McAfee IntruShield IPS

Just a note and a small rant to myself. I’ve been using the McAfee IntruShield IPS here at work for a few days now (been poking at it for a few weeks, really), and I must say I really dislike being so disconnected from the actual packets and wire. I really like the information on exploits and alerts that McAfee includes, and also the reporting and dashboard (they recently updated it!).
However, any time I see something new or noteworthy run across the wire, my first instinct is to look at the packets and the flow before and after the event that actually triggered the alert. Sadly, those capabilities are sorely lacking. What is really disappointing is the false positives that remain even after the device itself has been tuned up tightly. I don’t really care if the IPS sees a UDP Port Scan all day when it is just a printer trying to reach out for some SNMP love because it lost contact with something.
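The two complaints above (no packet context around an alert, and a printer's SNMP polling tripping the UDP port scan signature even after tuning) are easy to show in a toy detector. The following is an added example written for this post, not code from the IPS or from the author; the printer address, the thresholds and the packets it feeds itself are all constructed for illustration. It keeps a ring buffer so every alert carries the packets seen just before and after the trigger, and it tunes out a known printer that only reaches out on SNMP ports instead of raising an alert on it.

```python
from collections import deque, namedtuple

# Constructed packet summary: timestamp, source IP, destination IP, protocol, destination port.
Pkt = namedtuple("Pkt", "ts src dst proto dport")

# Assumption for the example: printers known to poll SNMP across the network.
KNOWN_PRINTERS = {"10.0.5.20"}
SNMP_PORTS = {161, 162}


class UdpSweepDetector:
    """Flags a source that touches many distinct UDP (dst, dport) targets in a
    short window, and keeps a ring buffer so each alert carries the packets
    seen just before and just after the triggering packet."""

    def __init__(self, window=10.0, target_threshold=5, context=3):
        self.window = window
        self.target_threshold = target_threshold
        self.context = context
        self.recent = deque(maxlen=context)   # packets seen before the trigger
        self.targets = {}                     # src -> [(ts, (dst, dport)), ...]
        self.alerts = []
        self.suppressed = []                  # events removed by tuning, kept for review
        self._collecting = []                 # alerts still gathering "after" packets

    def _tuned_out(self, src, targets):
        # Tuning rule: a known printer reaching out on SNMP ports only is expected behaviour.
        ports = {dport for _, dport in targets}
        return src in KNOWN_PRINTERS and ports <= SNMP_PORTS

    def feed(self, pkt):
        # Attach trailing context to alerts raised a few packets ago.
        for alert in self._collecting:
            alert["after"].append(pkt)
        self._collecting = [a for a in self._collecting if len(a["after"]) < self.context]

        if pkt.proto == "udp":
            hist = self.targets.setdefault(pkt.src, [])
            hist.append((pkt.ts, (pkt.dst, pkt.dport)))
            hist[:] = [(t, tgt) for t, tgt in hist if pkt.ts - t <= self.window]
            distinct = {tgt for _, tgt in hist}
            if len(distinct) >= self.target_threshold:
                event = {"src": pkt.src, "targets": sorted(distinct),
                         "before": list(self.recent), "trigger": pkt, "after": []}
                if self._tuned_out(pkt.src, distinct):
                    self.suppressed.append(event)
                else:
                    self.alerts.append(event)
                    self._collecting.append(event)
                self.targets[pkt.src] = []    # one alert per sweep, not one per packet
        self.recent.append(pkt)


def run_sample():
    """Feed constructed traffic: a printer polling SNMP on six hosts, then a
    host probing six UDP ports on one server, with DNS noise around it."""
    det = UdpSweepDetector()
    pkts = []
    t = 0.0
    for i in range(6):                                   # printer SNMP sweep (tuned out)
        pkts.append(Pkt(t, "10.0.5.20", f"10.0.1.{i + 1}", "udp", 161)); t += 0.5
    for i in range(3):                                   # benign DNS lookups
        pkts.append(Pkt(t, "10.0.9.7", "10.0.0.53", "udp", 53)); t += 0.5
    for port in (53, 67, 69, 111, 123, 137):             # one host probing one server
        pkts.append(Pkt(t, "10.0.9.7", "10.0.2.10", "udp", port)); t += 0.2
    for i in range(3):                                   # trailing traffic for "after" context
        pkts.append(Pkt(t, "10.0.9.7", "10.0.0.53", "udp", 53)); t += 0.5
    for p in pkts:
        det.feed(p)
    return det


if __name__ == "__main__":
    d = run_sample()
    for a in d.alerts:
        print("ALERT", a["src"], "targets", a["targets"])
        print("  before:", [(p.dst, p.dport) for p in a["before"]])
        print("  after: ", [(p.dst, p.dport) for p in a["after"]])
    for s in d.suppressed:
        print("tuned out", s["src"], "SNMP to", len(s["targets"]), "hosts")
```

The point of the `before`/`after` lists is exactly what the post is missing from the appliance: the alert arrives with the surrounding packets instead of as a bare event name. The suppressed events are still kept in a separate list, so tuning out the printer does not make it invisible; a quiet list that suddenly grows is itself worth a look.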
Such is the price we pay these days for products trying to be the “silver bullet” of security or trying to be “all-in-one” and end up just disconnecting us from the real data and activity. Give me Snort and Wireshark and a portable tap (or the ability to put windump/tcpdump anywhere I want) anyway…
It feels like one of those Plato’s cave analogies, where I’m no longer really looking at the actual subjects, and instead I am seeing only the dim shadows of the events…