[linux-guvenlik] Re: IDS


From: unspoken (ozan@lords.com)
Date: Fri 13 Sep 2002 - 10:33:25 EEST


I don't agree. I don't think there is as big a difference between Snort and RealSecure as Deniz said; the only difference I see is commercial support, a nice graphical interface and so on, and if you put a bit of effort into Snort you can build something nice that comes close to that interface anyway. As you know, Snort can run in 3 different modes: sniffer, packet logger and IDS. Maybe Deniz will say different things, but if you consider advantages such as technology and ease of use, Snort will be the preferred choice from many angles.

The discussion from the focus-ids list that I archived some time ago may give you an idea :)

 Hi,

 I don't agree with you. Snort, together with additional (free) tools,
 - Activworx IDS Policy Manager (very cool software)
 - ACID (CERT) or, even better, Security Focus (I'm not a Security Focus member) DeepSight Analyzer

 offers a high-level NIDS solution. The only interesting alternative, to me, is Enterasys Dragon.
 You can take a look at Prelude, a (young) global IDS solution with HIDS and NIDS and a centralized management console.
 Prelude is compatible with Snort, so you can also mix sensors or use only the management console.
 The others are *commercial stuff*: take the box, plug it in and don't care whether it really works!

>If central management/event correlation is what you need then my list would be:
>1. Enterasys Dragon
>2. Cisco Secure IDS
>3. ISS

 What's _really_ important in an IDS solution?
 Answer:
 - Number of signatures
 - Signature update frequency
 - Protocol analysis (HTTP, TCP, IP, ...) and defragmentation (IP and TCP)
 - Easy customisation

 Why not choose ISS or Cisco:

 Cisco Secure IDS only has ~230 sigs, updates every 30 days!!!, painful IP reassembly, and the GUI...
 Cisco Secure IDS Policy Manager! It's the 2.3.3i version if I remember. It's an end-of-life product (not officially) that was part of the CSPM bundle before. CSPM has gone to version 3.0, now in VMS 2.0 (VPN management solution).
 But no update for the IDS version. Now it is limited to 3 sensors and, as soon as the new version arrives, you'll need to pay for it again (no gift from Cisco).

 Rem: Our customers, CSPM 2.3 (firewall) users, must buy VMS 2.0 (very, very expensive) if they want to keep managing their devices in a centralized way, even if they pay for maintenance. Thank you, Cisco!!!

 ISS: ~400 sigs, updates every 30 days!!!, no protocol analysis!!! (look at fragroute or fragrouter)
 Network sensor ~$66000, uses the Snort sig base! No comment!

 Why choose Snort:

 1600 sigs, updates from 30 mins to a few days, protocol analysis: powerful IP/TCP reassembly, HTTP analysis,
 Full-featured NIDS with a lot of good projects around it like IDS Policy Manager, ACID, ...
 The possibility to reconfigure Checkpoint Firewall-1, Cisco routers and PIX, and soon Linux Netfilter (Snort Sam)
 And so much other stuff like price, performance, Open Source, ...

However, the new appliances from Cisco that promise better performance than Dragon (among other things) are still vaporware at this time.

 Vaporware is Cisco copyright ;-)

I'm a Snort fan but deploying 12 of them with central management needs good expertise and multi-tool gluing skills.

 Sure, but the others don't do better.

> Future versions of Snort will also make heavier use of protocol analysis. When detection is backed by teaching the NIDS the protocol's normal behaviour rather than relying on rules alone, the end result improves considerably. "Fooling" Snort with simple attack variations, as is possible today, will also become somewhat harder.
>
> In short, the protocol-analysis architecture is the more correct architecture. Snort's high success rate depends on its very comprehensive and fast-evolving rules...
>
> For people with different expectations, which one is meaningful/valuable can vary.
>
> regards, best wishes,
> -bd

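The point -bd makes above, that decoding the protocol before matching makes a NIDS harder to fool than byte-for-byte signatures, can be shown in a few lines. The following is an added example written for this archive page; it is not code from the thread, from Snort or from any of the products discussed. It compares a raw byte signature with a matcher that first normalises the HTTP request path (percent-decoding, collapsing `//`, resolving `.` and `..`) over a handful of constructed request lines. The path `/cgi-bin/admin.cgi` is a placeholder chosen for the example, not a signature from any real rule set.

```python
"""Added example: raw byte signature vs. protocol-aware matching.

A single "signature" is run against constructed HTTP request lines in which
the same path appears with trivial encoding differences. The raw matcher
sees only the first; the protocol-aware matcher sees all of them.
"""
import posixpath
import re
from typing import Optional
from urllib.parse import unquote

# Placeholder pattern for the example; any exact byte pattern behaves the same.
SIGNATURE = b"/cgi-bin/admin.cgi"

# Constructed sample traffic (not captured data). Only the first line matches
# the signature byte-for-byte; lines 2-5 are the same request re-encoded, and
# the last line is benign.
SAMPLE_REQUESTS = [
    b"GET /cgi-bin/admin.cgi HTTP/1.0",
    b"GET /cgi-bin/%61dmin.cgi HTTP/1.0",        # percent-encoded 'a'
    b"GET /cgi-bin/./admin.cgi HTTP/1.0",        # '.' segment
    b"GET /cgi-bin/foo/../admin.cgi HTTP/1.0",   # '..' segment
    b"GET /cgi-bin//admin.cgi HTTP/1.0",         # doubled slash
    b"GET /index.html HTTP/1.0",                 # benign
]


def raw_signature_match(request_line: bytes) -> bool:
    """Content-match the raw bytes, as a rule without protocol decoding would."""
    return SIGNATURE in request_line


def normalize_http_path(request_line: bytes) -> Optional[str]:
    """Minimal HTTP request-line decoding: take the request target, drop the
    query string, percent-decode it and canonicalise the path. This is the
    kind of work an HTTP preprocessor does before any rule is evaluated."""
    m = re.match(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$", request_line)
    if not m:
        return None  # not a well-formed request line; nothing to decode
    target = m.group(2).decode("latin-1")
    path = target.split("?", 1)[0]
    path = unquote(path)               # %61 -> a
    path = posixpath.normpath(path)    # collapses '//', './' and resolves '../'
    if not path.startswith("/"):
        path = "/" + path
    return path


def protocol_aware_match(request_line: bytes) -> bool:
    """Match the signature against the normalised path instead of raw bytes."""
    path = normalize_http_path(request_line)
    return path is not None and path == SIGNATURE.decode()


def evaluate(requests=SAMPLE_REQUESTS) -> dict:
    """Return how many of the sample lines each matcher flags."""
    return {
        "raw_signature": sum(raw_signature_match(r) for r in requests),
        "protocol_aware": sum(protocol_aware_match(r) for r in requests),
    }


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(f"{line.decode():45} raw={raw_signature_match(line)!s:5} "
              f"decoded={protocol_aware_match(line)}")
    print(evaluate())
```

The normalisation has to agree with what the protected server actually does with the same bytes; a decoder that is looser or stricter than the server either misses the request or alerts on traffic the server would reject. That is exactly the "teach the NIDS the protocol's normal behaviour" work the thread talks about, and it is why the quality of protocol analysis, not just the signature count, belongs on the evaluation list.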

This archive was generated by hypermail 2b29.