Jason Beaudoin wrote:
> On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser <j...@caustic.org> wrote:
>> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaud...@gmail.com> wrote:
>>> From a compliance perspective, I don't have much choice. From the
>>> costs, infrastructure, and administrative perspectives, I am currently
>>> evaluating whether or not I should be leaning towards an IDS or IPS
>>> solution, and of course which system/vendor. My understanding is that
>>> something like snort requires a fair bit of maintenance and
>>> IT-attention, the trade-off being cost, so I am leaning away from
>>> this. Between detection and prevention, preventing break-ins seems a
>>> bit sillier than trying to actively monitor what's going on and to
>>> then look for threats, so this pushes me more towards IDS over IPS.
>>
>> I agree with you. High rates of false positives, but fairly low rates
>> of false negatives. Once the care and feeding is taken care of
>> (turning off everything and gradually fine tuning to your current
>> traffic helps), they're useful for alerting against unusual traffic
>> leaving your network; not so much against automated attacks coming in
>> the network. My own deployments are specifically to monitor for odd
>> outbound traffic from my office. It's a rapid way to find out about
>> the latest trojan, worm, or other infection my users have brought in
>> on their laptops.
>
> Indeed, this is why IDS makes more sense to me, and I am glad to see
> this confirmed/validated by others here. So I guess this is now just a
> question of setting up snort versus a commercial solution.
>
>> That said, the usefulness of an IDP is specifically preventing most
>> automated and known attacks from passing in to your network. By using
>> one of the commercial systems, you gain support, tuning, and the fact
>> that you don't have to spend as much time with the care and feeding or
>> writing/testing new rulesets against your current version.
>
> This is the difficult place I'm in.. to me, the commercial solution
> means I have someone else looking at and dealing with all of the false
> positives, which is something that I won't kid myself on - I don't
> know if I even have the time to be the fine tuning machine.. then
> again the cost is just plain silly when compared with a snort/bsd
> setup.
>
> Are there any good open source alternatives to Snort that are worth
> considering here?
>
>> As a compliance feature, I've found most administrators put them in
>> place and promptly turn the reporting off due to the high rate of
>> false positives reducing the signal from the noise.
>>
>> jb
>
> right, which is just silly and a waste of everyone's time.
>
> thanks for sharing..
>
> ~Jason
bro-ids may be an alternative for you to consider. There is a
port/package like snort and the maintainer had asked for feedback/tests
for the new version 1.5.1 in the lists recently. It has a number of
features that I felt complemented Snort's list of features.
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsan...@foretell.ca
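Johan's two practical points above (tune by starting with everything off and enabling rules against your own traffic, and treat outbound alerts as the high-value signal) translate into a small triage script. The following is an added example, not code from this thread or from the Snort project: it parses lines in Snort's single-line "fast" alert layout (the layout is assumed from common usage; the sample lines, rule names and local SIDs 1000001-1000003 are constructed), counts alerts per SID so the noisiest rules can be reviewed first, and separates alerts whose source is inside an assumed HOME_NET of 10.0.0.0/8 from the inbound noise.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Snort's single-line "fast" alert layout (assumed format).
# Rule names and SIDs are placeholders in the local-rule range, not real rules.
SAMPLE_ALERTS = """\
02/17-23:28:01.100000  [**] [1:1000001:1] LOCAL noisy-rule example [**] [Priority: 3] {TCP} 203.0.113.7:443 -> 10.0.1.15:49152
02/17-23:28:02.200000  [**] [1:1000001:1] LOCAL noisy-rule example [**] [Priority: 3] {TCP} 203.0.113.8:443 -> 10.0.1.16:49153
02/17-23:28:03.300000  [**] [1:1000001:1] LOCAL noisy-rule example [**] [Priority: 3] {TCP} 203.0.113.9:443 -> 10.0.1.17:49154
02/17-23:28:04.400000  [**] [1:1000002:1] LOCAL unusual outbound port example [**] [Priority: 1] {TCP} 10.0.1.15:51000 -> 198.51.100.5:6667
02/17-23:28:05.500000  [**] [1:1000003:1] LOCAL internal-only example [**] [Priority: 2] {UDP} 10.0.1.15:5353 -> 10.0.1.255:5353
"""

# Assumed HOME_NET; in a real deployment mirror the value from snort.conf.
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]

# One alert per line: timestamp, [gid:sid:rev], message, optional bracketed fields,
# {proto}, then IPv4 src:port -> dst:port (IPv6 addresses are not handled here).
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = ALERT_RE.match(line)
    return m.groupdict() if m else None


def _is_home(ip, home_net):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in home_net)


def direction(src, dst, home_net=HOME_NET):
    """Classify traffic relative to HOME_NET: outbound, inbound, internal or external."""
    s, d = _is_home(src, home_net), _is_home(dst, home_net)
    if s and not d:
        return "outbound"
    if d and not s:
        return "inbound"
    if s and d:
        return "internal"
    return "external"


def summarize(text, home_net=HOME_NET, noisy_threshold=3):
    """Count alerts per SID and pull out the outbound ones for review.

    'noisy' lists SIDs that fired at least noisy_threshold times, most frequent
    first: those are the candidates to disable or tune when working through a
    fresh ruleset against real traffic.
    """
    by_sid = Counter()
    msgs = {}
    outbound = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue  # skip blank lines, preprocessor chatter, truncated lines
        by_sid[alert["sid"]] += 1
        msgs[alert["sid"]] = alert["msg"]
        if direction(alert["src"], alert["dst"], home_net) == "outbound":
            outbound.append(alert)
    noisy = [sid for sid, n in by_sid.most_common() if n >= noisy_threshold]
    return {"by_sid": by_sid, "msgs": msgs, "outbound": outbound, "noisy": noisy}


if __name__ == "__main__":
    report = summarize(SAMPLE_ALERTS)
    print("Alerts per SID (review the top ones for tuning):")
    for sid, n in report["by_sid"].most_common():
        print(f"  {sid:>8} x{n:<3} {report['msgs'][sid]}")
    print("Noisy SIDs:", ", ".join(report["noisy"]) or "none")
    print("Outbound alerts from HOME_NET:")
    for a in report["outbound"]:
        print(f"  {a['ts']} {a['src']}:{a['sport']} -> {a['dst']}:{a['dport']} [{a['sid']}] {a['msg']}")
```

Run it over a real alert file with `summarize(open("alert").read())`; a practical tuning loop is to enable a rule group, run this over a day of alerts, and decide per noisy SID whether to disable it, add a suppression, or tighten its threshold, while the outbound list gets looked at regardless of volume.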