July 17th, 2002, 04:07 AM
Wow. Thanks, Bombay. I have a 6509 and recently heard about those IDS blades for them. I wasn't so sure about them myself; I would rather have a dedicated IDS solution. I was thinking of the Cisco IDS solution as I am already using Cisco routers, firewalls and switches. Of course, I know the beancounters would be happy for me to save some bucks on a cheap, reliable IDS solution.
So... I've also been playing with Snort, on a Windows box first; next I'll try it on a Red Hat box.
The fun NEVER ends...
just making some minor adjustments to your system....
July 17th, 2002, 04:22 AM
Nebulus: I did the testing on version 6. Although it wasn't amazing, it seemed to catch what it needed to at the time. The upgraded version is definitely better.
Bombay: You're right. The IDS is only as good as the last update. Truth is, there's no substitute for having someone who understands the system monitor it regularly. Protocol anomaly is a good idea, but much like profiling and content filtering, it's going to generate a lot of false positives.
IDS systems require a lot of tweaking and monitoring to work properly, even with only signatures in place. Protocol anomaly might just put it into the unusable category. I'd love to hear from someone who's actually set it up and used it for a while...
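To make the trade-off in the post above concrete, here is an added example (not code from the thread or from any Cisco or Snort product) that runs a one-rule signature matcher and a small protocol-anomaly checker over constructed HTTP request lines. The signature pattern, the "expected" method set and the length limit are hypothetical choices made for the illustration. The anomaly checker catches an encoded attack variant the literal signature misses, but it also fires on a legitimate WebDAV request and a long but harmless URI, which is exactly the false-positive problem the post describes; the `normalize` flag shows the kind of tuning that gets a signature rule to catch the variant instead.

```python
import re
from urllib.parse import unquote

# Constructed sample request lines (not captured traffic). Index 0 is benign,
# 1 is a classic CGI attack string, 2 the same attack with one byte
# percent-encoded, 3 a legitimate WebDAV request, 4 a long but harmless URI.
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0",
    "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/%70asswd HTTP/1.0",
    "PROPFIND /calendar/ HTTP/1.1",
    "GET /" + "a" * 300 + " HTTP/1.1",
]

# Signature rule: a literal string in the URI, the way early content-matching
# rules worked. Hypothetical rule written for this example, not from a ruleset.
SIGNATURES = [re.compile(r"/etc/passwd")]

# Protocol-anomaly rules: an assumed picture of "normal" HTTP for this server.
EXPECTED_METHODS = {"GET", "POST", "HEAD"}
MAX_URI_LEN = 200
# Raw or percent-encoded control characters (0x00-0x1f) inside the URI.
CTRL_IN_URI = re.compile(r"%0[0-9a-f]|%1[0-9a-f]|[\x00-\x1f]", re.I)


def parse(line):
    """Split 'METHOD URI VERSION'; returns (method, uri) or None if malformed."""
    parts = line.split(" ")
    if len(parts) != 3:
        return None
    return parts[0], parts[1]


def signature_alerts(requests, normalize=False):
    """Indexes of requests whose URI matches a signature.

    With normalize=True the URI is percent-decoded before matching, which is
    the sort of tweak that turns a miss on an encoded variant into a hit.
    """
    hits = []
    for i, line in enumerate(requests):
        parsed = parse(line)
        if parsed is None:
            continue
        uri = unquote(parsed[1]) if normalize else parsed[1]
        if any(sig.search(uri) for sig in SIGNATURES):
            hits.append(i)
    return hits


def anomaly_alerts(requests):
    """Map request index -> list of anomaly reasons.

    Needs no signature to flag the encoded attack (the %0a is a control
    character in the URI), but also fires on the benign PROPFIND and the
    long URI: every 'unusual' thing is an alert until someone tunes it.
    """
    alerts = {}
    for i, line in enumerate(requests):
        parsed = parse(line)
        if parsed is None:
            alerts[i] = ["malformed request line"]
            continue
        method, uri = parsed
        reasons = []
        if method not in EXPECTED_METHODS:
            reasons.append(f"unexpected method {method}")
        if len(uri) > MAX_URI_LEN:
            reasons.append(f"uri length {len(uri)} > {MAX_URI_LEN}")
        if CTRL_IN_URI.search(uri):
            reasons.append("control character in uri")
        if reasons:
            alerts[i] = reasons
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_alerts(REQUESTS))
    print("signature hits after decoding:", signature_alerts(REQUESTS, normalize=True))
    for idx, reasons in anomaly_alerts(REQUESTS).items():
        print(f"anomaly on request {idx}: {'; '.join(reasons)}")
```

On this input the literal signature flags only request 1, decoding first flags 1 and 2, and the anomaly checker flags 1 through 4, two of which (the WebDAV request and the long URI) are false positives an analyst would have to tune out.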
July 21st, 2002, 01:24 PM
Cisco's NIDS was never intended to be anything major, and it couldn't be at any time. PIX was built without extensions in mind, which is plain stupid. Their attempt to fix it today is also plain stupid; it won't achieve half what the OPSEC alliance has. They don't even have a protocol for intruder blocking to integrate with available NIDS, as in OPSEC's SAMP.
Cisco stinks; their routers, switches and HA solutions are overcome by Foundry and F5's kick-ass ****.