On Thu, Feb 18, 2010 at 2:59 PM, bofh <goodb...@gmail.com> wrote:

> On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote:
>
>> <interesting & spot on remarks>
>>
>>> Just don't get ISS crap.
>>>
>>> Also, snort is good, but you must know what you're doing. Our snort box,
>>> running on an old throw away box, and only capturing/analyzing 10 minutes of
>>> every hour, is giving us *MORE* useful data than half a mil worth of ISS
>>> crap.
>>
>> Care to elaborate? :)
>
> Which parts? ISS sucks so much that even though IBM spent $$ to acquire
> them, IBM is now killing the entire product line? What kills me (and *TAKE
> NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
> report on how ISS's IPS took top billing in some magazine or review.

I haven't done my in-depth homework on commercial solutions - we're a small
company with a small budget, and have been reviewing various solutions in the
<20k / yr range (trustwave, alert logic, tripwire, etc). But a good point has
been brought up about overall access and the depth of information available.
I'll have to dig deeper on this. I don't know if this is a big enough issue for
us to overcome the major plus (offloading the constant analysis; our team is
small).

> On what we're doing internally, we're capturing data for 10 minutes every
> hour, and then having the box analyze that data using a variety of tools
> including snort. It then sends us information on crap such as botnet
> command/control traffic among other things. Things that we have full packet
> captures on, that ISS refuses to provide. We also drop it into a graphing
> tool, so we get nice maps of green/good traffic and red/bad traffic, and you
> can see the 3 boxes that are talking to all the botnet C&C servers, etc.

Sounds pretty rockin' - I'm sure it took a while to get that sorted out and up
to a usable form.

> We're still working on it, and I hope the new(er) servers we are putting in
> will be able to provide better/more info. Hopefully we'll buy some really
> beefy servers later in the year so that we can do full analysis.
>
> I'll send a list of the tools we used later, have to ping my guy for it :)

That would be fantastic, I am surely interested in some of the details of how
you have put this together.

Thanks for sharing!

~Jason
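The step bofh describes between snort and the graphing tool (turning alerts into a per-host picture where a few internal boxes fanning in on the same external servers show up red) could be done with a small post-processor like this. It is an added example, not code from anyone on the thread; the alert lines are constructed in Snort's "fast" alert layout using local-rule SIDs, and the internal range 10.0.0.0/8 is an assumption.

```python
"""Turn Snort 'fast' alerts into the per-host picture a traffic map needs.
Added example for this thread, not code anyone posted. Alert lines are
constructed (local-rule SIDs); the internal range 10.0.0.0/8 is assumed."""
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site address space

# Fast alert layout: ts [**] [gid:sid:rev] msg [**] [Classification: ..] [Priority: n] {proto} src:sp -> dst:dp
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\]"
    r".*?\{(?P<proto>\w+)\} (?P<src>[\d.]+)(?::\d+)? -> (?P<dst>[\d.]+)(?::\d+)?"
)

SAMPLE_ALERTS = """\
02/18-14:01:07.123456  [**] [1:1000001:1] LOCAL constructed botnet C&C checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.22:51234 -> 203.0.113.10:6667
02/18-14:02:11.000001  [**] [1:1000001:1] LOCAL constructed botnet C&C checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.23:51235 -> 203.0.113.10:6667
02/18-14:03:40.555555  [**] [1:1000002:1] LOCAL constructed C&C beacon over HTTP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.1.4.22:51240 -> 198.51.100.7:8080
02/18-14:05:02.000000  [**] [1:1000003:1] LOCAL constructed suspicious inbound response [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:80 -> 10.1.9.5:40000
02/18-14:06:59.999999  [**] [1:1000001:1] LOCAL constructed botnet C&C checkin [**] [Classification: A Network Trojan was detected] [Priority: 1] {UDP} 10.1.4.22:5555 -> 203.0.113.10:53
"""

def parse_alerts(text):
    """Yield (sid, msg, proto, src, dst) for every line that parses; skip junk."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            yield m.group("sid"), m.group("msg"), m.group("proto"), m.group("src"), m.group("dst")

def flagged_peers(text):
    """Map each internal host to the external addresses Snort flagged it talking to.
    Direction-agnostic, so an inbound alert is still attributed to the internal victim."""
    peers = defaultdict(set)
    for _sid, _msg, _proto, src, dst in parse_alerts(text):
        for inside, outside in ((src, dst), (dst, src)):
            if (ipaddress.ip_address(inside) in INTERNAL
                    and ipaddress.ip_address(outside) not in INTERNAL):
                peers[inside].add(outside)
    return dict(peers)

def shared_peers(text, min_hosts=2):
    """External addresses that several internal hosts were flagged against: the
    fan-in that makes a C&C server stand out as the red hub on the map."""
    fanin = defaultdict(set)
    for host, externals in flagged_peers(text).items():
        for ext in externals:
            fanin[ext].add(host)
    return {ext: sorted(hosts) for ext, hosts in fanin.items() if len(hosts) >= min_hosts}
```

Feeding `flagged_peers` and `shared_peers` to any graph library gives the green/red map directly: internal hosts with entries are the red nodes, and the keys of `shared_peers` are the hubs they all point at.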