
List:       focus-ids
Subject:    Re: NetScreen IDS  (X-post)
From:       Jordan K Wiens <jwiens () nersp ! nerdc ! ufl ! edu>
Date:       2003-01-28 16:23:57

Doh!  Time for a big apology here; I just got a friendly reminder from
someone that I wasn't talking about the NetScreen IDS, but an entirely
different product.  We were evaling/meeting with a number of different
vendors at the time and I got my wires crossed as to what I was responding
to.

Please disregard my previous comments.  I have never seen the NetScreen IDS
product, and can't make any kind of judgement on it; my opinion below was
for a different IDS that will remain unnamed at this point since that's not
what this thread is about.  In fact, people familiar with the NetScreen IDS
may very well have been confused about what I was talking about, as I doubt
the particular issues below are necessarily relevant to NetScreen.

Again, I'm very sorry for the mistake, hope no harm was done.

-- 
Jordan Wiens
UF Network Incident Response Team
(352)392-2061

On Mon, 27 Jan 2003, Jordan K Wiens wrote:

> We demo'ed it, and found the interface to be excellent, the features great
> and the actual detection ability abysmal.  It does integrate fairly well
> with other IDS, and has a number of very nice features such as flow
> analysis and mild work tracking.  On our couple of /16s it generated so
> many hundreds of identical events due to its use of 'anomaly detection'
> that it was functionally useless.  On a highly controlled or very small
> network it might be useful, on a large network, it was fairly ineffective.
>
> Oh yeah; they claim to have the ability to correlate different attacks
> intelligently.  On our network the correlation was worse than no
> correlation whatsoever.  Different attacks were often lumped together, and
> (what I consider) obvious attacks were not correlated.
>
> If recent versions (last I saw it was about 6 months ago) have added a more
> robust signature base (the engine wasn't capable of incorporating too many
> signatures at first; they were heavily pushing their AD), and were able to
> make their correlation more effective, it would be an excellent product.
>
>
