Educause Security Discussion mailing list archives
Re: IDS/IPS Solutions
From: Curt Wilson <curtw () SIU EDU>
Date: Mon, 7 Dec 2009 09:21:39 -0600
TippingPoint was not an option for us mostly due to price. I have used snort for many years, and we were getting good results on EXtrusion detection with the Bleeding Threats signatures (open source signatures contributed by the community) and finally purchased the Sourcefire system. We are using it in strictly IDS mode without its IPS functionality. It requires a fair amount of tuning. The Sourcefire signatures are mostly attempting to detect INtrusions, and some of them are useful, but the false positive rate can be high, requiring ongoing tuning and expertise. Bleeding Threats has morphed into Emerging Threats and there is a robust rule-submitting community. We have good luck detecting all sorts of activity.

We have a half-time graduate assistant doing most of the day-to-day alert checking, and I spend a portion of my day hands-on and also providing oversight to the process. I really like the open source signature writing community and the extensive user base, and the fact that you can do a large amount of tweaking. We have root on the sensor also, which is a plus (we use it to tcpdump sometimes since it's already set up on a SPAN port). I dislike that we do not have the same control that we would over a home-built snort solution without breaking support. For instance, we can't just go load any old preprocessor that someone writes, such as one that would capture PE files as they fly across the wire, and must submit a feature request instead.

Sourcefire support has been good to us when we've needed them, and we are able to use the alerts to justify further attention to security matters. But as we are not using its IPS functionality, we are unfortunately not *stopping* these attacks before they come in. Since most attacks these days seem to be attacking or tricking the client, IDS coverage seems to be spotty. For instance, IDS seems to have trouble processing file formats such as Microsoft Office, which is why there are other solutions to scan for Office-based malware, such as OfficeCat (from Sourcefire) and other utilities that can perform the processor-intensive file parsing operations. I have not paid much attention to attempting to alert on incoming Flash, Java, or PDF based malware for the same reasons, although some signatures could likely be written at the potential cost of CPU cycles and false positives.

Emerging Threats (see http://doc.emergingthreats.net/) is a huge plus. In addition to the aforementioned sigs for EXtrusion detection (such as various botnet IRC and HTTP command and control channel detections), they offer continually updated signatures with known malware IPs and hostnames. Leveraging those lists requires a robust update schedule, but even loading them infrequently can still give you some insight. A firewall might be a better blacklist, but I like that the IDS can give you packet context, and Sourcefire gives you the ability to download a pcap of every alert.

Hope this wasn't too much of a rambling message.

On Fri, Dec 4, 2009 at 4:54 PM, Shaun Gray <SGray () medford k12 nj us> wrote:
Hello Everyone,

We recently decided to implement an IDS/IPS system to complement our existing security mechanisms. I have used Snort for some time on the perimeter of our network, but found the system difficult to maintain. What system is everyone using, what are your likes/dislikes, and how was the implementation? Thanks in advance!

Shaun L. Gray
Network Engineer
Medford Township Board of Education
Information Technology Department
phone: 609.975.6159
email: sgray () medford k12 nj us
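The reply above describes feeding Emerging Threats' known-malware IP and hostname lists into a Snort sensor on an update schedule. As an added example (not code from the post, from Sourcefire or from Emerging Threats), here is a small Python script that turns such a list into local Snort 2.x rules watching the outbound (EXtrusion) direction. The list format (one IP, CIDR or hostname per line, `#` comments), the `LOCAL` message prefix, the SID range starting at 1000001 (the range Snort reserves for local rules) and the per-source `threshold` used to keep a chatty host from flooding the console are all assumptions of this example; malformed lines are dropped rather than emitted, because one bad rule makes the sensor refuse to load the whole file.

```python
"""Generate local Snort 2.x rules from an Emerging Threats style blocklist.

Added example, not from the mailing list post or from Sourcefire/ET.
Assumptions: list format (one IP/CIDR/hostname per line, '#' comments),
the LOCAL msg prefix, the local SID range and the rule-level threshold.
"""
import ipaddress
import re

# Constructed sample list (not real ET data) so the script runs offline.
SAMPLE_LIST = """\
# known C2 IPs (constructed sample)
203.0.113.7
198.51.100.0/24
# known malware hostnames (constructed sample)
update.badcdn.example
c2-panel.example.net
not a host name!
"""

# RFC 1123 style hostname: dotted labels, no leading/trailing '-', alpha TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$", re.I)


def parse_list(text):
    """Split a blocklist into (networks, hostnames); comments/junk dropped."""
    nets, hosts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            hosts.append(line.lower())
        # anything else is ignored: a malformed line must never become a
        # malformed rule, since Snort refuses to start on a single bad rule
    return nets, hosts


def snort_content(s):
    """Escape the characters Snort's content keyword treats specially."""
    return (s.replace("\\", "\\\\").replace('"', '\\"')
             .replace(";", "\\;").replace("|", "\\|"))


def dns_label_content(host):
    """Encode a hostname as the length-prefixed labels of a DNS QNAME."""
    return "".join(f"|{len(l):02x}|{l}" for l in host.split(".")) + "|00|"


def ip_rules(nets, sid):
    """One outbound rule per network, rate-limited per internal source."""
    rules = []
    for n in nets:
        rules.append(
            f"alert ip $HOME_NET any -> {n.with_prefixlen} any "
            f'(msg:"LOCAL known malware IP {n}"; '
            "threshold:type limit, track by_src, count 1, seconds 3600; "
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")
        sid += 1
    return rules, sid


def host_rules(hosts, sid):
    """Two rules per hostname: the HTTP Host header and the DNS lookup."""
    rules = []
    for h in hosts:
        rules.append(
            "alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS "
            f'(msg:"LOCAL known malware host {h} in HTTP Host header"; '
            "flow:established,to_server; "
            f'content:"Host|3a 20|{snort_content(h)}|0d 0a|"; nocase; '
            f"http_header; classtype:trojan-activity; sid:{sid}; rev:1;)")
        sid += 1
        rules.append(
            "alert udp $HOME_NET any -> any 53 "
            f'(msg:"LOCAL DNS query for known malware host {h}"; '
            f'content:"{dns_label_content(h)}"; nocase; '
            f"classtype:trojan-activity; sid:{sid}; rev:1;)")
        sid += 1
    return rules, sid


def build_rules(text, first_sid=1000001):
    """Return the full list of rule strings for a blocklist."""
    nets, hosts = parse_list(text)
    rules, sid = ip_rules(nets, first_sid)
    more, _ = host_rules(hosts, sid)
    return rules + more


if __name__ == "__main__":
    for rule in build_rules(SAMPLE_LIST):
        print(rule)
```

Write the output to a `local.rules` file included from `snort.conf`, run `snort -T -c snort.conf` to validate the configuration before reloading, and put the whole fetch-generate-validate-reload cycle in cron so the list stays current, which is the "robust update schedule" the reply calls for. Keep the generated SIDs stable across runs (sort the list first) so existing `event_filter` and suppression entries from your tuning keep pointing at the same rules.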
Current thread:
- IDS/IPS Solutions Shaun Gray (Dec 04)
- <Possible follow-ups>
- Re: IDS/IPS Solutions Di Fabio, Andrea (Dec 04)
- Re: IDS/IPS Solutions Azim Kassam Boblai (Dec 05)
- Re: IDS/IPS Solutions WILLIAM I ARNOLD (Dec 06)
- Re: IDS/IPS Solutions Delacruz, Jay J. (Dec 07)
- Re: IDS/IPS Solutions Curt Wilson (Dec 07)
- Re: IDS/IPS Solutions Dean Halter (Dec 07)
- Re: IDS/IPS Solutions Raymond, Jessica (Dec 07)
- IDS/IPS Solutions Gina Mieszczak (Dec 07)
- Re: IDS/IPS Solutions Crary, Greg (Dec 07)
- Re: IDS/IPS Solutions Foerst, Daniel P. (Dec 15)
- Re: IDS/IPS Solutions Christopher Jones (Dec 16)