Question

  Asked: Jun 1 2007   12:10 AM GMT
  Asked by: dimchik


Intrusion detection


Networking, Hardware, Routers, Switches, Hubs, Cabling, Network monitoring, Security, Network security, Firewalls, VPN, Intrusion management, Incident response, Forensics, Wireless

Does anyone know of any good intrusion detection system boxes which are not crazy expensive and support up to 1GB lines?

Answer Wiki

McAfee Intrushield. It depends on what you think is "Crazy Expensive".



Discuss This Answer



astronomer  |   Jun 1 2007  6:19PM GMT

You should probably check out this link on how to do it with Snort: http://www.ics.forth.gr/carv/np/splitter_tr323.pdf
There are commercial solutions, but the price is high. Here is an example: http://www.lightreading.com/document.asp?doc_id=92639&print=true

This link also looks interesting: http://www.bro-ids.org/ Since this is from Lawrence Berkeley Lab, the government has already paid for development.
It seems if you are running a fast system without a GUI, and you aren’t trying to do too much, you can get away with Gbit speeds.
rt
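The splitter approach astronomer points to is one common way to get an open-source sensor such as Snort up to gigabit rates: fan the tap out to several sensor boxes and give each one a share of the traffic. The one rule that matters when doing this is that both directions of a flow must land on the same sensor, otherwise stream reassembly and any stateful rule on that sensor only ever sees half the conversation. The following is an added example, not code from the thread or from the linked paper, showing a direction-independent (symmetric) flow hash beside the naive per-packet hash that gets this wrong. The packet trace, sensor count and field names are constructed for the example.

```python
"""Flow-symmetric traffic splitting across several IDS sensors.

Assumption (not from the thread): one Gbit tap is fanned out to
n_sensors boxes, each running an IDS on a share of the traffic. Every
packet of a flow, in both directions, must reach the same sensor.
"""
import hashlib
from collections import defaultdict


def flow_key(src_ip, dst_ip, proto, src_port, dst_port):
    """Return a direction-independent key for a 5-tuple.

    The two endpoints are sorted, so A->B and B->A yield the same key.
    """
    a = (src_ip, src_port)
    b = (dst_ip, dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (proto, lo, hi)


def _bucket(key, n_sensors):
    """Hash an arbitrary key to a sensor index in [0, n_sensors)."""
    if n_sensors < 1:
        raise ValueError("need at least one sensor")
    digest = hashlib.blake2b(repr(key).encode(), digest_size=8).digest()
    return int.from_bytes(digest, "big") % n_sensors


def pick_sensor(src_ip, dst_ip, proto, src_port, dst_port, n_sensors):
    """Correct splitter: both directions of a flow map to one sensor."""
    return _bucket(flow_key(src_ip, dst_ip, proto, src_port, dst_port), n_sensors)


def naive_pick_sensor(src_ip, dst_ip, proto, src_port, dst_port, n_sensors):
    """Broken splitter: hashes the raw 5-tuple, so the reply direction of a
    flow usually lands on a different sensor than the request direction."""
    return _bucket((src_ip, dst_ip, proto, src_port, dst_port), n_sensors)


def split_trace(packets, n_sensors, picker=pick_sensor):
    """Group packets by the sensor the picker assigns them to.

    Returns {sensor_index: [packet, ...]}.
    """
    buckets = defaultdict(list)
    for pkt in packets:
        idx = picker(pkt["src"], pkt["dst"], pkt["proto"],
                     pkt["sport"], pkt["dport"], n_sensors)
        buckets[idx].append(pkt)
    return dict(buckets)


def flows_are_intact(buckets):
    """True if no flow has packets on more than one sensor."""
    first_seen = {}
    for idx, pkts in buckets.items():
        for pkt in pkts:
            key = flow_key(pkt["src"], pkt["dst"], pkt["proto"],
                           pkt["sport"], pkt["dport"])
            if first_seen.setdefault(key, idx) != idx:
                return False
    return True


# Constructed sample trace: three TCP flows, each with packets in both
# directions (documentation address ranges, not a real capture).
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "proto": 6, "sport": 51000, "dport": 80},
    {"src": "192.0.2.10", "dst": "10.0.0.5", "proto": 6, "sport": 80, "dport": 51000},
    {"src": "10.0.0.7", "dst": "198.51.100.3", "proto": 6, "sport": 40212, "dport": 443},
    {"src": "198.51.100.3", "dst": "10.0.0.7", "proto": 6, "sport": 443, "dport": 40212},
    {"src": "10.0.0.9", "dst": "203.0.113.25", "proto": 6, "sport": 38890, "dport": 22},
    {"src": "203.0.113.25", "dst": "10.0.0.9", "proto": 6, "sport": 22, "dport": 38890},
]

if __name__ == "__main__":
    for name, picker in (("symmetric", pick_sensor), ("naive", naive_pick_sensor)):
        buckets = split_trace(SAMPLE_PACKETS, 4, picker)
        load = {idx: len(pkts) for idx, pkts in sorted(buckets.items())}
        print(f"{name:9s} load per sensor: {load}  flows intact: {flows_are_intact(buckets)}")
```

In a real deployment the hash would run in hardware or in a capture-card driver rather than in Python, but the property being checked is the same: `flows_are_intact` is the test to run against any splitter before trusting the alerts it produces, because a split flow does not produce an error, it silently produces fewer alerts.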

 

bobkberg  |   Jun 2 2007  12:30AM GMT

I’m in agreement with astronomer (As I often am). Start with Snort, and learn from it. There are many free guides to learning snort, and SourceFire also offers classes (I’ve taken them) on using it. I’ve also worked on some of the expensive commercial solutions (ISS and Eeye come to mind) where upper management loved it, but we never got it to work successfully.

All of them have a learning curve to climb, but I’d consider Snort’s to be overall shorter - and there are white papers (and pay-for books) all over which will help guide you.

Bob

 

sonyfreek  |   Jun 6 2007  7:02PM GMT

I also agree that you want to start with Snort. I’m using the Sourcefire 3D products after using Snort for years. I like Sourcefire because they are based on Snort and because of Marty Roesch’s attitude of supporting Open Source software.

ISS, from my experience, was terrible, but I also admit that I wasn’t trained on them. I used someone else’s training books and still wasn’t satisfied with them because the database filled up rather quickly (2 months) using MSDE (2Gb).

SF

 

astronomer  |   Jun 7 2007  3:17PM GMT

I was trained by ISS and we still had problems with it. This was 8 years ago but we drowned in false positives.
rt