Dragon X

Everything posted by Dragon X

  1. What I'm saying, or at least trying to say, is: how trusting/comfortable are people with using something like OSSIM to protect and inform them about issues on their network, given that it is open? Open source tools are sought after for gaining access to systems. I was trying to get people to give me some feedback on how secure they would feel using it to defend systems. Did that clear things up for you?
  2. Please add comments, guys. I'm looking for how you guys feel about using open source as a security tool versus a pen test tool. If you have used the product, what are your impressions? Is it ready for prime time? TIA
  3. Let me rephrase my previous statement. The idea of an IDS is great. Actually managing one is not. I use a Cisco MARS with the latest version of the software on it, and with hundreds of infrastructure pieces reporting to it, we tend to get a ton of false positives. Much of this is due to the fact that prior to my arrival at this place two years ago, the idea of a tiered/structured network was something very foreign. I really think that a lot of networks are not what I would call IDS ready. Well, all it takes is for a CIO to see a commercial or something on television extolling the virtues of an IDS, and the next thing you know you will be stuck trying to fit it into a less-than-perfect environment. If I were in control, I'd make sure that I had a few things in place first before attempting to set up an IDS.
     1) Proper Segmentation - Make sure your users and servers/services are separated in a logical fashion.
     2) Proper Perimeter - Have a well-defined network perimeter. It is a lot easier to detect an intrusion if you know your exposure points (Sun Tzu as applied to networking :D).
     3) Define Your Core - Plan out the layers of access control. Know what you will be blocking where and stick to best practices (i.e. it is never OK to have 16 switches daisy-chained).
     Having a good foundation is key for network/business agility. My directors were taken in by the promises of the MARS system, but they failed to realize that not all opportunities can be taken advantage of without proper preparation. So some of my "meh" attitude about it is mainly due to the fact that we should have focused on the basics first; that way we would be getting more out of the system now.
  4. I'm using a Cisco MARS at my current job in an environment comparably sized to the original poster's. It is just O.K., nothing phenomenal. Has anyone here had any experience with OSSIM, the open source IDS?
  5. I'm relatively new to the Hak5 show and community, but I may have a product that some of you might like to use. I have been tracking this project for about the past 5 years or so: http://ossim.net. It is an open source IDP/IPS. I know the show and site focus on how to compromise systems using open source tools, but here is a set of tools geared towards ensuring that people don't get in. It's a bit of a gear shift, but conceptually I love this project. I must admit, I have yet to have tremendous success with it; that is why I'm hoping to find a few people here that might be familiar with this project (and possibly get it on the show :D).
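The third post above argues that segmentation and a known perimeter have to exist before an IDS can tell signal from noise. The following is an added example, not code from the original posts and not part of OSSIM or Cisco MARS: a small Python boundary check over constructed flow records, using an assumed zone map and an assumed allow-list policy (the addresses, zone names and ports are all hypothetical). It shows the same lateral user-to-server SSH connection being flagged once zones are defined and going unnoticed when the same address space is treated as one flat zone.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Zone map and policy are constructed for this example; the addresses,
# zone names and port choices are assumptions, not taken from the posts.
ZONES: Dict[str, ipaddress.IPv4Network] = {
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}

# The same address space with no segmentation: a single flat zone.
FLAT_ZONES: Dict[str, ipaddress.IPv4Network] = {
    "flat": ipaddress.ip_network("10.0.0.0/8"),
}

# Permitted cross-zone paths as (src_zone, dst_zone, dst_port).
# "external" is the implicit zone for any address outside the map.
POLICY: Set[Tuple[str, str, int]] = {
    ("users", "servers", 443),
    ("users", "servers", 445),
    ("users", "dmz", 443),
    ("users", "external", 443),
    ("dmz", "servers", 5432),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def zone_of(ip: str, zones: Dict[str, ipaddress.IPv4Network]) -> str:
    """Return the zone name containing ip, or "external" if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in zones.items():
        if addr in net:
            return name
    return "external"


def find_violations(flows, zones, policy) -> List[Tuple[Flow, str, str]]:
    """Report cross-zone flows that no policy entry permits.

    Intra-zone flows are skipped on purpose: a boundary check has nothing
    to say about them, which is exactly the blind spot a flat network has.
    """
    hits = []
    for f in flows:
        src_zone, dst_zone = zone_of(f.src, zones), zone_of(f.dst, zones)
        if src_zone == dst_zone:
            continue
        if (src_zone, dst_zone, f.dport) not in policy:
            hits.append((f, src_zone, dst_zone))
    return hits


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.10.4.7", "10.20.1.5", 443),     # user -> server HTTPS, allowed
    Flow("10.10.4.7", "10.20.1.5", 22),      # user -> server SSH, not allowed
    Flow("192.0.2.10", "10.20.1.5", 5432),   # dmz -> server DB, allowed
    Flow("192.0.2.10", "10.10.4.7", 3389),   # dmz -> user RDP, not allowed
    Flow("10.20.1.5", "10.20.1.9", 445),     # server -> server, intra-zone
    Flow("10.20.1.5", "198.51.100.9", 443),  # server -> internet, not allowed
    Flow("10.10.4.7", "198.51.100.9", 443),  # user -> internet HTTPS, allowed
]

if __name__ == "__main__":
    for label, zones in (("segmented", ZONES), ("flat", FLAT_ZONES)):
        hits = find_violations(SAMPLE_FLOWS, zones, POLICY)
        print(f"{label}: {len(hits)} cross-zone flows outside policy")
        for f, s, d in hits:
            print(f"  {f.src} ({s}) -> {f.dst}:{f.dport} ({d})")
```

With the segmented map the check returns three findings (the SSH and RDP flows and the server talking out to the internet). With the flat map the SSH flow between a user workstation and a server is intra-zone and is never examined, so the only things left to alert on are edge flows, which is the same shape as the MARS complaint in the third post: without zones the sensor can only see the perimeter, and everything inside it looks alike.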