Network Security Focus-IDS

Re: Intrushield vs. ISS once more...

Subject: Re: Intrushield vs. ISS once more...
Date: Fri, 7 Jan 2005 12:57:35 -0600
Not true.  We have their IntruShield product and you only need to have
Ethereal installed on the box you're accessing the Alert Viewer from
(Alert Viewer is accessed via the web-based Java console).  Under
Tools->Preferences->General there is a field for you to specify the
path to your locally installed copy of Ethereal.  I use it all the
time.  It works great.

As for missing network packets, I've usually found that the packets
were kept, just not with the alert I'm working with.  One network
event can trigger multiple IPS alerts and _usually_ the data is with
the first alert triggered.

I do agree with their lack of reporting.  It stinks.  It's not like
they don't have the back end to work with either: MySQL or Oracle. 
The data's there.  The interface isn't.  Sure, I could dig into their
db table structure and create my own SQL statements, but I'm not about
to go there.  We have a pretty hefty support contract with McAfee and
I've talked to them a lot about their sorry reporting.  If you believe
the talking heads, the version of the monitoring console that's in
beta and due to be public in February has greatly improved reporting. 
I'm looking forward to trying it - but not holding my breath until I
see it.
