GroupStudy.com - A virtual community of network engineers
RE: IDS Questions [7:46639] posted 06/17/2002


For IDSs there are what 4 big players?

Cisco, ISS, Dragon, and Snort.

Personally, I like Snort.  I always use it whenever I can on Red Hat 7.2. 
Apparently, John Kaberna has installed Snort on a Y2K platform.  John, if 
you have the links please tell because I didn't know this was possible and 
I would love to run this on Windows for Windows only companies. 

Cisco IDS is good but not like groundbreaking.  It really comes down to 
pricing.  For the price, $0, Snort can not be beat.  CBAC IDS is cute, but 
only cute.

Theo







"Roberts, Larry" 
Sent by: nobody@xxxxxxxxxxxxxx
06/16/2002 01:02 AM
Please respond to "Roberts, Larry"

 
        To:     cisco@xxxxxxxxxxxxxx
        cc: 
        Subject:        RE: IDS Questions [7:46639]


That's why you always put your own IP as well as the CSPM server on the do not shun list...

That's a good point, but that scenario is exactly why they added the do not shun list.
Well that and the person who puts a custom signature denying telnetting and locks themselves out :)


Thanks

Larry


-----Original Message-----
From: Steven A. Ridder [mailto:saridder@xxxxxxxxxxx]
Sent: Saturday, June 15, 2002 10:07 AM
To: cisco@xxxxxxxxxxxxxx
Subject: Re: IDS Questions [7:46639]


I wouldn't use shunning only because a hacker can spoof an address, and you shun it, such as a web server, or IDS console, etc..


""Hamid""  wrote in message news:200206150732.DAA27556@xxxxxxxxxxxxxxxxx
> Maybe a silly question, Can anyone tell me what shunning is?
>
>
> ""John Kaberna""  wrote in message
> news:200206150006.UAA24713@xxxxxxxxxxxxxxxxx
> > I don't see why you'd get flamed for that except maybe from a die-hard
> > Cisco employee and even then I doubt it.  I prefer Snort a lot more than
> > Cisco's IDS because of price and I do prefer the fact that you have nearly
> > an entire industry of security people that work on Snort.  There are very
> > few seasoned security people that don't have a fair amount of experience
> > with Snort. There are few shops out there that rely solely on Cisco IDS.
> > If I had the choice though, I would probably run them both.  It wouldn't
> > hurt and it sure would make you feel good to catch an alarm on one IDS
> > that was missed by the other.
> >
> >
> > ""Peter Walker""  wrote in message
> > news:200206150001.UAA22893@xxxxxxxxxxxxxxxxx
> > > I hope I don't get flamed for this....
> > >
> > >  ... but I would like to ask a similar but different question.
> > >
> > > What reason is there to choose Cisco IDS over Snort. I just don't see
> > > Cisco IDS as having much in the way of advantages over Snort other than
> > > a Cisco label and a high price tag (and yes both of those can be
> > > perceived as advantages)
> > >
> > > Of all of the Cisco kit I have worked with the IDS system is the only
> > > one I can't see myself recommending to someone.
> > >
> > > Peter Walker
> > >
> > > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto  wrote:
> > >
> > > > Brian,
> > > >
> > > > We can both justify and afford a commercial IDS but choose Snort.
> > > > What do you see as drawbacks to Snort?
> > > >
> > >
> > > >>> "Brian Zeitz"  06/14/02 03:02PM >>>
> > >
> > >
> > > > So the most people who want IDS who cannot afford / justify (just
> > > > yet) an IDS box are using Snort?  I have a pix 515UR, and if I read
> > > > correctly, it has the capabilities to interface to an IDS box, but
> > > > it is not an IDS box itself.




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=46737&t=46639
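
The do-not-shun check discussed in this thread, sketched as an added example that is not part of the original posts and is not Cisco IDS or CSPM code. It goes one step beyond the thread by also declining to shun a source that never completed a TCP handshake, since such an address is unverified; the addresses, the `handshake_seen` field and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed never-shun list (RFC 5737 documentation addresses).
NEVER_SHUN = [ipaddress.ip_network(n) for n in (
    "192.0.2.10/32",    # hypothetical IDS management console
    "192.0.2.20/32",    # hypothetical public web server
    "198.51.100.0/28",  # hypothetical admin workstations
)]


def is_protected(addr):
    """True if addr falls inside any never-shun network."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on bad input
    return any(ip in net for net in NEVER_SHUN)


def decide(alert):
    """Return (action, reason) for one alert dict with the hypothetical
    keys 'src', 'signature' and 'handshake_seen'."""
    try:
        protected = is_protected(alert["src"])
    except ValueError:
        return ("alert-only", "unparseable source address")
    if protected:
        # A forged packet "from" this host must never cut it off.
        return ("alert-only", "source is on the never-shun list")
    if not alert.get("handshake_seen", False):
        # No completed TCP handshake: the source address is unverified.
        return ("alert-only", "source may be spoofed")
    return ("shun", "verified source, not protected")


# Constructed sample alerts, not taken from any real sensor.
SAMPLE_ALERTS = [
    {"src": "192.0.2.10", "signature": "custom-telnet", "handshake_seen": True},
    {"src": "198.51.100.7", "signature": "port-sweep", "handshake_seen": False},
    {"src": "203.0.113.50", "signature": "udp-flood", "handshake_seen": False},
    {"src": "203.0.113.99", "signature": "web-attack", "handshake_seen": True},
    {"src": "not-an-ip", "signature": "garbled", "handshake_seen": True},
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["src"], a["signature"], *decide(a))
```
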