Jason Beaudoin wrote:
> On Wed, Feb 17, 2010 at 11:28 PM, Johan Beisser <jb@caustic.org> wrote:
>> On Wed, Feb 17, 2010 at 7:59 PM, Jason Beaudoin <jasonbeaudoin@gmail.com> wrote:
>>> From a compliance perspective, I don't have much choice. From the
>>> costs, infrastructure, and administrative perspectives, I am currently
>>> evaluating whether or not I should be leaning towards an IDS or IPS
>>> solution, and of course which system/vendor. My understanding is that
>>> something like snort requires a fair bit of maintenance and
>>> IT-attention, the trade-off being cost, so I am leaning away from
>>> this. Between detection and prevention, preventing break-ins seems a
>>> bit sillier than trying to actively monitor what's going on and to
>>> then look for threats, so this pushes me more towards IDS over IPS.
>> I agree with you. High rates of false positives, but fairly low rates
>> of false negatives. Once the care and feeding is taken care of
>> (turning off everything and gradually fine tuning to your current
>> traffic helps), they're useful for alerting against unusual traffic
>> leaving your network; not so much against automated attacks coming in
>> the network. My own deployments are specifically to monitor for odd
>> outbound traffic from my office. It's a rapid way to find out about
>> the latest trojan, worm, or other infection my users have brought in
>> on their laptops.
>
> Indeed, this is why IDS makes more sense to me, and I am glad to see
> this confirmed/validated by others here. So I guess this is now just a
> question of setting up snort versus a commercial solution.
>
>
>> That said, the usefulness of an IDP is specifically preventing most
>> automated and known attacks from passing in to your network. By using
>> one of the commercial systems, you gain support, tuning, and the fact
>> that you don't have to spend as much time with the care and feeding or
>> writing/testing new rulesets against your current version.
>
> This is the difficult place I'm in.. to me, the commercial solution
> means I have someone else looking at and dealing with all of the false
> positives, which is something that I won't kid myself on - I don't
> know if I even have the time to be the fine tuning machine.. then
> again the cost is just plain silly when compared with a snort/bsd
> setup.
>
> Are there any good open source alternatives to Snort that are worth
> considering here?
>
>
>> As a compliance feature, I've found most administrators put them in
>> place and promptly turn the reporting off due to the high rate of
>> false positives reducing the signal from the noise.
>>
>> jb
>>
>
> right, which is just silly and a waste of everyone's time.
>
> thanks for sharing..
>
> ~Jason
>
bro-ids may be an alternative for you to consider. There is a
port/package like snort and the maintainer had asked for feedback/tests
for the new version 1.5.1 in the lists recently. It has a number of
features that I felt complemented Snort's list of features.
--
Vijay Sankar, M.Eng., P.Eng.
ForeTell Technologies Limited
59 Flamingo Avenue, Winnipeg, MB, Canada R3J 0X6
Phone: (204) 885-9535, E-Mail: vsankar@foretell.ca
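As an added example, not code from this thread, from Snort or from Bro: the tuning approach jb describes, suppressing the rules that only generate noise and then watching what is left for unusual outbound traffic, applied as a small triage pass over Snort "fast" alert lines. The alert lines, the SIDs and messages in them, and the internal address ranges are all constructed for illustration; the suppressed-SID set and hit threshold are the knobs an operator would adjust while fine tuning.

```python
import ipaddress
import re
from collections import Counter

# Address space treated as "inside" when classifying direction (an assumption of
# this example; the equivalent Snort setting would be HOME_NET).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Snort "fast" alert layout:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {proto} src:port -> dst:port
# The Classification block and the ports (ICMP has none) are optional.
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r"(?:\s+\[Classification:[^\]]*\])?\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

# Constructed sample alerts, not captured from a real sensor; SIDs and messages are made up.
SAMPLE_ALERTS = """\
02/17-23:28:01.100000  [**] [1:9000001:2] EXAMPLE TROJAN Beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.10:80
02/17-23:28:02.200000  [**] [1:9000002:1] EXAMPLE SCAN SSH probe [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 198.51.100.7:40000 -> 10.0.0.1:22
02/17-23:28:03.300000  [**] [1:9000003:1] EXAMPLE POLICY Windows Update check [**] [Classification: Potential Corporate Privacy Violation] [Priority: 3] {TCP} 10.0.0.5:49153 -> 203.0.113.50:443
02/17-23:28:04.400000  [**] [1:9000001:2] EXAMPLE TROJAN Beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49154 -> 203.0.113.10:80
02/17-23:28:05.500000  [**] [1:9000001:2] EXAMPLE TROJAN Beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:49155 -> 203.0.113.10:80
02/17-23:28:06.600000  [**] [1:9000001:2] EXAMPLE TROJAN Beacon to known C2 [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49156 -> 203.0.113.10:80
02/17-23:28:07.700000  [**] [1:9000004:1] EXAMPLE ICMP echo to outside [**] [Priority: 3] {ICMP} 10.0.0.5 -> 203.0.113.10
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_alert(line):
    """Return one fast-format alert as a dict with a derived 'direction', or None if it does not parse."""
    m = FAST_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["sid"] = int(a["sid"])
    a["prio"] = int(a["prio"])
    src_in, dst_in = is_internal(a["src"]), is_internal(a["dst"])
    if src_in and not dst_in:
        a["direction"] = "outbound"
    elif dst_in and not src_in:
        a["direction"] = "inbound"
    else:
        a["direction"] = "internal" if src_in else "external"
    return a


def triage(lines, suppressed_sids=frozenset(), min_hits=1):
    """Keep only outbound alerts, drop SIDs tuned out as noise, and report a
    (source host, SID) pair once it has fired at least min_hits times."""
    counts = Counter()
    msgs = {}
    for line in lines:
        a = parse_alert(line)
        if a is None or a["direction"] != "outbound" or a["sid"] in suppressed_sids:
            continue
        counts[(a["src"], a["sid"])] += 1
        msgs[a["sid"]] = a["msg"]
    report = [
        {"src": src, "sid": sid, "msg": msgs[sid], "hits": n}
        for (src, sid), n in counts.items() if n >= min_hits
    ]
    report.sort(key=lambda r: (-r["hits"], r["src"], r["sid"]))
    return report


if __name__ == "__main__":
    # First pass: nothing suppressed, every outbound hit shown, so the operator can see the noise.
    for r in triage(SAMPLE_ALERTS.splitlines()):
        print("untuned ", r)
    # Tuned pass: the policy rule is suppressed and a host must trip a SID twice before it is reported.
    for r in triage(SAMPLE_ALERTS.splitlines(), suppressed_sids={9000003}, min_hits=2):
        print("tuned   ", r)
```

The inbound SSH probe never reaches the report regardless of tuning, which is the point jb makes: the value of this kind of sensor is in the outbound view. Raising `min_hits` and growing `suppressed_sids` over a few days of real traffic is the "gradually fine tuning to your current traffic" step; in a production Snort deployment the same effect would come from `suppress` and `event_filter`/`threshold` entries rather than post-processing, but the decisions are identical.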