Don't bypass Snort, because the PFSense package makes it so easy to install and
configure. A one-click install of Snort, and the only thing left to do was
register and select what you want it to do.

Mehma
===
On Wed, Feb 17, 2010 at 8:28 PM, Johan Beisser <j...@caustic.org> wrote:

> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaud...@gmail.com>
> wrote:
> > From a compliance perspective, I don't have much choice. From the
> > costs, infrastructure, and administrative perspectives, I am currently
> > evaluating whether or not I should be leaning towards an IDS or IPS
> > solution, and of course which system/vendor. My understanding is that
> > something like snort requires a fair bit of maintenance and
> > IT-attention, the trade-off being cost, so I am leaning away from
> > this. Between detection and prevention, preventing break-ins seems a
> > bit sillier than trying to actively monitor what's going on and to
> > then look for threats, so this pushes me more towards IDS over IPS.
>
> I agree with you. High rates of false positives, but fairly low rates
> of false negatives. Once the care and feeding is taken care of
> (turning off everything and gradually fine-tuning to your current
> traffic helps), they're useful for alerting against unusual traffic
> leaving your network; not so much against automated attacks coming in
> the network. My own deployments are specifically to monitor for odd
> outbound traffic from my office. It's a rapid way to find out about
> the latest trojan, worm, or other infection my users have brought in
> on their laptops.
>
> That said, the usefulness of an IDP is specifically preventing most
> automated and known attacks from passing in to your network. By using
> one of the commercial systems, you gain support, tuning, and the fact
> that you don't have to spend as much time with the care and feeding or
> writing/testing new rulesets against your current version.
>
> As a compliance feature, I've found most administrators put them in
> place and promptly turn the reporting off due to the high rate of
> false positives reducing the signal from the noise.
>
> jb

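The tuning approach discussed in the thread, starting with everything off and enabling rules gradually while paying most attention to outbound hits, can be supported with a small triage pass over Snort's alert_fast log. This is an added example, not code from the thread or from the Snort or pfSense projects; the alert lines, the SIDs (in the local 1000000+ range) and the HOME_NET value are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample alerts in Snort's alert_fast format (local SIDs, documentation IPs).
SAMPLE_ALERTS = """\
02/17-20:28:01.123456  [**] [1:1000001:1] LOCAL WEB suspicious response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.10:80 -> 192.168.1.20:51234
02/17-20:28:05.000001  [**] [1:1000002:1] LOCAL SCAN SIP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5060 -> 192.168.1.1:5060
02/17-20:28:06.000002  [**] [1:1000002:1] LOCAL SCAN SIP probe [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:5061 -> 192.168.1.1:5060
02/17-20:29:10.000003  [**] [1:1000003:1] LOCAL SCAN outbound SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.44:40001 -> 203.0.113.55:22
02/17-20:29:11.000004  [**] [1:1000003:1] LOCAL SCAN outbound SSH sweep [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.44:40002 -> 203.0.113.56:22
"""
# Assumed HOME_NET used to classify direction (same idea as Snort's HOME_NET variable).
HOME_NET = [ipaddress.ip_network("192.168.1.0/24")]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def in_home_net(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in HOME_NET)

def parse_alert(line):
    """Parse one alert_fast line; return None for lines that are not alerts."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    alert = m.groupdict()
    src_home, dst_home = in_home_net(alert["src"]), in_home_net(alert["dst"])
    if src_home and not dst_home:
        alert["direction"] = "outbound"
    elif dst_home and not src_home:
        alert["direction"] = "inbound"
    else:
        alert["direction"] = "internal" if src_home else "external"
    return alert

def triage(text, noise_threshold=2):
    """Outbound hits to review first; inbound-only SIDs firing often are disable candidates."""
    alerts = [a for a in map(parse_alert, text.splitlines()) if a]
    per_sid = Counter(a["sid"] for a in alerts)
    outbound = [a for a in alerts if a["direction"] == "outbound"]
    outbound_sids = {a["sid"] for a in outbound}
    noisy = sorted(sid for sid, n in per_sid.items()
                   if n >= noise_threshold and sid not in outbound_sids)
    return {"total": len(alerts), "per_sid": dict(per_sid),
            "outbound": outbound, "noisy_inbound_sids": noisy}
```

Point `triage` at a real `alert` file and adjust `HOME_NET` and `noise_threshold` to the site; the noisy list is a starting point for rules to suppress or disable, not an automatic decision.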