On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser <jb@caustic.org> wrote:
quoted text
> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaudoin@gmail.com> wrote:
>> From a compliance perspective, I don't have much choice. From the
>> costs, infrastructure, and administrative perspectives, I am currently
>> evaluating whether or not I should be leaning towards and IDS or IPS
>> solution, and of course which system/vendor. My understanding is that
>> something like snort requires a fair bit of maintenance and
>> IT-attention, the trade-off being cost, so I am leaning away from
>> this. Between detection and prevention, preventing break-ins seems a
>> bit sillier than trying to actively monitor what's going on and to
>> then look for threats, so this pushes me more towards IDS over IPS.
>
> I agree with you. High rates of false positives, but fairly low rates
> of false negatives. Once the care and feeding is taken care of
> (turning off everything and gradually fine tuning to your current
> traffic helps), they're useful for alerting against unusual traffic
> leaving your network; not so much against automated attacks coming in
> the network. My own deployments are specifically to monitor for odd
> outbound traffic from my office. It's a rapid way to find out about
> the latest trojan, worm, or other infection my users have brought in
> on their laptops.

Indeed, this is why IDS makes more sense to me, and I am glad to see
this confirmed/validated by others here. So I guess this is now just a
question of setting up snort versus a commercial solution.


quoted text
> That said, the usefulness of an IDP is specifically preventing most
> automated and known attacks from passing in to your network. By using
> one of the commercial systems, you gain support, tuning, and the fact
> that you don't have to spend as much time with the care and feeding or
> writing/testing new rulesets against your current version.

This is the difficult place I'm in.. to me, the commercial solution
means I have someone else looking at and dealing with all of the false
positives, which is something that I won't kid myself on - I don't
know if I even have the time to be the fine tuning machine.. then
again the cost is just plain silly when compared with a snort/bsd
setup.

Are there any good open source alternatives to Snort that are worth
considering here?


quoted text
> As a compliance feature, I've found most administrators put them in
> place and promptly turn the reporting off due to the high rate of
> false positives reducing the signal from the noise.
>
> jb
>

right, which is just silly and a waste of everyone's time.

thanks for sharing..

~Jason