[Snort-users] E-Trust from CA - good/bad/?

Henry Sieff hsieff at ...519...
Thu Mar 15 14:18:20 EST 2001


> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...121...]
> Sent: Thursday, March 15, 2001 12:38 PM
> To: Jerry Shenk
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] E-Trust from CA - good/bad/?
> 
> 
> On Thu, Mar 15, 2001 at 12:47:33PM -0500, Jerry Shenk wrote:
> > Does anybody know anything about E-Trust from Computer Associates?
> > They're coming down for the dog-n-pony show on Monday.
> > 
> 
> Is it the same E-trust which has been discussed on FOCUS-IDS 
> mailing list? :) Their product manager made a very bad 
> impression on me :)

Computer Associates bought a company called Memco, which had bought a
company called Abirnet, who made a product called Sessionwall-3. They
took that product and turned it into E-Trust Intrusion Detection. It
does a lot more than intrusion detection, but at the expense of code
bloat, performance, and portability. It has a pretty good GUI, and you
can design your own rules. Also, it uses TCP RSTs to tear down
unauthorized connections. This feature is used primarily to block web
site access based upon RADIUS or NT user name, IP addresses, URLs,
RSACI categories, etc. You can also trigger Cisco router
reconfigurations, emails on events, etc., and it provides decent
reporting.

The main problems are an incredibly unresponsive vendor, a proprietary
logging format, and the size of the logs generated. Every 4 days,
Sessionwall would quickly fill a 4 GB HD with log files; also,
exporting those log files to other formats is SLOW.

I abandoned etrust for SNORT because I got tired of paying for
features I wasn't using, and watching the performance of the features
I was using suffer; once SNORT incorporated FLEXRESP, the triggered
actions were no longer a draw, and web access blocking was unnecessary
for my purpose. Also, after the acquisition by CA, vendor
responsiveness went WAY down.

I may have to check out the discussions on FOCUS-IDS and see what
others are saying these days.

Henry



