• United States
Neal Weinberg
Contributing writer, Foundry


Dec 18, 20032 mins
Intrusion Detection SoftwareNetwork SecuritySecurity

* The Reviewmeister takes a look at an intrusion detection systems from a company called Intrusion

Another interesting intrustion detection system tool came from a company called Intrusion.

In our first scenario, we asked the tool on a Monday to give us information about an attack that occurred the previous Friday. Intrusion’s team had tuned our system to dump alerts after three days, so there was nothing to be seen. We adjusted the thresholds and discovered a nice feature: High-priority alerts can age differently than low-priority alerts. Not a massive competitive advantage, but a good sign that product developers thought about this.

Next we turned to the problem of how to tune the software to avoid too many false alarms.  Intrusion’s tuning facilities vary depending on where you want to filter. In our case, trimming at the sensor was efficient, so we used that method. Intrusion’s Policy Editor runs on the central management console and lets you build a policy that drops IP addresses from events as appropriate. From there, after a bit of technical support, we pushed changes to the sensors and trimmed the alert load considerably.

Intrusion also supports pure IP filtering, but this requires direct access to the sensor via its Web interface and is not managed centrally. It sounds like an obscure feature, but the ability to block entire ranges would be important in a large enterprise deployment where multiple sensors saw intersecting traffic loads.

Intrusion’s forensics tool opens with a set of canned views into the forensics database: by attacker, by target, by priority and by signature group. We started with signature groups and clicked on the first level of the tree. Each major signature group was shown, along with a count of events. The group we were looking for stood out like a sore thumb, with hundreds of thousands of events. One more click (on “firewall services”) and ICMP Ping Sweep and SMB Scan both stood out again.

At this point, Intrusion doesn’t further sort items, which means that if we went with the out-of-the-box product, we’d have to sort through long lists of events. But building a new tree was the quick solution to that. A few clicks let us add a new summarization level underneath signature and source IP address, and now we had the information we wanted.