On Thu, 8 Oct 2009 11:46:09 -0400 Brad Tilley <b...@16systems.com> wrote:
> On Thu, Oct 8, 2009 at 10:57 AM, Joachim Schipper
> <joac...@joachimschipper.nl> wrote:
> >
> > There is no support for the "queue packets to userspace" required by
> > Snort's IPS mode in any released OpenBSD version...
>
> I have never seen Snort deployed in IPS mode, only IDS mode for
> monitoring purposes. IMO, too many things break in IPS mode. The old
> ISS systems from IBM did "virtual patching" when in IPS mode. It
> basically altered the packets before sending them to the dest. You can
> imagine the stuff that broke.

I have set up several IPS systems for companies and I have nothing to complain about. Those work as well as IDS systems and you get more out of the system. Of course there are very good reasons to use IDS in some cases. The best setup is to have fail-open network cards. <ad>If one is interested in some high-end hardware one should look at Sourcefire 3D sensors</ad>, but of course those aren't cheap, which sucks.

---
Henri Salo