[Snort-users] E-Trust from CA - good/bad/?

Jerry Shenk jas at ...129...
Thu Mar 15 14:29:10 EST 2001


Fyodor also mentioned FOCUS-IDS...I'm checking that out right now.  Obviously
we're both in the same boat on preferring Snort....now I've got to come up
with business reasons NOT to use E-Trust. I hadn't even bothered looking at
it 'cuz of the fact that CA owned it...well, now I have to look at it and
that's what I'm doing today.  I'm hearing (from the guy who has the idea to
use it) that CA has been very responsive lately....maybe a change, maybe
not.

-----Original Message-----
From: Henry Sieff [mailto:hsieff at ...519...]
Sent: Thursday, March 15, 2001 2:18 PM
To: 'Fyodor'; Jerry Shenk
Cc: snort-users at lists.sourceforge.net
Subject: RE: [Snort-users] E-Trust from CA - good/bad/?




> -----Original Message-----
> From: Fyodor [mailto:fygrave at ...121...]
> Sent: Thursday, March 15, 2001 12:38 PM
> To: Jerry Shenk
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] E-Trust from CA - good/bad/?
>
>
> On Thu, Mar 15, 2001 at 12:47:33PM -0500, Jerry Shenk wrote:
> > Does anybody know anything about E-Trust from Computer Associates?  They're
> > coming down for the dog-n-pony show on Monday.
> >
>
> Is it the same E-trust which has been discussed on FOCUS-IDS
> mailing list? :) Their product manager made a very bad
> impression on me :)

Computer Associates bought a company called Memco, which had bought a
company called Abirnet, who made a product called Sessionwall-3. They
took that product and turned it into E-Trust Intrusion Detection. It
does a lot more than intrusion detection, but at the expense of code
bloat, performance, and portability. It has a pretty good GUI, and you can
design your own rules. Also, it uses TCP RSTs to tear down
unauthorized connections. This feature is used primarily to block web
site access based upon RADIUS or NT user name, IP addresses, URLs,
RSACI categories, etc. You can also trigger Cisco router
reconfigurations, emails on events, etc., and it provides decent
reporting.

The main problem is an incredibly unresponsive vendor, a proprietary
logging format, and the size of the logs generated. Every 4 days,
Sessionwall would quickly fill a 4 GB HD with log files; also,
exporting those log files to other formats is SLOW.

I abandoned etrust for SNORT because I got tired of paying for
features I wasn't using, and watching the performance of the features
I was using suffer; once SNORT incorporated FLEXRESP, the triggered
actions were no longer a draw, and web access blocking was unnecessary
for my purpose. Also, after the acquisition by CA, vendor
responsiveness went WAY down.

I may have to check out the discussions on FOCUS-IDS and see what
others are saying these days.

Henry




