Intrusion Detection Systems mailing list archives
Re: a novice question. -reply
From: Mark.Teicher () predictive com (Mark.Teicher () predictive com)
Date: Wed, 29 Mar 2000 13:00:09 -0800
Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

Jesse Nelson <yoda () xuma com>
Sent by: owner-ids () uow edu au
03/29/00 06:31 AM
To:
cc: ids () uow edu au
Subject: Re: IDS: a novice question. -reply

Previously stated, it really depends on an organization's warm and fuzzies about a particular IDS system over another. Some like all the bells and whistles and want the IDS application to do all the backend work and just spit out nice and spiffy Crystal or HTML pretty reports. Some like to roll their own reports and add in additional data, more than what is currently spit out through the generic reports, for explanation. For example, spoofed IPs, etc. have a lot more interesting data than a half-a-port scan. Replays of certain network activity other than the typical ftp, telnet sessions would also be nice.

I have personally gone through a few head-scratching sessions with a couple of commercial IDS apps during product evaluation testing (i.e. testing for usability, testing for monitor-monkey familiarity, testing for installation/de-installation, reporting, functionality under high, medium and low network conditions, etc.). I have also seen vast improvements in the IDS applications: the usability, usefulness, flexibility, etc. So stay tuned.. :)

/m

The entry level operators tend to use ISS, while the security gurus tend
to use Dragon.

This is exactly why we did not go with ISS. We had been using Snort quite a bit and got really familiar with analyzing raw data. ISS left me and my partner with a feeling of not knowing what it was seeing and not being able to validate what ISS was reporting. My personal feeling is that a really good GUI that does a lot of baselining and explaining is good for our engineers in the NOC, but when we see a lot of alerts we want to be able to reassemble the transaction, and have as much raw forensic data as possible.

Jesse Nelson
X U M A <Build-to-order e-business>

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBN91vnNhXPjK633e5EQJLGgCgmF4I0ZETgvMYulA1JzKaYkRl5SEAnjKI
u0Jei6OSSWvZTIryJKbXZKyi
=S62K
-----END PGP SIGNATURE-----
Current thread:
- Re: a novice question. -reply, (continued)
- Re: a novice question. -reply Ron Gula (Mar 28)
- Re: a novice question. -reply Jesse Nelson (Mar 29)
- Re: a novice question. -reply Ron Gula (Mar 28)
- Re: a novice question. -reply Mark.Teicher () predictive com (Mar 27)
- Re: a novice question. -reply Mark.Teicher () predictive com (Mar 27)
- Re: a novice question. -reply Stuart Staniford-Chen (Mar 27)
- Re: a novice question. -reply Mark.Teicher () predictive com (Mar 28)
- Re: a novice question. -reply Mark.Teicher () predictive com (Mar 28)
- Re: a novice question. -reply Ron Gula (Mar 29)
- Re: a novice question. -reply JohnNicholson () AOL COM (Mar 28)
- RE: a novice question. -reply Meritt, Jim (Mar 29)
- Re: a novice question. -reply Mark.Teicher () predictive com (Mar 29)
