Snort Forums Archive
NIDS or NIPS ??
Posted by ph_d on March 22, 2005 04:08:02
Hello!
I am planning to start a NIDS or NIPS system.
Snort is an idea, but as I understand it, Snort is a NIDS, and a NIDS lets the packets go through even if there is an attack, while a NIPS will stop the attack.
So, why should I use a NIDS if the attacks go through?
And what NIPS system should I use in case I should choose a NIPS? Is there also an open source solution for this?
regards,
Philippe.
Posted by phx_cissp on March 22, 2005 04:21:20
I receive lots of false positives (I have not spent a lot of time shoring up my rules). Imagine if all the false positives were blocked. I have not read much on NIPS, but it sounds like it has the potential to be labor intensive.
Does NIPS stop and hold each packet until it has been processed? Might be some lag there.
Posted by maverick on March 22, 2005 04:49:27
In my opinion, a Snort IPS should always spend a week or two as a Snort IDS first. Spend this time watching the events returned and verifying that they are legitimate issues, as opposed to false positives. Remove or fine-tune rules and variables to minimize or eliminate false positives generated by common traffic on your network. After that, I flip it over to IPS. Even then, you should monitor closely to make sure no basic operations are interrupted.
Also, during this process, make sure your ruleset for IDS mode is prepended with "alert" and not "drop". Snort should let you know this really fast though.
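The tuning workflow in the post above (run in alert-only mode, rank the noisy rules, then promote only the verified ones to "drop") is easy to script. The following is an added example and not code from the original thread or from the Snort project. It assumes Snort's "alert_fast" output format ("[**] [gid:sid:rev] msg [**]") and standard rule syntax with the action keyword first; the sample alert lines, rule text and SID numbers are constructed for illustration only.

```python
import re
from collections import Counter

# Constructed sample of Snort alert_fast output (not real sensor data).
SAMPLE_ALERTS = """\
03/22-04:08:02.101010  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.0.5:43210 -> 192.168.1.10:22
03/22-04:08:03.202020  [**] [1:1000002:1] LOCAL noisy DNS rule [**] [Priority: 3] {UDP} 192.168.1.20:51000 -> 192.168.1.1:53
03/22-04:08:03.303030  [**] [1:1000002:1] LOCAL noisy DNS rule [**] [Priority: 3] {UDP} 192.168.1.21:51001 -> 192.168.1.1:53
03/22-04:08:04.404040  [**] [1:1000002:1] LOCAL noisy DNS rule [**] [Priority: 3] {UDP} 192.168.1.22:51002 -> 192.168.1.1:53
03/22-04:08:05.505050  [**] [1:1000001:1] LOCAL SSH brute force attempt [**] [Priority: 2] {TCP} 10.0.0.5:43211 -> 192.168.1.10:22
"""

# Constructed local ruleset as it should look while the sensor is in IDS mode: every action is "alert".
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH brute force attempt"; flags:S; sid:1000001; rev:1;)
alert udp $HOME_NET any -> any 53 (msg:"LOCAL noisy DNS rule"; sid:1000002; rev:1;)
# comment line stays untouched
"""

ALERT_RE = re.compile(r"\[\*\*\]\s+\[(\d+):(\d+):(\d+)\]\s+(.*?)\s+\[\*\*\]")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|reject|sdrop)\b")


def count_alerts_by_sid(alert_text):
    """Count hits per (gid, sid) in alert_fast output; the loudest SIDs are the first false-positive candidates."""
    counts = Counter()
    for line in alert_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def noisy_sids(counts, threshold):
    """Return the SIDs that fired at least `threshold` times during the IDS observation window."""
    return sorted(sid for (_gid, sid), n in counts.items() if n >= threshold)


def check_ids_mode(rules_text):
    """Return (line number, action) for every rule whose action is not 'alert'.

    Anything listed here would block traffic if the sensor were inline, which is
    exactly what you do not want during the observation phase.
    """
    offenders = []
    for lineno, raw in enumerate(rules_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no action
        m = ACTION_RE.match(line)
        if m and m.group(1) != "alert":
            offenders.append((lineno, m.group(1)))
    return offenders


def promote_to_drop(rules_text, verified_sids):
    """Rewrite 'alert' to 'drop' only for rules whose sid has been verified as a true positive.

    Unverified rules keep alerting, so a noisy rule never turns into an outage.
    """
    out = []
    for raw in rules_text.splitlines():
        line = raw.strip()
        m = SID_RE.search(line)
        if line.startswith("alert ") and m and int(m.group(1)) in verified_sids:
            line = "drop " + line[len("alert "):]
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits = count_alerts_by_sid(SAMPLE_ALERTS)
    print("hits per sid:", dict(hits))
    print("noisy (>=3 hits):", noisy_sids(hits, 3))
    print("non-alert actions in IDS ruleset:", check_ids_mode(SAMPLE_RULES))
    # Only sid 1000001 was confirmed as a real issue during the alert-only period.
    print(promote_to_drop(SAMPLE_RULES, {1000001}))
```

Run `check_ids_mode` against the ruleset before deploying the sensor inline; an empty list is the "all alert, no drop" state the post asks for. After the observation period, feed the verified SIDs to `promote_to_drop` and leave everything else alerting.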