
| Subject: | Re: Intrushield User Experiences Warts 'n' All |
|---|---|
| Date: | Thu, 28 Apr 2005 16:36:46 -0400 |
We use it in a very large scale implementation.
How easy is it to tune?
I have to say this is by far the best IDS/IPS solution we have implemented.
What are the false positive rates like?
False positives are low because of their large but specific signature sets. Be prepared for a fairly arduous tuning time to begin with.
Can you write custom signatures?
You can write custom signatures, but last time I tried it was so difficult I gave up. (I don't know if this was against the product's flexibility or against my lack of talent.) We worked with a few Intrushield engineers to get a few custom signatures we needed made so that we could use them in our environment.
How easy is it to update, both signatures and appliance patches?
The updates are very simple, although moving between version 1 and 2 on the sensor takes a nuance. Update to 1.9.2.24 before updating to the 2 series.
How frequently do you receive signature updates?
As frequently as is necessary really. They usually stick with two weeks I think. But if a high priority comes out they update immediately.
Does it provide sufficient information for an analyst to resolve an event?
Hell yes.
Does it do packet capture:
a. per event?
b. rolling?
c. how easy is it to recover said packets?
It rolls them up and saves the pertinent data from each event. You simply go into the alert viewer and it will launch Ethereal with the packet capture data so you can view it.
What is the support like?
We have a contract so we have a personal contact 24/7/365.

David Kuhlman