[Snort-devel] [robert_david_graham at ...83...: Rapid response]

Martin Roesch roesch at ...48...
Mon Oct 23 11:56:52 EDT 2000


Snort took a lot of heat last week on the Focus-IDS mailing list from both Rob
Graham and Elliot Turner (of Intrusion.com).  If you listen to them, we're
beating a dead horse with Snort, there's just no way you can do network
intrusion detection effectively without <your NIDS here>. :)  

I beg to differ.

I thought it showed limited understanding of both the history of Snort and the
flexibility and extensibility of Snort to say the things they did, but hey,
I'm sure there was nothing personal meant by it.  Although Elliot *did* say
the following:

"Snort is several years behind the top-tier commercial offerings.  If much
effort was put into Snort over the next year, it would still be behind.  (IDS
vendors don't simply create a product and start development; it's an on-going
process).  I personally believe that IDS is far too much of a "niche" area in
the open source community to attract sufficient developers to truly compete.
In addition, IDS knowledge is held by a very few individuals, and thus the
available pool of developers is quite small."

So, if I and all of you didn't suck so much, we could maybe do something as
spiffy as SecureNet Pro. ;)

Yeesh.  I guess that if they love us enough to spend this much effort to prove
how badly Snort sucks, they must be just a touch concerned...


Archives of all of this can be found at: 

http://www.securityfocus.com/frames/?content=/templates/archive.pike%3Fthreads%3D0%26list%3D96%26start%3D2000-10-15%26end%3D2000-10-21%26

    -Marty


Fyodor wrote:
> 
> :)
> ----- Forwarded message from Robert Graham <robert_david_graham at ...83...> -----
> 
> From: Robert Graham <robert_david_graham at ...83...>
> Date:         Thu, 19 Oct 2000 21:19:37 -0700
> To: FOCUS-IDS at ...84...
> Subject:      Rapid response
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> Reply-To: Robert Graham <robert_david_graham at ...83...>
> 
> >-- writing new signatures
> >
> >Have a look at www.whitehats.com, there is an hourly updated
> >signature file. I think such service even commercial vendors don't supply.
> 
> Actually, a lot of vendors promote how fast they update. They even have
> names for them like "rapid response" or some such. The problem isn't whether
> you get the update rapidly, but whether the vendor actually responds in a
> rapid manner in the first place. Now, I look at www.whitehats.com and
> www.networkice.com and see that both have updates on their sites for the
> latest IIS vulnerability (which is a HUGE vulnerability, BTW). Looking at
> the other vendor's websites, I see nothing.
> 
> However, looking at the www.whitehats.com signature, I see that it only
> checks for the string "%c1%1c" sent to port 80. This is the pattern of the
> attack that was announced in the initial BUGTRAQ post, but it doesn't work
> on most systems; the far more dangerous variant that was posted with full
> exploit code uses "%c0%af". Moreover, I could list 20 more tiny variations
> that exploit this in the identical way that would require 20 more
> "signatures" to catch (which is why network-grep IDSs tend to have much
> higher "signature counts" than protocol-analysis IDSs -- they need them to
> do the same amount of work). If you test out the Network ICE update, you'll
> find that it solves all these issues.
> 
> This morning I talked to two different customers who downloaded our update
> we posted on Tuesday and who both saw the %c0%af variant attacks, but not
> the %c1%1c variant that Whitehats is looking for.
> 
> In truth, Network ICE's response time is determined by how serious we think
> the threat is, so you'll have a better average response time with Snort. On
> the other hand, the point I'm trying to get across is that, whether it's with
> open-source or commercial, you can't trust that just because a vendor boasts
> about how fast they can update in theory, they don't always do a good job at
> it in practice.
> 
> Robert Graham
> CTO/Network ICE
> 
> 
> ----- End forwarded message -----
> 
> --
> Q:  How many supply-siders does it take to change a light bulb?
> A:  None.  The darkness will cause the light bulb to change by itself.

-- 
Martin Roesch
roesch at ...48...
http://www.snort.org
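The contrast Graham draws above, a string match on one percent-encoding versus decoding the request and checking what it actually means, as an added example that is not Snort's, Whitehats' or Network ICE's code. The lax UTF-8 decoder is an assumption modelling the permissive server-side decoding the message describes (it is what turns "%c0%af" into "/" and "%c1%1c" into "\"), and the sample URIs in the test are constructed.

```python
from urllib.parse import unquote_to_bytes


def decode_utf8_lax(data: bytes) -> str:
    """Decode UTF-8 permissively: lead bytes are honoured even when the
    sequence is overlong (non-shortest form) or the trailing bytes lack the
    10xxxxxx continuation prefix.  Assumed model of the lenient decoder the
    message describes, not a copy of any real server's code."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b & 0xE0 == 0xC0 and i + 1 < len(data):        # 2-byte lead
            cp = ((b & 0x1F) << 6) | (data[i + 1] & 0x3F)
            i += 2
        elif b & 0xF0 == 0xE0 and i + 2 < len(data):      # 3-byte lead
            cp = (((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6)
                  | (data[i + 2] & 0x3F))
            i += 3
        else:                                             # plain byte
            cp = b
            i += 1
        out.append(chr(cp))
    return "".join(out)


def canonical_path(uri: str) -> str:
    """Percent-decode, lax-decode UTF-8, then fold '\\' into '/'."""
    return decode_utf8_lax(unquote_to_bytes(uri)).replace("\\", "/")


def is_traversal(uri: str) -> bool:
    """True when the canonical path climbs above the document root,
    whichever of the many encodings of '/' or '\\' was used."""
    depth = 0
    for seg in canonical_path(uri).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def grep_signature(uri: str) -> bool:
    """The single-encoding string match the message criticises."""
    return "%c1%1c" in uri.lower()
```

The grep signature fires only on the "%c1%1c" spelling, while the decoded check flags the "%c0%af" and three-byte variants too and stays quiet on a benign encoded separator inside a filename.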
