Andrew Plato wrote:
Furthermore, Snort rules are developed by volunteers (or Sourcefire). As
such, SNORT is usually behind the curve on new signatures.
I suppose you have actual figures for this ? Because I'd have to claim
it FUD otherwise. Compare with the response time of commercial and open
source anti viruses, and you'll see that this claim is at best unproven.
ISS, for
example, does their own independent security research an has signatures
to protect against things that Snort people don't even know about.
And I suppose people who work for Sourcefire, or people who contribute
rules to the Snort signatures base, don't do vulnerability research ?
I know that many researchers develop signatures along with their
advisory. We've seen that.
Are you implying that ISS knows about zero-day vulnerabilities it hasn't
alerted vendors to ? I think that ISS always claimed to be for
responsible disclosures of their findings. Has this changed, recently ?
vendors buy exploits from the hacker market - again giving them access
to vulnerabilities long before it hits the public
Same as above applies. Buying vulnerabilities and exploits and not
publishing them is highly unethical. I wouldn't buy anything from a
vendor who claimed to do that.
Besides, "good" zero days stay in the closet for a long time. They get
sold when they already leaked to the outer circles of the scene.
As far as the "who has the rules first", in fact, I remember Snort
implementing a way to import the so-advanced, bleeding-edge ISS rules...
oh wait, or was it the other way round ? :)
Stefano
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
