On Thu, Oct 8, 2009 at 10:57 AM, Joachim Schipper <joac...@joachimschipper.nl> wrote:
> There is no support for the "queue packets to userspace" required by
> Snort's IPS mode in any released OpenBSD version...

I have never seen Snort deployed in IPS mode, only IDS mode for monitoring purposes. IMO, too many things break in IPS mode. The old ISS systems from IBM did "virtual patching" when in IPS mode. It basically altered the packets before sending them to the dest. You can imagine the stuff that broke.

> All told, though, I'm not convinced that IDSes are worth the time
> investment...

Me neither. However, they are required sometimes to be compliant with XYZ standards at least in monitoring mode.

Brad