at 1:54 AM, Randal T. Rioux <randy () procyonlabs com> wrote:
On Sun, May 18, 2008 10:53 pm, p1g wrote:
check out the dragon stuff

enterasys.com


What is it that you like about the Dragon solutions? What specific
product(s) have you used/evaluated? How does it differ from other ID/PS's?

Thanks,
Randy
-- 
-p1g
SnortCP, ESSE-D, C|HFI, TNCP, TECP, NACP, A+, whatever..
 ,,__
o" )~ oink oink
 ' ' ' '

If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke
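The offense aggregation and magnitude ranking described in the post, as an added Python example (not DSCC's code or its actual formula): events are folded into one offense per target IP, and magnitude is an assumed plain average of source credibility, host criticality and whether the target is known to carry the vulnerability the exploit signature matched. Asset records, sensor names, vulnerability ids and the event list are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Event:
    source: str     # reporting sensor (hypothetical names)
    target: str     # target IP; offenses are keyed on it
    kind: str       # portscan, exploit, login_fail, login_ok, egress, ssh_nonstd
    vuln: str = ""  # vulnerability id the signature maps to (placeholder ids)

@dataclass
class Offense:
    target: str
    chain: list = field(default_factory=list)   # event kinds in arrival order
    sources: set = field(default_factory=set)
    vulns: set = field(default_factory=set)

# Constructed asset inventory (criticality 1-10, known vulns) and sensor weights.
ASSETS = {
    "10.0.0.7": {"criticality": 9, "os": "linux",   "vulns": {"VULN-UNIX-1"}},
    "10.0.0.5": {"criticality": 3, "os": "windows", "vulns": {"VULN-WIN-1"}},
}
CREDIBILITY = {"snort-tuned": 8, "snort-untuned": 4, "syslog": 7, "nbad": 6}

def aggregate(events):
    """Fold events into a single offense per target IP."""
    offenses = {}
    for ev in events:
        off = offenses.setdefault(ev.target, Offense(ev.target))
        off.chain.append(ev.kind)
        off.sources.add(ev.source)
        if ev.vuln:
            off.vulns.add(ev.vuln)
    return offenses

def vuln_score(off):
    """10 if the target is known to have a matched vuln, 1 if known not to, 5 if nothing to judge."""
    if not off.vulns:
        return 5
    return 10 if off.vulns & ASSETS.get(off.target, {}).get("vulns", set()) else 1

def magnitude(off):
    cred = max(CREDIBILITY.get(s, 3) for s in off.sources)   # best-credibility reporter
    relevance = ASSETS.get(off.target, {}).get("criticality", 5)
    return round((cred + relevance + vuln_score(off)) / 3, 1)

def prioritize(events):
    return sorted(aggregate(events).values(), key=magnitude, reverse=True)

# Constructed event list: the full chain against the Linux box, plus a Unix exploit aimed at a Windows box.
SAMPLE = [
    Event("snort-untuned", "10.0.0.7", "portscan"),
    Event("snort-tuned", "10.0.0.7", "exploit", vuln="VULN-UNIX-1"),
    Event("syslog", "10.0.0.7", "login_fail"), Event("syslog", "10.0.0.7", "login_ok"),
    Event("nbad", "10.0.0.7", "egress"), Event("nbad", "10.0.0.7", "ssh_nonstd"),
    Event("snort-tuned", "10.0.0.5", "exploit", vuln="VULN-UNIX-1"),
]
```

Running `prioritize(SAMPLE)` puts the Linux offense (magnitude 9.0) ahead of the mismatched Windows one (4.0).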
