Re: IDS Questions [7:46639]
One thing the Cisco IDS has, and why we went with it, is the host sensors and the ability to correlate all the host data with the network data. Although we haven't purchased the hosts as of yet, we know it's viable.

-TV

"Brian Zeitz" wrote in message news:[EMAIL PROTECTED]...
> I read that the 2600 router (or definitely higher model routers) have IDS built in, but if you bought any Pix Firewall it wouldn't have IDS. Am I mistaken on this? So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself. Also, if I use Snort as an IDS, will the pix be able to recognize it? Maybe Microsoft will come out with a tool of this nature, which is free (not really free, but included with OS) like some of the built in components in 2000.
>
> If I have some misinformation here, I have not read my 1000 page IDS book as of yet, but I am working on MCNS.
>
> I found a document that will allow me to install Snort on Windows 2000, that is my current plan for implementing IDS. Can anyone give me the pros and cons of Snort vs. Cisco IDS system? What other alternatives should I be looking at? My company does not really need an IDS as of yet, but I am doing this just for fun and for learning about security/IDS.
>
> Hope my pro-Microsoft attitude is OK in the group. I like working on routers and security, and don't spend a lot of time tweaking around with Operating Systems.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46693&t=46639
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: IDS Questions [7:46639]
That's why you always put your own IP as well as the CSPM server on the do not shun list... That's a good point, but that scenario is exactly why they added the do not shun list. Well, that and the person who puts a custom signature denying telnetting and locks themselves out :)

Thanks
Larry

-----Original Message-----
From: Steven A. Ridder [mailto:[EMAIL PROTECTED]]
Sent: Saturday, June 15, 2002 10:07 AM
To: [EMAIL PROTECTED]
Subject: Re: IDS Questions [7:46639]

I wouldn't use shunning only because a hacker can spoof an address, and you shun it, such as a web server, or IDS console, etc..

"Hamid" wrote in message news:[EMAIL PROTECTED]...
> Maybe a silly question, Can anyone tell me what shunning is?
>
> "John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> > I don't see why you'd get flamed for that except maybe from a die-hard Cisco employee and even then I doubt it. I prefer Snort a lot more than Cisco's IDS because of price and I do prefer the fact that you have nearly an entire industry of security people that work on Snort. There are very few seasoned security people that don't have a fair amount of experience with Snort. There are few shops out there that rely solely on Cisco IDS. If I had the choice though, I would probably run them both. It wouldn't hurt and it sure would make you feel good to catch an alarm on one IDS that was missed by the other.
> >
> > "Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> > > I hope I don't get flamed for this
> > >
> > > ... but I would like to ask a similar but different question.
> > >
> > > What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)
> > >
> > > Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.
> > >
> > > Peter Walker
> > >
> > > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:
> > >
> > > > Brian,
> > > >
> > > > We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
> > > >
> > > > >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > > > > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46688&t=46639
RE: IDS Questions [7:46639]
Cisco IDS allows you to choose which signatures you shun on. Usually IP spoofing is involved with the packet signatures, where it doesn't matter that the response doesn't reach the attacker. Shunning is used on the more interactive attacks. Also, Cisco IDS allows you to exclude certain addresses from shunning, or to override certain address/signature combinations. For some attacks, a shunning IDS will stop it dead in its tracks.

Bob Irides

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steven A. Ridder
Sent: Saturday, June 15, 2002 11:07 AM
To: [EMAIL PROTECTED]
Subject: Re: IDS Questions [7:46639]

I wouldn't use shunning only because a hacker can spoof an address, and you shun it, such as a web server, or IDS console, etc..

"Hamid" wrote in message news:[EMAIL PROTECTED]...
> Maybe a silly question, Can anyone tell me what shunning is?
>
> "John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> > I don't see why you'd get flamed for that except maybe from a die-hard Cisco employee and even then I doubt it. I prefer Snort a lot more than Cisco's IDS because of price and I do prefer the fact that you have nearly an entire industry of security people that work on Snort. There are very few seasoned security people that don't have a fair amount of experience with Snort. There are few shops out there that rely solely on Cisco IDS. If I had the choice though, I would probably run them both. It wouldn't hurt and it sure would make you feel good to catch an alarm on one IDS that was missed by the other.
> >
> > "Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> > > I hope I don't get flamed for this
> > >
> > > ... but I would like to ask a similar but different question.
> > >
> > > What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)
> > >
> > > Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.
> > >
> > > Peter Walker
> > >
> > > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:
> > >
> > > > Brian,
> > > >
> > > > We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
> > > >
> > > > >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > > > > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46687&t=46639
Re: IDS Questions [7:46639]
I wouldn't use shunning only because a hacker can spoof an address, and you shun it, such as a web server, or IDS console, etc..

"Hamid" wrote in message news:[EMAIL PROTECTED]...
> Maybe a silly question, Can anyone tell me what shunning is?
>
> "John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> > I don't see why you'd get flamed for that except maybe from a die-hard Cisco employee and even then I doubt it. I prefer Snort a lot more than Cisco's IDS because of price and I do prefer the fact that you have nearly an entire industry of security people that work on Snort. There are very few seasoned security people that don't have a fair amount of experience with Snort. There are few shops out there that rely solely on Cisco IDS. If I had the choice though, I would probably run them both. It wouldn't hurt and it sure would make you feel good to catch an alarm on one IDS that was missed by the other.
> >
> > "Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> > > I hope I don't get flamed for this
> > >
> > > ... but I would like to ask a similar but different question.
> > >
> > > What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)
> > >
> > > Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.
> > >
> > > Peter Walker
> > >
> > > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:
> > >
> > > > Brian,
> > > >
> > > > We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
> > > >
> > > > >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > > > > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46684&t=46639
Re: IDS Questions [7:46639]
Shunning refers to the functionality of the IDS sensor to dynamically create an ACL that denies the attacker access and apply it to a specific interface. For example, you would have it set up so that when the sensor sees an attack from 65.65.65.65 it would create an ACL denying 65.65.65.65 access and apply it to the outside interface of a router.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46683&t=46639
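To make the mechanism concrete, here is an added example (not Cisco's code and not any poster's) modelling the shun decision defined in the post above together with the controls raised earlier in the thread: which signatures shun at all, a never-shun list (the "do not shun list" holding the CSPM server and the admin's own IP) so a spoofed source cannot be turned into a denial of service against legitimate hosts, and per-address/signature overrides. It renders the IOS extended ACL a router's outside interface would receive. All signature ids, addresses, the ACL number and the TTL are constructed for the example.

```python
# Added example (not Cisco's or any poster's code): a toy model of the shun
# decision discussed in this thread. All addresses, signature ids, the ACL
# number and the TTL are constructed for the example.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Alert:
    sig_id: int    # constructed signature id
    src_ip: str    # source address as seen on the wire (may be spoofed)
    ts: float      # time the alert fired, seconds


@dataclass
class ShunPolicy:
    shun_signatures: set      # only interactive-attack signatures shun
    never_shun: list          # CIDR strings: CSPM server, admin IP, servers
    overrides: set = field(default_factory=set)   # (sig_id, ip) exclusions
    ttl_seconds: int = 900    # lifetime of a shun entry

    def decide(self, alert):
        # Packet-only signatures are easy to spoof, so they never shun.
        if alert.sig_id not in self.shun_signatures:
            return False, "signature not shun-eligible"
        src = ip_address(alert.src_ip)
        for net in self.never_shun:
            if src in ip_network(net):
                return False, f"source in never-shun list ({net})"
        if (alert.sig_id, alert.src_ip) in self.overrides:
            return False, "address/signature override"
        return True, "shun"


class Shunner:
    """Tracks active shuns and renders the ACL a router would receive."""
    def __init__(self, policy, acl_number=101):
        self.policy = policy
        self.acl_number = acl_number
        self.active = {}      # src_ip -> expiry timestamp

    def handle(self, alert):
        shun, reason = self.policy.decide(alert)
        if shun:
            self.active[alert.src_ip] = alert.ts + self.policy.ttl_seconds
        return shun, reason

    def expire(self, now):
        """Drop shuns whose TTL has passed; return the released addresses."""
        gone = sorted(ip for ip, exp in self.active.items() if exp <= now)
        for ip in gone:
            del self.active[ip]
        return gone

    def render_acl(self):
        """Extended ACL for the outside interface: deny each shunned host."""
        lines = [f"access-list {self.acl_number} deny ip host {ip} any"
                 for ip in sorted(self.active)]
        lines.append(f"access-list {self.acl_number} permit ip any any")
        return lines


def demo():
    """Constructed alerts: real attack, spoofed CSPM source, packet-only sig."""
    policy = ShunPolicy(shun_signatures={1001, 1002},
                        never_shun=["10.0.0.5/32", "192.0.2.0/24"])
    shunner = Shunner(policy)
    decisions = [shunner.handle(Alert(1001, "65.65.65.65", 1000.0)),
                 shunner.handle(Alert(1001, "10.0.0.5", 1001.0)),
                 shunner.handle(Alert(2001, "203.0.113.9", 1002.0))]
    return decisions, shunner.render_acl()
```

Running `demo()` shuns only the first alert; the second is vetoed because its (possibly spoofed) source is the never-shun CSPM address, and the third because its signature is not shun-eligible.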
Re: IDS Questions [7:46639]
Maybe a silly question, Can anyone tell me what shunning is?

"John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> I don't see why you'd get flamed for that except maybe from a die-hard Cisco employee and even then I doubt it. I prefer Snort a lot more than Cisco's IDS because of price and I do prefer the fact that you have nearly an entire industry of security people that work on Snort. There are very few seasoned security people that don't have a fair amount of experience with Snort. There are few shops out there that rely solely on Cisco IDS. If I had the choice though, I would probably run them both. It wouldn't hurt and it sure would make you feel good to catch an alarm on one IDS that was missed by the other.
>
> "Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> > I hope I don't get flamed for this
> >
> > ... but I would like to ask a similar but different question.
> >
> > What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)
> >
> > Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.
> >
> > Peter Walker
> >
> > --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:
> >
> > > Brian,
> > >
> > > We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
> > >
> > > >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > > > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46677&t=46639
Re: IDS Questions [7:46639]
I don't see why you'd get flamed for that except maybe from a die-hard Cisco employee and even then I doubt it. I prefer Snort a lot more than Cisco's IDS because of price and I do prefer the fact that you have nearly an entire industry of security people that work on Snort. There are very few seasoned security people that don't have a fair amount of experience with Snort. There are few shops out there that rely solely on Cisco IDS. If I had the choice though, I would probably run them both. It wouldn't hurt and it sure would make you feel good to catch an alarm on one IDS that was missed by the other.

"Peter Walker" wrote in message news:[EMAIL PROTECTED]...
> I hope I don't get flamed for this
>
> ... but I would like to ask a similar but different question.
>
> What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)
>
> Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.
>
> Peter Walker
>
> --On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:
>
> > Brian,
> >
> > We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
> >
> > >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46660&t=46639
Re: IDS Questions [7:46639]
I hope I don't get flamed for this

... but I would like to ask a similar but different question.

What reason is there to choose Cisco IDS over Snort? I just don't see Cisco IDS as having much in the way of advantages over Snort other than a Cisco label and a high price tag (and yes both of those can be perceived as advantages)

Of all of the Cisco kit I have worked with the IDS system is the only one I can't see myself recommending to someone.

Peter Walker

--On Friday, June 14, 2002 7:13 PM -0400 Ken Diliberto wrote:

> Brian,
>
> We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?
>
> >>> "Brian Zeitz" 06/14/02 03:02PM >>>
> > So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46657&t=46639
Re: IDS Questions [7:46639]
Brian,

We can both justify and afford a commercial IDS but choose Snort. What do you see as drawbacks to Snort?

Do you have a connection to the Internet? If so, what makes you think you don't need an IDS? Get Snort up and running. You might be surprised.

We're running Snort on a Sun 220R. I think I prefer it on Unix, not on an NT/2K box.

Well, enough of my mindless rabble...

Ken

>>> "Brian Zeitz" 06/14/02 03:02PM >>>
I read that the 2600 router (or definitely higher model routers) have IDS built in, but if you bought any Pix Firewall it wouldn't have IDS. Am I mistaken on this? So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself. Also, if I use Snort as an IDS, will the pix be able to recognize it? Maybe Microsoft will come out with a tool of this nature, which is free (not really free, but included with OS) like some of the built in components in 2000.

[snip]

I found a document that will allow me to install Snort on Windows 2000, that is my current plan for implementing IDS. Can anyone give me the pros and cons of Snort vs. Cisco IDS system? What other alternatives should I be looking at? My company does not really need an IDS as of yet, but I am doing this just for fun and for learning about security/IDS.

Hope my pro-Microsoft attitude is OK in the group. I like working on routers and security, and don't spend a lot of time tweaking around with Operating Systems.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46648&t=46639
Re: IDS Questions [7:46639]
I stand corrected on the shunning part (thanks Glenn). You can use shun with 6.1, but I am not sure about the details for allowing this to happen dynamically using CSPM. I hesitate to ever implement dynamic shunning as a savvy attacker can use that to shun valid sources as a form of DoS.

"John Kaberna" wrote in message news:[EMAIL PROTECTED]...
> PIX's and routers capable of running IDS run a very limited version of IDS. I believe they only catch 59 signatures which isn't very much. It's not bad for a small company that has a PIX that would like to start down the path of having a true IDS some day.
>
> I'm not sure what you mean about Snort being recognized by the PIX. I would guess that you mean shunning which the PIX does not support regardless of whether you use Snort or a Cisco IDS solution. Only the routers support shunning.
>
> I personally use Snort for my small-medium clients since it's free, has a large install base, and can run on multiple platforms. If I have a client that is an all Windows shop I can put it on Win2k. If they are pro-Unix, I can put it on Linux or even Solaris. There is a lot more flexibility than some of the other IDS solutions for a lot less money.
>
> I doubt that I would desire an MS solution even if they did come out with one. I don't trust Bill when it comes to security.
>
> "Brian Zeitz" wrote in message news:[EMAIL PROTECTED]...
> > I read that the 2600 router (or definitely higher model routers) have IDS built in, but if you bought any Pix Firewall it wouldn't have IDS. Am I mistaken on this? So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself. Also, if I use Snort as an IDS, will the pix be able to recognize it? Maybe Microsoft will come out with a tool of this nature, which is free (not really free, but included with OS) like some of the built in components in 2000.
> >
> > If I have some misinformation here, I have not read my 1000 page IDS book as of yet, but I am working on MCNS.
> >
> > I found a document that will allow me to install Snort on Windows 2000, that is my current plan for implementing IDS. Can anyone give me the pros and cons of Snort vs. Cisco IDS system? What other alternatives should I be looking at? My company does not really need an IDS as of yet, but I am doing this just for fun and for learning about security/IDS.
> >
> > Hope my pro-Microsoft attitude is OK in the group. I like working on routers and security, and don't spend a lot of time tweaking around with Operating Systems.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46646&t=46639
Re: IDS Questions [7:46639]
PIX's and routers capable of running IDS run a very limited version of IDS. I believe they only catch 59 signatures which isn't very much. It's not bad for a small company that has a PIX that would like to start down the path of having a true IDS some day.

I'm not sure what you mean about Snort being recognized by the PIX. I would guess that you mean shunning which the PIX does not support regardless of whether you use Snort or a Cisco IDS solution. Only the routers support shunning.

I personally use Snort for my small-medium clients since it's free, has a large install base, and can run on multiple platforms. If I have a client that is an all Windows shop I can put it on Win2k. If they are pro-Unix, I can put it on Linux or even Solaris. There is a lot more flexibility than some of the other IDS solutions for a lot less money.

I doubt that I would desire an MS solution even if they did come out with one. I don't trust Bill when it comes to security.

"Brian Zeitz" wrote in message news:[EMAIL PROTECTED]...
> I read that the 2600 router (or definitely higher model routers) have IDS built in, but if you bought any Pix Firewall it wouldn't have IDS. Am I mistaken on this? So the most people who want IDS who cannot afford / justify (just yet) an IDS box are using Snort? I have a pix 515UR, and if I read correctly, it has the capabilities to interface to an IDS box, but it is not an IDS box itself. Also, if I use Snort as an IDS, will the pix be able to recognize it? Maybe Microsoft will come out with a tool of this nature, which is free (not really free, but included with OS) like some of the built in components in 2000.
>
> If I have some misinformation here, I have not read my 1000 page IDS book as of yet, but I am working on MCNS.
>
> I found a document that will allow me to install Snort on Windows 2000, that is my current plan for implementing IDS. Can anyone give me the pros and cons of Snort vs. Cisco IDS system? What other alternatives should I be looking at? My company does not really need an IDS as of yet, but I am doing this just for fun and for learning about security/IDS.
>
> Hope my pro-Microsoft attitude is OK in the group. I like working on routers and security, and don't spend a lot of time tweaking around with Operating Systems.

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=46641&t=46639