On 2/18/2010 8:59 PM, bofh wrote:
On Thu, Feb 18, 2010 at 11:48 AM, Laurens Vets <laur...@daemon.be> wrote:

<interesting & spot-on remarks>

  Just don't get ISS crap.

Also, snort is good, but you must know what you're doing.  Our snort box,
running on an old throw away box, and only capturing/analyzing 10 minutes of
every hour, is giving us *MORE* useful data than half a mil worth of ISS
crap.


Care to elaborate? :)

Which parts?  ISS sucks so much that even though IBM spent $$ to acquire
them, IBM is now killing the entire product line?  What kills me (and *TAKE
NOTE - THOSE WHO REPORT TO PHBs*) is that just a few months ago, we read a
report on how ISS's IPS took top billing in some magazine or review.

IBM is not killing the ISS product line. They are removing some older IPSses from their portfolio and adding additional products.

On what we're doing internally, we're capturing data for 10 minutes every
hour, and then having the box analyze that data using a variety of tools
including snort.  It then sends us information on crap such as botnet
command/control traffic among other things.  Things that we have full packet
captures on, that ISS refuses to provide.  We also drop it into a graphing
tool, so we get nice maps of green/good traffic and red/bad traffic, and you
can see the 3 boxes that are talking to all the botnet C&C servers, etc.

We're still working on it, and I hope the new(er) servers we are putting in
will be able to provide better/more info.  Hopefully we'll buy some really
beefy servers later in the year so that we can do full analysis.

I'll send a list of the tools we used later, have to ping my guy for it :)

Thanks! This sounds very interesting tbh.
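The workflow bofh describes (capture a ten-minute window each hour, run snort over it, then map which internal hosts are talking to flagged C&C servers) comes down to parsing snort's alert output and aggregating it per host. The following is an added example written for this thread, not code from either poster or from the snort project. The alert lines, rule SIDs (local-range 1000001..1000003) and IP addresses are constructed, and treating 10.x as the internal network is an assumption; the capture and analysis commands in the comments are one way to produce such an alert file, not necessarily what their box runs.

```python
"""Aggregate snort 'fast'-format alerts into a per-host view of which internal
machines are talking to flagged command-and-control peers.

One way to produce the input, per the thread's 10-minutes-per-hour scheme
(assumed setup, not the posters' actual tooling):
    tcpdump -i eth0 -G 600 -W 1 -w hour.pcap      # capture a 600 s window
    snort -A fast -c snort.conf -r hour.pcap       # alerts land in alert file
"""
import re
from collections import defaultdict

# snort "fast" alert line layout:
#   TIMESTAMP  [**] [GID:SID:REV] MSG [**] [Classification: X] [Priority: N]
#   {PROTO} SRC:SPORT -> DST:DPORT      (ports absent for ICMP)
ALERT_RE = re.compile(
    r'^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+'
    r'(?P<msg>.*?)\s+\[\*\*\]\s+'
    r'(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?'
    r'\[Priority:\s+(?P<prio>\d+)\]\s+'
    r'\{(?P<proto>\w+)\}\s+'
    r'(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+'
    r'(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$'
)

# Constructed sample alert file: three internal hosts beaconing to two
# external peers, one low-priority benign alert, and one unparseable line.
SAMPLE_ALERTS = """\
02/18-20:00:13.101  [**] [1:1000001:1] CONSTRUCTED botnet C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49152 -> 203.0.113.7:6667
02/18-20:00:41.552  [**] [1:1000001:1] CONSTRUCTED botnet C2 beacon [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.9:50021 -> 203.0.113.7:6667
02/18-20:03:05.009  [**] [1:1000002:1] CONSTRUCTED C2 check-in over HTTP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.5:49160 -> 203.0.113.8:80
02/18-20:04:17.233  [**] [1:1000002:1] CONSTRUCTED C2 check-in over HTTP [**] [Classification: A Network Trojan was detected] [Priority: 1] {TCP} 10.0.0.12:51000 -> 203.0.113.8:80
02/18-20:05:59.877  [**] [1:1000003:2] CONSTRUCTED noisy ICMP ping sweep [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.20 -> 10.0.0.1
this line is garbage and must be skipped, not crash the parser
"""


def parse_alert(line):
    """Parse one fast-format alert line; return a dict or None if malformed."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    alert = m.groupdict()
    alert['sid'] = int(alert['sid'])
    alert['prio'] = int(alert['prio'])   # snort: 1 is the most severe
    return alert


def is_internal(ip, internal_prefixes=("10.",)):
    """Assumption for this example: the 10.x range is 'our' side of the wire."""
    return ip.startswith(internal_prefixes)


def c2_map(alert_text, max_priority=1, internal_prefixes=("10.",)):
    """Return ({internal_host: {external_peer: alert_count}}, unparsed_count).

    Only alerts at or below max_priority whose source is internal and whose
    destination is external count: those are the red edges on the graph.
    """
    hosts = defaultdict(lambda: defaultdict(int))
    unparsed = 0
    for line in alert_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        if alert is None:
            unparsed += 1           # keep going; one bad line must not lose the rest
            continue
        if alert['prio'] > max_priority:
            continue
        if is_internal(alert['src'], internal_prefixes) and \
                not is_internal(alert['dst'], internal_prefixes):
            hosts[alert['src']][alert['dst']] += 1
    return {h: dict(peers) for h, peers in hosts.items()}, unparsed


def rank_hosts(mapping):
    """Internal hosts ordered by number of distinct flagged peers, most first."""
    return sorted(mapping, key=lambda h: (-len(mapping[h]), h))


def to_dot(mapping):
    """Render the host -> peer edges as a Graphviz digraph (red = flagged)."""
    lines = ["digraph c2 {"]
    for host, peers in sorted(mapping.items()):
        for peer, count in sorted(peers.items()):
            lines.append(f'  "{host}" -> "{peer}" [label="{count}", color="red"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    mapping, bad = c2_map(SAMPLE_ALERTS)
    for host in rank_hosts(mapping):
        print(host, "->", ", ".join(sorted(mapping[host])))
    print(f"{bad} line(s) could not be parsed")
    print(to_dot(mapping))
```

Feed the real alert file in place of `SAMPLE_ALERTS` and the `to_dot` output drops straight into `dot -Tpng` for the kind of red/green map the thread mentions; the priority filter is what keeps the noisy low-severity rules off that picture.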
