07-30-2013 07:08 AM
We have Palo Alto appliances and we have Sourcefire IDS appliances running side by side in various configurations at work. I can't emphasize enough how convenient it is to be able to have an IDS event fire off from our Sourcefire boxes, and when I drill into the event I can actually see the rule that was written that matched on the event.
In my experience it's to the point where weeding out legitimate traffic that was false-positively identified as malicious entirely depends on my ability to read the rule that fired off.
For this reason we now essentially run two IDS/IPS solutions... Palo Alto's threat and vulnerability subscription, and the Sourcefire VRT rule subscription.
What would be a "game changer" in this regard would be if Palo Alto released their rules to customers and followed essentially the Sourcefire model of "open rules, released a month late." Right now I can't do a lot with the Palo Alto threat events that fire off, because while I can open up a pcap of the network traffic involved in the event, I have absolutely no idea why the event was triggered by PA's threat engine.