Network Security Focus-IDS

User defined signatures

Subject: User defined signatures
Date: Thu, 06 Jan 2005 08:42:59 -0500
> We have IntruShield deployed here, and I am disappointed. The ability
> to create user-defined signatures is very poor. There is no way to
> make a signature to look at all ports and protocols, so with a UDS,
> you must specify a protocol for it to look at. There is no
> command-line access to write signatures, so you must use their Java
> GUI. There is no way to import sigs from other vendors, such as Snort,
> and the rule flexibility is just not there. The built-in signatures are
> a closed set, so you do not know what IntruShield's signatures are
> firing on. You also cannot filter out traffic. There are filters
> available, but they only work on signature-based detection. Anomaly
> detection will still fire on the filtered traffic. I have yet to get
> the logging capability to work. You can set it to log X packets, but
> it won't display them when you view alerts.

I was impressed with the Juniper/Netscreen/Onesecure IDP and its strength in user-defined signatures and the visibility of the vendor-provided ones. It also has:

- excellent packet capture and analysis capabilities (configurable pre- and post-event capture per signature, highlighting of the trigger packet, and the ability to use a built-in and/or external packet viewer)

- a wealth of actions to choose from when signatures match (log, packet capture, email, syslog, SNMP trap, script execution, timed firewall entries on source or destination address, port, and/or netblock)

- good exception capabilities (active for both signatures and protocol anomalies)

- very flexible and easy-to-use reporting and user interface capabilities

I think it's safe to say that all the products are maturing rapidly, have unique strengths and weaknesses, and will leapfrog each other over time. If you're interested in flexibility, insight into your network traffic, understanding of how vendor signatures are working, and the ability to rapidly produce your own signatures, give the product a test drive.


Gary Flynn
Security Engineer
James Madison University
