Intrusion Detection Systems mailing list archives
Re: a novice question. -reply
From: yoda () xuma com (Jesse Nelson)
Date: Wed, 29 Mar 2000 06:31:24 -0800
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Ron Gula wrote:

> > -----------------------------------------------------------------------------
> > Each IDS system that has been mentioned has shortcomings. Dragon is vastly
> > different from ISS RealSecure. Dragon has other issues that go far beyond
> > some of the nuances that ISS RealSecure has. The current version of Dragon
> > still needs drastic improvement in order to even make a dent in the IDS
> > market segment. Dragon still requires a high level of TCP/IP expertise and
> > other skills not commonly known by monitor monkeys. So comparing Dragon to
> > ISS RealSecure is like apples to oranges. :)
>
> I agree. In many cases, we have been able to go into ISS shops and sell them
> several Dragon sensors for added forensics analysis. BTW, there are many
> shops out there who run more than one type of IDS.
>
> The entry level operators tend to use ISS, while the security gurus tend to
> use Dragon.

This is exactly why we did not go with ISS. We had been using Snort quite a bit and got really familiar with analyzing raw data. ISS left me and my partner with a feeling of not knowing what it was seeing or being able to validate what ISS was reporting. My personal feeling is that a really good GUI that does a lot of baselining and explaining is good for our engineers in the NOC, but when we see a lot of alerts we want to be able to reassemble the transaction, and have as much raw forensic data as possible.

> In many cases though, as people get more used to packet analysis and the
> types of traffic on their network, they use Dragon. It's still a learning
> curve. As for making dents in the IDS market, I'd say we've caused a few
> black eyes to the competition. There is nothing better than having your
> competition go into some of your key accounts, hook up their software to the
> network and watch the CPU peg to 100%.
>
> Ron Gula, CTO
> Network Security Wizards

--
Jesse Nelson
X U M A <Build-to-order e-business>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBN91vnNhXPjK633e5EQJLGgCgmF4I0ZETgvMYulA1JzKaYkRl5SEAnjKI
u0Jei6OSSWvZTIryJKbXZKyi
=S62K
-----END PGP SIGNATURE-----
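The point Jesse makes above, that an alert is only as good as the raw transaction you can reassemble behind it, can be shown concretely. What follows is an editor-added Python example, not code from this thread and not from Snort, Dragon or RealSecure. The packets, the alert dictionary, the `isn` field (sequence number of the first payload byte, which a real tool would take from the SYN handshake) and the phf CGI probe used as traffic are all constructed for the illustration.

```python
"""Added example (not code from the original thread, nor from Snort, Dragon
or RealSecure): check an IDS alert against the raw packets by reassembling
the TCP transaction instead of trusting a one-line summary.

Everything below is constructed for the illustration: the packet fields,
the alert dict, the hypothetical `isn` field (sequence number of the first
payload byte, which a real tool would take from the SYN handshake) and the
phf CGI probe used as traffic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Segment:
    """One TCP segment carrying payload (constructed; no header parsing)."""
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    payload: bytes


def flow_key(seg: Segment) -> Tuple[str, int, str, int]:
    return (seg.src, seg.sport, seg.dst, seg.dport)


def reassemble(segments: List[Segment], isn: int) -> Tuple[bytes, bool]:
    """Rebuild one direction of a TCP stream from its segments.

    Tolerates out-of-order delivery and retransmissions (overlapping bytes are
    dropped) and stops at the first hole, so a gap in the capture is reported
    as complete=False rather than silently glued over."""
    data = bytearray()
    expected = isn
    for seg in sorted(segments, key=lambda s: s.seq):
        if seg.seq > expected:
            return bytes(data), False          # hole: a segment is missing
        overlap = expected - seg.seq
        if overlap >= len(seg.payload):
            continue                           # pure retransmission, nothing new
        data += seg.payload[overlap:]
        expected += len(seg.payload) - overlap
    return bytes(data), True


def validate_alert(alert: Dict, capture: List[Segment]) -> Dict:
    """Re-check an alert against the raw capture for its flow.

    packet_hit is what a per-packet matcher would see; stream_hit is the
    verdict over the reassembled transaction, which is the evidence an
    analyst actually wants to read."""
    key = (alert["src"], alert["sport"], alert["dst"], alert["dport"])
    flow = [s for s in capture if flow_key(s) == key]
    stream, complete = reassemble(flow, alert["isn"])
    return {
        "packet_hit": any(alert["pattern"] in s.payload for s in flow),
        "stream_hit": alert["pattern"] in stream,
        "complete": complete,
        "evidence": stream,
    }


# Constructed traffic: the classic phf CGI probe, split across two segments
# right inside the string the signature looks for, delivered out of order and
# with the first segment retransmitted once. The reply belongs to the reverse
# flow and is ignored by the validator.
REQUEST = (b"GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0\r\n"
           b"Host: www.example.com\r\n\r\n")
PATTERN = b"/etc/passwd"
ISN = 1000
_cut = REQUEST.index(PATTERN) + 1
_first = Segment("10.0.0.5", 1234, "192.0.2.10", 80, ISN, REQUEST[:_cut])
_second = Segment("10.0.0.5", 1234, "192.0.2.10", 80, ISN + _cut, REQUEST[_cut:])
_reply = Segment("192.0.2.10", 80, "10.0.0.5", 1234, 5000,
                 b"HTTP/1.0 404 Not Found\r\n\r\n")
CAPTURE = [_second, _reply, _first, _first]

# Constructed alert record; field names are this example's, not an IDS format.
ALERT = {"src": "10.0.0.5", "sport": 1234, "dst": "192.0.2.10", "dport": 80,
         "isn": ISN, "pattern": PATTERN, "msg": "WEB-CGI phf access (constructed)"}

if __name__ == "__main__":
    verdict = validate_alert(ALERT, CAPTURE)
    print("per-packet match:", verdict["packet_hit"])   # False
    print("stream match:    ", verdict["stream_hit"])   # True
    print("capture complete:", verdict["complete"])     # True
    print(verdict["evidence"].decode())
    # Drop the first segment: now the alert cannot be validated at all.
    partial = validate_alert(ALERT, [s for s in CAPTURE if s.seq != ISN])
    print("with a hole:", partial["stream_hit"], partial["complete"])  # False False
```

The per-packet check misses the probe because the signature string straddles a segment boundary; only the reassembled stream shows it. The second run, with one segment absent from the capture, is the situation Jesse describes: the sensor may have fired, but without the raw bytes there is nothing to validate, and the example reports that honestly instead of returning a guess.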
