Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: IDS/IPS system with Foundry sFlow

from [Adam Powers] Network Security [Permanent Link]
Subject: Re: IDS/IPS system with Foundry sFlow
Date: Tue, 22 Apr 2008 16:18:13 -0400 

I have seen snort sFlow integrations done a few times times with varying
degrees of success. Definitely worth exploring as it doesn't cost ya much
other than your time. Problems with sample rates and TCP state are the
biggest barriers for serious content inspection.

1 in 128 is about the lowest most vendors recommend and even at that low
sample rate your already at 99%+ packet loss from snort's perspective.
Specially tuned sigs can be crafted to deal with the sparse content but I'm
not sure how many of other exist. I'm sure Marty can comment.

BTW: Snort syslog can be fed into the StealthWatch sFlow collector for
contextual reporting and event association.



On 4/22/08 2:18 PM, "Martin Roesch" <roesch@sourcefire.com> wrote:


When you say "with sFlow" do you mean analyze the sFlow records or
analyze the packets on the wire and correlate it with the sFlow data?

--
Sent from my iPhone

On Apr 21, 2008, at 3:42 PM, "Security Group" <secgro@gmail.com> wrote:


Hello,

We have got a network with an embedded support for sFlow technology.
We also want to have a good IDS/IPS system. Does anyone know a good
setup with our foundry?

We noticed that Foundry got their own application called "IronView
Network Manager", it is able to operate with snort. Does anyone know
of this is a good solution? Or should we use an sFlow converter (e.g.
InMon sFlow toolkit) that can work with snort?

What are the other possibilities for IDS/IPS besides snort. It has to
operate with the sFlow technology.

Kind regards,

Babel Timo

---
---------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form=impact=intro_sfw
<http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw> 
to learn more.
---
---------------------------------------------------------------------



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form=impact=intro_sfw
<http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=int
ro_sfw> 
to learn more.
------------------------------------------------------------------------







------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: IDS/IPS system with Foundry sFlow, Adam Powers
Next by Date:  Riorey DDOS appliance, alexpheno
Previous by Thread:  RE: IDS/IPS system with Foundry sFlow, Adamo, Alfonso
Next by Thread:  RE: IDS/IPS system with Foundry sFlow, Monk, Scott
Indexes:  [Date] [Thread] [Top] [All Lists]