What is the best IDS you have ever used?

[qod]

What is the best IDS you have ever used? and why?

[spurious_inode]

This question strkes me as being analogous to "How long is a piece of string"? I get what you mean though,
and my vote is for snort.

-- spurious

[Tiger Shark]

The Pig, (Snort).

For Flexibility and simplicity.

[jpr*]

firestorm-nids, cause it's simply and fully configurable, and complete (u can customize it as u like best). cheers 2 all!
consoleknight.
pd: i don't know if i had 2 choose just from the list u gave. if that's the case, sorry for this post.
:-)

[Maestr0]

BlackIce doesn't really qualify as a true IDS in my opinion. I would say Snort mainly because its open source so thats what I get to work with the most.

-Maestr0

[karavay]

Snort - supports Win* and *nux
Free
Super Flexable
Updated often
etc...

[Lv4]

Hrm. I have used (and still currently use) Snort, NFR, ISS and Okena Stormwatch.

Okena is ok. I actually don't use Okena anymore, as Cisco bought them and changed the product a bit... plus at the time we were just evaluating the product and decided to not move forward on it. On the plus side, since Cisco bought them (in my opinion it was a move to limit the impact of the Nokia/ISS partnership) they provide a nice plugin for all their routers and switches so ease of use is up there and they have a pretty good CMS (Central Management System).

I like snort just because it's a fairly simple product and very straight forward... I just don't like the fact that if you have five or six of these things sitting around that there isn't a good CMS for it (at least that I have found). It runs on all the OS's that we use here (Solaris, Windows, and *BSD) so it makes life easy that way. Updates are always coming out, and there is a ton of support out there for it... plus it will run on just about any hardware you have sitting around.

NFR is ok. Their new stuff is much better than the old school interfaces they had. They used to use a hacked up version of FreeBSD but have since moved to Red Hat (still not sure why). They have a good CMS for their systems, but updates are still a pain and trying to write your own n-code stuff is not exactly what I would call fun. Part of the problem though is that you have to either get hardware to their specs, or buy the hardware from them... no taking that old pentium III 600 that you have laying around doing nothing and installing it on that

ISS is good, the only problem with them is their price. They have a fairly solid product, a good CMS, updates are fairly painless and fortunately for us they run on both Windows and Solaris... but I'm not sure about other *nix flavors. Oh and add to that the fact that they provide a plug in for the routers/switchs that we are using now and it's all good. Once again though their price is WAY out there.

[nebulus200]

Ok, not all of those are created equal, nor are they for the same situation.

NetDetector - Awesome. It is built by Niksun, who used to originally make sniffer products. They took their NetVCR system and added a snort engine. What does this mean? A couple of things: 1) Signatures can be applied RETROACTIVELY. Since all the data that it sees is stored locally (the more storage this puppy has the better), and can literally take a signature that you added, go back through the old data, and alert you to anything suspicous. 2) Since it records every packet, you can literally look through every file, every email, every command, every web page that someone went to while you are doing an investigation. See the hacker go to an FTP site and download a file aa? You can go to the NetDetector and actually look at AA and see what it was...pretty damn cool IMHO. We have been working with Niksun over the last few months to come up with a distributed sniffer/Snort implemenation and I believe that they are pretty much through implementing it. You could essentially deploy these at multiple locations and have the events come back to a central console and then the console figures out where the snort events came from and redirects you to the proper sensor. Negatives: Price. A 292Gb storage 10/100 NetDetector is like 25000 dollars....ouch.

Snort -- Good all around IDS with the price being right. If I was running a small network, this is what I would use, in one form or another. It, at the moment, does not scale well though and if you are in an environment where you would deploy say a few hundred sensors, you can pretty much forget about snort, unless you have megaworkers to keep it running.

