[Snort-sigs] Re:Did anyone else notice...?

counter.spy at ...52... counter.spy at ...52...
Mon Jun 17 03:14:05 EDT 2002


Thanks for your reply, Bob.

> We tested RealSecure 7.0 recently and played with the Trons feature. In no
> way is it intended as "competition" for Snort - the performance would suck
> if you tried to load the entire rule set and it does not support any of the
> preprocessors (thus can be evaded in various ways until they harmonise the
> parsing path in the RealSecure PAM)

Okay, this is just what I expected. So the statements of the TRONS FAQ
from Robert Graham's website are still valid.

> HOWEVER - as a means of adding custom sigs quickly and easily to RealSecure
> it does a pretty good job.
> 
> NOW - the Snort community could get all precious about this and vilify ISS
> for "stealing" the Snort rule set (a bit strong!), 

I do not think this would be a clever thing to do. The community should
actually be glad about this. The only thing I do not like is the aggressive
marketing of ISS. They tell the customer how cool this new feature of
including snortrules is, but they do not tell the customer any facts, such
as the total lack of statefulness of this module and that it's actually
not really integrating snortrules into RealSecure but utilizes a completely
separate detection engine.
However, I am currently having a discussion on the dragon mailing list about
whether or not statefulness is really important for an IDS.
Some folks say it's not important at all. Maybe for them, TRONS' lack of
statefulness therefore is a minor issue ;-)

> OR we could look on this
> as a huge endorsement of the Snort "language" and look forward to all the
> benefits that widespread use and adoption of the Snort rule set will bring
> in the future....
> 
> IMHO, this is A Good Thing! (As long as ISS doesn't start to try and
> introduce "non-standard" features into Trons, of course!)

100% agreed :)

> Regards,
> 
> Bob Walder
> The NSS Group
> www.nss.co.uk
> 
> PS Please note that Edition 3 of our IDS report which includes the
> RealSecure 7.0 review will not be published on our site until June 30 -
> the version that is up there at present is STILL VERSION 2, for those of
> you who have already downloaded
> 

Thanks for the info. I cannot wait to get this report into my hands. :)
BTW: What about the gigabit report?
Will it now be for free or does NSS charge for it?
Does the report include additional solutions like the TopLayer switch and 
other switches?
Thanks again.

Kind regards,
Detmar

> 
> >> -----Original Message-----
> >> From: snort-sigs-admin at lists.sourceforge.net
> >> [mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of
> >> counter.spy at ...52...
> >> Sent: 17 June 2002 08:27
> >> To: snort-sigs at lists.sourceforge.net
> >> Subject: [Snort-sigs] Re:Did anyone else notice...?
> >>
> >>
> >> I have a completely different question regarding trons:
> >> Snort is an opensource IDS. What about the sigs?
> >> Aren't they under GPL as well? What about reusing data formats
> >> of opensource systems for commercial use.
> >> Shouldn't all derived software and all software that uses parts
> >> of an opensource software, be it sourcecode or dataformats,
> >> have to become opensource, too?
> >>
> >> I am just curious, I don't want to set the dogs on, even if I
> >> don't like the way ISS praises the TRONS feature.
> >> A SR who visited us had a grin on his face which was meant to look
> >> clever when he told us:
> >> "Not that snort is a competitor we would fear, matter-of-factly we
> >> are actually profiting on snort."
> >>
> >> Another thing is that since TRONS is officially out, the link to the
> >> TRONS FAQ on Robert Graham's site has vanished. However still seems to
> >> be active, I was able to find it in Google. Strange, isn't it. Even more
> >> since the FAQ was much more down-to-earth than the sales song and dance.
> >> The CTO himself told that the TRONS feature compares poorly to snort,
> >> provides by no means a full integration of snortrules into BlackICE and
> >> would be easily evaded by fragroute and other tools.
> >> Since TRONS is out officially I have read no new facts 'bout this
> >> feature.
> >> Anybody knowing facts about the current TRONS?
> >>
> >> Curious,
> >> Detmar
> >>
> >>
> >> >Message: 3
> >> >Subject: Re: [Snort-sigs] Did anyone else notice...?
> >> >To: Jim Becher <jim at ...632...>
> >> >Date: Fri, 14 Jun 2002 18:15:21 -0400 (EDT)
> >> >CC: snort-sigs at lists.sourceforge.net
> >> >From: Michael Scheidell <scheidell at ...249...>
> >> >
> >> >Interesting.. they bash snort, and a year later say 'we are better because
> >> >we can use snort sigs'..
> >> >
> >> >'http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=&oid=19302'
> >
> >Standard User Defined Signatures . In addition to its advanced analysis
> >engine,... now has the ability to import most of
> >the published rules from Snort, an open-source intrusion detection system.
> >Users can now take advantage of Internet Security Systems. X-Press
> >Updates. and publicly posted open-source rules. This new feature also
> >enables companies to leverage their experience with unsupported
> >network-based intrusion detection systems and upgrade to a commercially
> >available, fully supported family of protection products without new
> >training for signature updates.
> >
> 
> 
> 
> 
> --
> GMX - Die Kommunikationsplattform im Internet.
> http://www.gmx.net
> _______________________________________________________________
> 
> Sponsored by:
> ThinkGeek at http://www.ThinkGeek.com/
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> 
> 
