On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote:

> <interesting & spot on remarks>
>
>
>> Just don't get ISS crap.
>>
>> Also, snort is good, but you must know what you're doing.  Our snort box,
>> running on an old throw away box, and only capturing/analyzing 10 minutes
>> of
>> every hour, is giving us *MORE* useful data than half a mil worth of ISS
>> crap.
>>
>
> Care to elaborate? :)
>
Which parts?  ISS suck so much that even though IBM spent $$ to acquire
them, IBM is now killing the entire product line?  What kills me (and *TAKE
NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
report on how ISS's IPS took top billing in some magazine or review.

On what we're doing internally, we're capturing data for 10 minutes every
hour, and then having the box analyze that data using a variety of tools
including snort.  It then sends us information on crap such as botnet
command/control traffic among other things.  Things that we have full packet
captures on, that ISS refuses to provide.  We also drop it into a graphing
tool, so we get nice maps of green/good traffic and red/bad traffic, and you
can see the 3 boxes that are talking to all the botnet C&C servers, etc.

We're still working on it, and I hope the new(er) servers we are putting in
will be able to provide better/more info.  Hopefully we'll buy some really
beefy servers later in the year so that we can do full analysis.

I'll send a list of the tools we used later, have to ping my guy for it :)

-- 
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk
"This officer's men seem to follow him merely out of idle curiosity."  --
Sandhurst officer cadet evaluation.
"Securing an environment of Windows platforms from abuse - external or
internal - is akin to trying to install sprinklers in a fireworks factory
where smoking on the job is permitted."  -- Gene Spafford
learn french:  http://www.youtube.com/watch?v=30v_g83VHK4
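The post describes feeding snort output from a 10-minute capture window into a graphing tool so that green/good and red/bad traffic show up as a map and the few hosts talking to all the C&C servers stand out. The script below is an added example from the editor, not code from the poster or his team, and the poster's actual tool list is not on the page. It assumes snort was run over the capture file with `-A fast` (the one-line alert format), that a separate flow summary of who-talked-to-whom is available (here a constructed list of tuples), and it emits Graphviz DOT as the "graphing tool" input, which is an editorial choice. All alert lines, SIDs (local range 1000001+), and addresses are constructed sample data.

```python
"""Turn a 10-minute capture window's flows plus Snort fast alerts into a coloured DOT graph."""
import re
from collections import defaultdict

# Layout of a Snort '-A fast' alert line; Classification and ports are optional
# (ICMP alerts carry no ports, some rules carry no classtype).
FAST_ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:\s*(?P<cls>[^\]]*)\])?"
    r"(?:\s+\[Priority:\s*(?P<prio>\d+)\])?"
    r"\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed flow summary for one capture window: (src, dst, dst_port).
FLOWS = [
    ("10.0.0.5", "203.0.113.7", 6667),
    ("10.0.0.5", "198.51.100.22", 6667),
    ("10.0.0.9", "203.0.113.7", 6667),
    ("10.0.0.9", "198.51.100.22", 443),
    ("10.0.0.12", "192.0.2.80", 443),
    ("10.0.0.12", "192.0.2.81", 80),
]

# Constructed Snort fast alerts for the same window (hypothetical local rules).
ALERTS = [
    "02/18-11:48:00.123456  [**] [1:1000001:1] LOCAL Possible IRC bot checkin [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:6667",
    "02/18-11:48:03.000001  [**] [1:1000001:1] LOCAL Possible IRC bot checkin [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49153 -> 198.51.100.22:6667",
    "02/18-11:49:10.500000  [**] [1:1000001:1] LOCAL Possible IRC bot checkin [**] "
    "[Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:50001 -> 203.0.113.7:6667",
    "02/18-11:51:42.000000  [**] [1:1000002:1] LOCAL Suspicious TLS beacon [**] "
    "[Priority: 2] {TCP} 10.0.0.9:50002 -> 198.51.100.22:443",
]


def parse_fast_alert(line):
    """Return the alert fields as a dict, or None if the line is not a fast alert."""
    m = FAST_ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["prio"] = int(d["prio"]) if d["prio"] else None
    return d


def build_edges(flows, alert_lines):
    """Map (src, dst) -> {"bad": bool, "msgs": set}; an edge is bad if any alert hit it."""
    edges = {}
    for src, dst, _port in flows:
        edges.setdefault((src, dst), {"bad": False, "msgs": set()})
    for line in alert_lines:
        a = parse_fast_alert(line)
        if a is None:
            continue  # skip unparseable lines instead of aborting the whole window
        e = edges.setdefault((a["src"], a["dst"]), {"bad": False, "msgs": set()})
        e["bad"] = True
        e["msgs"].add(a["msg"])
    return edges


def suspicious_sources(edges, min_bad_peers=2):
    """Internal hosts with alerts against at least min_bad_peers distinct destinations."""
    bad_peers = defaultdict(set)
    for (src, dst), e in edges.items():
        if e["bad"]:
            bad_peers[src].add(dst)
    return sorted(s for s, peers in bad_peers.items() if len(peers) >= min_bad_peers)


def shared_destinations(edges, min_sources=2):
    """Destinations flagged from at least min_sources internal hosts (likely C&C)."""
    by_dst = defaultdict(set)
    for (src, dst), e in edges.items():
        if e["bad"]:
            by_dst[dst].add(src)
    return sorted(d for d, srcs in by_dst.items() if len(srcs) >= min_sources)


def to_dot(edges):
    """Render the window as Graphviz DOT: red edges carry alerts, green ones do not."""
    lines = ["digraph capture {", "  rankdir=LR;"]
    for (src, dst), e in sorted(edges.items()):
        if e["bad"]:
            label = "; ".join(sorted(e["msgs"])).replace('"', "'")
            lines.append(f'  "{src}" -> "{dst}" [color=red, label="{label}"];')
        else:
            lines.append(f'  "{src}" -> "{dst}" [color=green];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = build_edges(FLOWS, ALERTS)
    print(to_dot(edges))
    print("hosts talking to several flagged peers:", suspicious_sources(edges))
    print("destinations flagged from several hosts:", shared_destinations(edges))
```

Pipe the DOT output through `dot -Tpng` to get the green/red map; the two helper functions give the same answer in text form (which internal boxes hit more than one flagged destination, and which external addresses are hit from more than one box), which is the part worth alerting on rather than eyeballing every hour.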