ISS Real Secure (Don't forget about Site Protector). I was really high on ISS for a while; however, they recently dropped support for every system except their own epliance and Windows and Linux. Which just left us screwed with a ton of Sun hardware...GRRRRRRRRR. They have a very good enterprise solution that is very scalable. Drawbacks: Proprietary signatures that can sometimes take two weeks to be ready (yes you can use TRONS to make your own, but for that kind of money, should you have to?). Lack of packet data. Alot of times the signatures alert you to an event but don't store any header information that you would need to determine if it was a false positive or not...you can tell it to store some information, but it isn't always helpful. This has been a major limitation with Realsecure/Site Protector for a while now. On the positive side, they have integrated ISS Scanner into Site Protector now and you can use it to do some discovery scans. I am kind of mixed about iSS right now, they have a pretty good solution, but there are some limitations and they are VERY expensive. If you are running an enterprise and need tons of sensors, they are a pretty good solution, provided you have the money. If you are not an enterprise, forget it...

Cisco Secure IDS. Have heard a few good things about this, but unfortunatley have not gotten to play around with it too much. We chose to go away from Cisco because we were already relying on them so heavily for our router and some firewall architecture.

BlackICE. Originally heard some pretty good things about it, although lately been hearing alot of negative things about it. Dunno, haven't gotten to play around with it.

What you need to ask yourself are the following questions:
1) How many of these sensors are you going to deploy? If the answer is less than 20, look for a snort solution, if it is more, start looking at the enterprise solutions (Niksun and ISS).
2) How much money do you have? If the answer is not alot, then you can forget about the enterprise stuff, regardless of whether you need it or not.


Anyone played around with the Symantec IDS? Intruder alert I think it was?

/nebulus

[Lv4]

ack, ISS dropped Solaris support?! They didn't inform us of this... although to be completely honest I haven't had much chance to really look at their stuff in a while *sigh* too many other things going on.

I'll go look in to this. If that is the case (and I have no reason to not believe you) then I think we are going to have to rethink our enterprise level IDS support.

I have a question for you on NetDetector... can you use customer provided hardware, or are you kind of forced in to their hardware (kind of like NFR does)?

oh and my sympathies go out for you for being on call through the holidays. My good friend over at Sun has the same issue... and he and the wife just had a baby about 5 months ago so this is their kids first Christmas. He had to go to Virginia on Christmas day because the SSE's couldn't fix a problem

[nebulus200]

Netdetector has its own proprietary rack mountable units. Nothing fancy, essentially a specially configured BSD box and yes you have to use their hardware...that is what is nasty expensive...their 1U units are a little cheaper (~7K-10K).

Interestingly, I didn't see it on their website, but this is from a letter I received from them:

Sorry, don' t know the original source:

> > Hi all,
> >
> > I have been informed by ISS that they are going to EOSL of
> network sensor
> on
> > Solaris from 1st quarter of 2004! After that, the only supported
> platforms
> > will be Windows, Linux(red hat only) and of course their appliance
> Proventia
> > (at $10,000 for entry level Proventia Series A) Currently, all our
> network
> > sensors run on Solaris which are found to be stable and
> doing their job
> > fine. Migration from the nearly brand new Solaris
> platforms to any of the
> > new platforms (W2K, Linux, Proventia) will undoubtedly incur huge
> investment
> > that cannot be justified.
> >
> > It will be interesting to hear what you (ISS users) think
> about this.

That was dated 11/13/2003.

From: XXXXXX (ISSAtlanta) [mailto:xxxxxx@iss.net]
Sent: Friday, November 14, 2003 11:22 AM
To: xxxxxxxxx
Cc: xxxxxxxxx (ISS Virginia)
Subject: RE: EOS announcement


Hi XXXXXXX,

Yes, we are going to discontinue the support of Solaris 7, 8. This is targeted to happen Mar 04. Let me know if you need to discuss. Feel free to call me.

XXXXXXXXX
XXXXXX Account Manager/XXXXXXX
(xxx) xxx-xxx4 (Direct)
(xxx) xxx-xxx0 (eFax)
xxxxxxx@iss.net
www.iss.net

Weird they have no official announcement on their site that I can find though...

/nebulus