| Subject: | RE: Vulnerability & Exploit Signatures |
|---|---|
| Date: | Thu, 16 Jun 2005 12:35:29 -0400 |
> Do all these vendors license the same set of "base" filters from, say, Sourcefire / Snort derived rule source in the back?
Not exactly (especially in the past... before Sourcefire pulled the "bait and switch" trick; just to be clear, I'm not saying they are bad for doing it... it's business and they are trying to make money... there's nothing wrong with that). There are a small number of companies (besides Sourcefire) that put Snort on an appliance. In these cases it is true that they use Snort rules, but, I guess, it doesn't make sense to do otherwise :-)

There are a number of IDS and IPS solutions that are capable of converting Snort rules into their native format. I will not name any commercial companies, but I'd like to mention Bro IDS as an open source example ( www.bro-ids.org ), which is being developed by Vern Paxson (whose name should be familiar to anybody who's serious about networking) and a number of contributors. In Bro, there's a script that translates Snort signatures into Bro signatures.

Let's not forget security hardware acceleration vendors. It's very popular for them to use Snort to demonstrate their hardware acceleration technology, but it's up to the OEMs that use those cards to use Snort or to put their own IDS or IPS technology on top.

Just like Dodge said, most IDS and IPS vendors do use Snort as a resource. It would be crazy to do otherwise; however, they use it only as a reference (for a number of reasons). One of those reasons is that the architecture is very different and it's impossible to directly map Snort signatures to what they have. Another good reason IDS/IPS vendors wouldn't want to use Snort signatures "as is" is because Snort is far from perfect when it comes to its detection capabilities. Snort has a lot of limitations that an IDS/IPS vendor wouldn't want to inherit (I am not putting down Snort here. I think it's a great IDS that can do a lot. I'm simply pointing out that it still has a lot to improve). And if we talk about top IDS/IPS vendors, they usually develop their signatures or code updates before Snort has something. When Snort signatures or preprocessors come out, they simply use them as a validation mechanism or as marketing research to identify Snort signatures' weaknesses.

Kyle
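As an added example (not part of Kyle's message, and not the Bro project's own snort2bro script), the following Python converter shows concretely what "converting Snort rules into a native format" involves and where the direct mapping breaks down. It handles a subset of the Snort rule language (header, `msg`, `sid`, `content` with `|hex|` runs and `nocase`, `flow`) and emits Bro signature-framework syntax (`ip-proto`, `src-ip`/`dst-ip`, `src-port`/`dst-port`, `tcp-state`, `payload`, `event`). Everything it cannot express is reported rather than silently dropped. The sample rules and the `HOME_NET` binding are constructed for the example, and the choice to encode every non-alphanumeric content byte as `\xHH` in the Bro regex is this example's own convention.

```python
import re

# Snort rule header: action proto src sport dir dst dport (option-body)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$")

# Snort 'flow' keywords that have a Bro tcp-state equivalent.
FLOW_MAP = {"established": "established", "to_server": "originator",
            "from_client": "originator", "to_client": "responder",
            "from_server": "responder"}

def split_options(body):
    """Split 'k:v; k2; ...' on ';' outside double quotes -> [(key, value|None)]."""
    items, buf, quoted = [], [], False
    for ch in body + ";":
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            item = "".join(buf).strip()
            buf = []
            if item:
                key, _, val = item.partition(":")
                items.append((key.strip(), val.strip() or None))
        else:
            buf.append(ch)
    return items

def content_to_regex(content, nocase=False):
    """Snort content (with |hh hh| hex runs) -> Bro regex fragment.
    Letters/digits stay literal (letters become [xX] classes under nocase);
    every other byte is emitted as \\xHH so no regex metacharacter escaping is needed."""
    out = []
    for idx, seg in enumerate(content.split("|")):
        if idx % 2:                                    # odd segments are hex runs
            out.extend("\\x%02x" % int(h, 16) for h in seg.split())
            continue
        for ch in seg:
            if ch.isascii() and ch.isalpha():
                out.append("[%s%s]" % (ch.lower(), ch.upper()) if nocase else ch)
            elif ch.isdigit():
                out.append(ch)
            else:
                out.append("\\x%02x" % (ord(ch) & 0xff))
    return "".join(out)

def snort_to_bro(rule, variables=None):
    """Convert one Snort rule. Returns (bro_signature, issues); issues lists each
    header field or option that was not mapped or was only approximated."""
    variables = variables or {}                        # e.g. {"HOME_NET": "10.0.0.0/8"}
    m = HEADER_RE.match(rule.strip())
    if not m:
        raise ValueError("not a Snort rule: %r" % rule)
    h, conds, issues = m.groupdict(), [], []
    proto = h["proto"].lower()
    if proto in ("tcp", "udp", "icmp"):
        conds.append("ip-proto == %s" % proto)
    else:
        issues.append("proto %s" % proto)              # bare 'ip' has no single ip-proto
    if h["dir"] == "<>":
        issues.append("bidirectional <>")              # Bro signatures are one-directional

    def constraint(field, key, is_port):
        val = h[field]
        if val.startswith("$"):
            val = variables.get(val[1:], val)          # resolve $HOME_NET-style variables
        if val == "any":
            return
        neg, val = val.startswith("!"), val.lstrip("!")
        simple = val.isdigit() if is_port else bool(re.match(r"^[\d./]+$", val))
        if val.startswith("$") or not simple:          # unresolved var, list or range
            issues.append("%s %s" % (field, h[field]))
            return
        conds.append("%s %s %s" % (key, "!=" if neg else "==", val))

    for field, key, is_port in (("src", "src-ip", False), ("sport", "src-port", True),
                                ("dst", "dst-ip", False), ("dport", "dst-port", True)):
        constraint(field, key, is_port)

    msg, sid, contents, flow = None, None, [], ""
    for key, val in split_options(h["opts"]):
        if key == "msg":
            msg = (val or "").strip('"')
        elif key == "sid":
            sid = val
        elif key == "content":
            contents.append([(val or "").strip('"'), False])   # [text, nocase]
        elif key == "nocase" and contents:
            contents[-1][1] = True                     # applies to the preceding content
        elif key == "flow":
            flow = val or ""
        elif key in ("rev", "classtype", "reference", "metadata", "priority"):
            pass                                       # documentation-only options
        else:
            issues.append(key)          # pcre, byte_test, flowbits, depth, offset, ...
    states = []
    for tok in (t.strip() for t in flow.split(",") if t.strip()):
        if proto == "tcp" and tok in FLOW_MAP:
            states.append(FLOW_MAP[tok])
        else:
            issues.append("flow:%s" % tok)
    if states:
        conds.append("tcp-state %s" % ",".join(dict.fromkeys(states)))
    if contents:
        if len(contents) > 1:      # Snort contents are unordered; joining with .* imposes order
            issues.append("content order (approximated)")
        conds.append("payload /.*%s/" % ".*".join(content_to_regex(t, nc) for t, nc in contents))
    name = "sid-%s" % sid if sid else "unnamed"
    body = ["signature %s {" % name] + ["    " + c for c in conds]
    body.append('    event "%s"' % (msg or name).replace('"', '\\"'))
    body.append("}")
    return "\n".join(body), issues

# Constructed sample rules for the example (not real Snort/VRT rules).
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd access"; '
    'flow:to_server,established; content:"/etc/passwd"; nocase; sid:1000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"FTP USER overflow attempt"; '
    'flow:to_server,established; content:"USER |20|"; pcre:"/^USER\\s[^\\n]{100}/smi"; sid:1000002;)',
]

if __name__ == "__main__":
    for r in RULES:
        sig, issues = snort_to_bro(r, {"HOME_NET": "192.168.0.0/16"})
        print(sig)
        print("# not mapped: %s\n" % (", ".join(issues) or "none"))
```

Running it on the two constructed rules shows the point of the message: the first rule converts cleanly apart from the unresolved `$EXTERNAL_NET`, while the second loses its `pcre` check entirely, so the resulting Bro signature is looser than the Snort original. A vendor doing this at scale has to review the `issues` list for every rule, which is why Snort rules end up as a reference rather than a drop-in signature source.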