IDS mailing list archives
Re: Entercept HIDS Question
From: <counterveil () yahoo com>
Date: 9 Mar 2004 00:28:52 -0000
In-Reply-To: <0C7C6E1720E8D74FB52EBEF93649730A01768C78@2k099exm01.compucom.local>

I don't know why you had all these problems; our install went flawlessly. We entered into a "discovery mode" (warning mode on the agent) for 1 month to determine what normal traffic was like, wrote the appropriate exceptions and then moved into full production mode (protect mode) with absolutely zero issues. Entercept has been a dream for us and we have been hit with 0 worms / viruses / hacks since the install.

Sam, I can't specifically answer your question about replacing Tripwire, but we did do a CPU utilization profile across several hosts to try to fingerprint how much additional utilization our hosts would get with the agent. We saw a ~2.7% increase in normal operations, which is not much to speak of. Good stuff.

I would highly recommend Entercept from my viewpoint. I eval'ed CSA and Entercept and found the latter to be better suited to our environment. Plus, I don't really trust this "no signatures" thing that CSA has - Entercept has both a "signatureless" agent and signatures on their ISAPI filters, which is a nice thing when you hand a report to management saying how much of a certain type of attack was blocked :)

Any questions, feel free to hit me up at my e-mail address below.

- Chris
counterveil () yahoo com

> My company bought Entercept and then immediately removed it from production, if that tells you anything. It caused blue screens like crazy, huge performance issues, and blocked an inordinate amount of allowed traffic. This was even in detect-only mode.
>
> -----Original Message-----
> From: sam () neuroflux com [mailto:sam () neuroflux com]
> Sent: Tuesday, March 02, 2004 11:31 AM
> To: focus-ids () securityfocus com
> Subject: Entercept HIDS Question
>
> Hello..
>
> We are currently in the process of selecting a HIDS-based product, and according to the Entercept sales person, they claim that the product has a feature that works very much like Tripwire. My question here is how much overhead does it add to a server to watch the filesystem in real time? And, if we already have Tripwire, would their file integrity checking process be enough to replace Tripwire?
>
> And, if anyone is currently using the Entercept HIDS product, I'm wondering how easily it can be managed (not only from the HIDS piece, but from the file integrity standpoint -- excluding files, creating policies, etc.)
>
> Thanks!
> -Sam
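Sam asks about file-integrity checking and its exclusion policies, and Chris describes a "discovery mode" baseline followed by written exceptions. The following is an added illustration, not code from any poster or from Entercept or Tripwire: a minimal Tripwire-style baseline/compare in Python with a constructed glob exclusion policy. It polls rather than watching the filesystem in real time, and the hashing pass is exactly the CPU cost a scheduled integrity check adds; the sample tree, file names and patterns are constructed for the demo.

```python
import fnmatch
import hashlib
import os
import tempfile

# Constructed exclusion policy: globs for paths expected to change legitimately,
# which would otherwise flood the check with noise (the "exceptions" written after discovery).
EXCLUDE_PATTERNS = ["*.log", "cache/*"]

def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def excluded(relpath: str, patterns=EXCLUDE_PATTERNS) -> bool:
    return any(fnmatch.fnmatch(relpath, p) for p in patterns)

def build_baseline(root: str, patterns=EXCLUDE_PATTERNS) -> dict:
    """Record the sha256 of every non-excluded regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if excluded(rel, patterns) or not os.path.isfile(full):
                continue
            baseline[rel] = sha256_of(full)
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference between the stored baseline and a fresh scan."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }

def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bin"))
        for rel, data in {"bin/app": b"v1", "conf.ini": b"a=1", "app.log": b"noise"}.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        baseline = build_baseline(root)
        # Simulated changes: binary replaced, config removed, new file dropped in; the log
        # also grows, but it is excluded by policy and must not be reported.
        with open(os.path.join(root, "bin", "app"), "wb") as f:
            f.write(b"v2")
        os.remove(os.path.join(root, "conf.ini"))
        with open(os.path.join(root, "bin", "extra"), "wb") as f:
            f.write(b"x")
        with open(os.path.join(root, "app.log"), "ab") as f:
            f.write(b"more")
        return compare(baseline, build_baseline(root))
```

Running `demo()` reports the replaced binary as modified, the deleted config as removed and the new file as added, while the growing log stays silent because the policy excludes it.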
Current thread:
- Entercept HIDS Question sam (Mar 02)
- <Possible follow-ups>
- RE: Entercept HIDS Question Josh.Berry (Mar 03)
- Re: Entercept HIDS Question gatekeeper (Mar 04)
- RE: Entercept HIDS Question Zach Forsyth (Mar 03)
- RE: Entercept HIDS Question dlimanov (Mar 04)
- RE: Entercept HIDS Question Josh.Berry (Mar 08)
- RE: Entercept HIDS Question Ralph H. Chapman (Mar 08)
- RE: Entercept HIDS Question dlimanov (Mar 08)
- Re: Entercept HIDS Question greg gonzalez (Mar 12)
- Re: Entercept HIDS Question counterveil (Mar 12)
- RE: Entercept HIDS Question simonis (Mar 12)
- Re: Entercept HIDS Question John Bedrick (Mar 12)
- RE: Entercept HIDS Question Ralph H. Chapman (Mar 15)
- Re: Entercept HIDS Question Johann_van_Duyn (Mar 16)