451 CAOS Theory
A blog for the enterprise open source community

Some great quotes on IDS from them what evade it…

Nick Selby, October 27, 2006 @ 4:05 pm ET

A selection of quotes from a thread on the Daily Dave pen testing mailing list about the IPO of Sourcefire, the security company founded by Marty Roesch, creator of the Snort open source intrusion detection system (IDS). Priceless stuff: comments on IDS from the people whose job is to evade it.

“Making IDS part of a defense in depth strategy is giving it some credit for actually providing defense, which it doesn’t do. The people who win the IDS game are the people who spend the least money on it. This is why security outsourcing makes money - it’s just as worthless as maintaining the IDS yourself, but it costs less. Likewise, Snort is a great IDS solution because it does nothing but it does it cheaper.”
– Dave Aitel

“…Defense in depth. It’s an extra barrier. You don’t not run an AV just because someone can write a custom virus it won’t detect. You run simple and automated systems that can deal with the 90% of threats that are easily managed in order to free up valuable human resource to look into the 10% that really do need to be understood. It does work; it’s just that, when working, it only has a limited role to fill and is not a one-stop-shop-one-size-fits-all-be-all-and-end-all-turnkey-security-solution. But then again, nothing is. Or at any rate, no automated system is. The only thing that really works for security is people. Lots and lots of people, looking at what’s going on and thinking about it and worrying about whether something’s wrong or not.”
– Dave Korn

“Enough people here know about how IDSes don’t live up to nearly any expectations, or how they… do? I personally don’t believe in them in any way; I would implement them once I am done with a lot of other security measures. Now, if I am to look at what they give me vs. another box for compromising which sits in a critical location… I am not sure what choice I’d make. For some reason, people equate Intrusion Detection to IDS devices. IDS devices are signature based and try to detect bad behaviour using, erm, a sniffer or equivalent. Intrusion detection is everything which will help detect an intrusion. IDS won’t unless it’s too late, and will keep you busy while you’re at it.”
– Gadi Evron

“I think that you are throwing away a technology because of the fact it doesn’t live up to the hype the sales monkeys have spewed. While I will agree that IDSes are not the end-all-be-all, they do provide a very important layer within the defense in depth strategy. Yes you can evade them, and yes most companies want to just plug them in and forget about them, but that doesn’t make the idea wrong. I am a little biased…”
– Kevin (BASE Project Lead)

“Nobody says it needs to be a one-size-fits-all solution - it’s just that there is a difference between something which is capable of detecting/preventing only a bunch of known exploits vs. something which is capable of preventing a known class of attacks…”
– Joanna Rutkowska
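The distinction Rutkowska and Evron draw, a content signature that recognises one known exploit versus a rule that recognises the whole class of attack, is easy to see in code. The following is an added example written for this post; it is not code from the mailing list, from Snort or from Sourcefire. It invents a hypothetical line-based protocol (a `LOGIN <username>` command whose username is specified to be at most 32 bytes), a Snort-style "content" signature for one constructed overflow payload, and a protocol-anomaly rule that flags any over-length username. The three sample payloads are constructed for the demonstration; the "exploit" is just a long field, not a real vulnerability in any product.

```python
"""Signature match vs. class match over constructed IDS sample traffic.

Hypothetical protocol (assumption, not a real one): "LOGIN <username>\\r\\n",
where the spec limits <username> to MAX_USER_LEN bytes.
"""
from dataclasses import dataclass

MAX_USER_LEN = 32          # assumed protocol limit for the username field
LOGIN_PREFIX = b"LOGIN "


@dataclass(frozen=True)
class Alert:
    rule: str
    detail: str


# Snort-style "content" signature: one exact byte string taken from a
# (constructed) known exploit. It only matches that one payload.
KNOWN_BAD_PAYLOADS = [
    b"A" * 64 + b"\x90\x90\x90\x90",   # constructed "known exploit" bytes
]


def signature_match(payload: bytes) -> list[Alert]:
    """Known-exploit detection: substring match against a list of signatures."""
    return [
        Alert("sig:known-login-overflow", f"matched content {sig[:8]!r}...")
        for sig in KNOWN_BAD_PAYLOADS
        if sig in payload
    ]


def class_match(payload: bytes) -> list[Alert]:
    """Attack-class detection: the username field violates the protocol spec.

    Any overflow attempt against this field is over-length, whatever bytes
    the attacker chooses, so this rule is not defeated by re-encoding.
    """
    if not payload.startswith(LOGIN_PREFIX):
        return []
    user = payload[len(LOGIN_PREFIX):].split(b"\r\n", 1)[0]
    if len(user) > MAX_USER_LEN:
        return [Alert("class:login-field-too-long",
                      f"username is {len(user)} bytes (max {MAX_USER_LEN})")]
    return []


def inspect(payloads: dict[str, bytes]) -> dict[str, tuple[bool, bool]]:
    """Return {name: (signature fired, class rule fired)} for each payload."""
    return {
        name: (bool(signature_match(p)), bool(class_match(p)))
        for name, p in payloads.items()
    }


# Constructed sample traffic: a benign login, the payload the signature was
# written for, and a trivial variant of the same overflow with different filler.
SAMPLE_TRAFFIC = {
    "benign": LOGIN_PREFIX + b"alice\r\n",
    "known_exploit": LOGIN_PREFIX + b"A" * 64 + b"\x90" * 4 + b"\r\n",
    "variant": LOGIN_PREFIX + b"B" * 64 + b"\x41\x41\x41\x41" + b"\r\n",
}

if __name__ == "__main__":
    for name, (sig, cls) in inspect(SAMPLE_TRAFFIC).items():
        print(f"{name:14s} signature={sig!s:5s} class={cls}")
```

Run as written, the signature fires only on the exact payload it was cut from; changing the filler byte from `A` to `B` evades it while the same field-length rule still fires on both. That is the whole argument in miniature: a signature set buys detection of the exploits someone has already seen, while a rule written against the protocol's invariants buys detection of the class.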

Categories: Linux, Security, Software
