On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote:
> <interesting & spot on remarks>
>
>
> Just don't get ISS crap.
>>
>> Also, snort is good, but you must know what you're doing. Our snort box,
>> running on an old throw away box, and only capturing/analyzing 10 minutes
>> of
>> every hour, is giving us *MORE* useful data than half a mil worth of ISS
>> crap.
>>
>
> Care to elaborate? :)
>
>

Which parts? ISS sucks so much that even though IBM spent $$ to acquire them, IBM is now killing the entire product line?

What kills me (and *TAKE NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a report on how ISS's IPS took top billing in some magazine or review.

On what we're doing internally, we're capturing data for 10 minutes every hour, and then having the box analyze that data using a variety of tools including snort. It then sends us information on crap such as botnet command/control traffic, among other things. Things that we have full packet captures on, that ISS refuses to provide.

We also drop it into a graphing tool, so we get nice maps of green/good traffic and red/bad traffic, and you can see those 3 boxes that are talking to all the botnet C&C servers, etc.

We're still working on it, and I hope the new(er) servers we are putting in will be able to provide better/more info. Hopefully we'll buy some really beefy servers later in the year so that we can do full analysis.

I'll send a list of the tools we used later, have to ping my guy for it :)

--
http://www.glumbert.com/media/shift
http://www.youtube.com/watch?v=tGvHNNOLnCk

"This officer's men seem to follow him merely out of idle curiosity." -- Sandhurst officer cadet evaluation.

"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -- Gene Spafford

learn french: http://www.youtube.com/watch?v=30v_g83VHK4
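The post describes running snort over the hourly captures and then mapping which internal boxes talk to botnet C&C servers. As an added illustration (not code from the poster or from the snort project), the following parses snort "fast" alert lines and ranks internal hosts by how many distinct C&C-tagged destinations they reached; the alert lines, SIDs and addresses are constructed placeholders, and the `C&C` keyword match on the rule message is an assumption about how the rules are named.

```python
import re
from collections import defaultdict

# Constructed sample lines in snort "fast" alert format (placeholder SIDs and
# documentation-range addresses, not real alerts). One malformed line is included.
SAMPLE_ALERTS = """\
02/18-11:05:01.000001  [**] [1:9000001:1] TEST BOTNET C&C IRC join [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49152 -> 203.0.113.7:6667
02/18-11:05:02.000001  [**] [1:9000001:1] TEST BOTNET C&C IRC join [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49153 -> 203.0.113.8:6667
02/18-11:05:03.000001  [**] [1:9000002:1] TEST BOTNET C&C HTTP beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.9:51000 -> 198.51.100.4:80
02/18-11:05:04.000001  [**] [1:9000003:1] TEST POLICY chat client [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 10.1.2.3:49154 -> 192.0.2.20:5222
02/18-11:05:05.000001  [**] [1:9000001:1] TEST BOTNET C&C IRC join [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.2.3:49155 -> 203.0.113.9:6667
not an alert line
"""

# Fast-format layout: timestamp, [**] [gid:sid:rev] msg [**], optional
# classification and priority, {proto} src[:port] -> dst[:port]. IPv4 only here.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\]"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?(?: \[Priority: (?P<prio>\d+)\])?"
    r" \{(?P<proto>\w+)\} (?P<src>[^\s:]+)(?::(?P<sport>\d+))? -> (?P<dst>[^\s:]+)(?::(?P<dport>\d+))?$"
)


def parse_fast_alerts(text):
    """Return one dict per well-formed fast-format line; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if m:
            alerts.append(m.groupdict())
    return alerts


def cnc_talkers(alerts, keyword="C&C"):
    """Map each source host to the set of destinations it reached under a C&C-tagged rule."""
    peers = defaultdict(set)
    for a in alerts:
        if keyword in a["msg"]:
            peers[a["src"]].add(a["dst"])
    return dict(peers)


def rank_hosts(peers):
    """Hosts ordered by number of distinct C&C peers, most suspicious first."""
    return sorted(((h, len(d)) for h, d in peers.items()), key=lambda x: (-x[1], x[0]))
```

The ranked list is what the green/red graph in the post makes visible at a glance: the host with the most distinct C&C peers is the box to pull the full packet capture for.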