[Snort-sigs] Re:Did anyone else notice...?

Bob Walder bwalder at ...636...
Mon Jun 17 07:40:02 EDT 2002


They kept that well hidden.....




-----Original Message-----
From: Stephen Schwing [mailto:stephen.schwing at ...435...]
Sent: 17 June 2002 15:10
To: counter.spy at ...52...
Cc: bwalder at ...636...; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Re:Did anyone else notice...?

By the way, trons is SNORT spelled backwards.

counter.spy at ...52... wrote:

Thanks for your reply, Bob.

We tested RealSecure 7.0 recently and played with the Trons feature. In no
way is it intended as "competition" for Snort - the performance would suck
if you tried to load the entire rule set and it does not support any of
preprocessors (thus can be evaded in various ways until they harmonise the
parsing path in the RealSecure PAM)

Okay, this is just what I expected. So the statements of the TRONS FAQ
from Robert Graham's website are still valid.

HOWEVER - as a means of adding custom sigs quickly and easily to
it does a pretty good job.

NOW - the Snort community could get all precious about this and vilify ISS
for "stealing" the Snort rule set (a bit strong!),

I do not think this would be a clever thing to do. The community should
actually be glad about this. The only thing I do not like is the aggressive
marketing of ISS. They tell the customer how cool this new feature of
including snortrules is, but they do not tell the customer any facts, such
as the total lack of statefulness of this module and that it's actually
not really integrating snortrules into RealSucure but utilizes a completely
separate detection engine.
However, I am currently having a discussion on the dragon mailing list about
whether or not statefulness is really important for an IDS.
Some folks say it's not important at all. Maybe for them, TRONS' lack
thereof is a minor issue ;-)

OR we could look on
as a huge endorsement of the Snort "language" and look forward to all the
benefits that widespread use and adoption of the Snort rule set will bring
in the future....

IMHO, this is A Good Thing! (As long as ISS doesn't start to try and
introduce "non-standard" features into Trons, of course!)

100% agreed :)


Bob Walder
The NSS Group

PS Please note that Edition 3 of our IDS report which includes the
RealSecure 7.0 review will not be published on our site until June 30 -
version that is up there at present is STILL VERSION 2, for those of you
have already downloaded

Thanks for the info. I cannot wait to get this report into my hands. :)
BTW: What about the gigabit report?
Will it now be for free or does NSS charge for it?
Does the report include additional solutions like the TopLayer switch and
other switches?
Thanks again.

Kind regards,

-----Original Message-----
From:  snort-sigs-admin at lists.sourceforge.net
[ mailto:snort-sigs-admin at lists.sourceforge.net]On Behalf Of
counter.spy at ...52...
Sent: 17 June 2002 08:27
To:  snort-sigs at lists.sourceforge.net
Subject: [Snort-sigs]  Re:Did anyone else notice...?

I have a completely different question regarding trons:
Snort is an opensource IDS. What about the sigs?
Aren't they under GPL as well? What about reusing data formats
of opensource systems for commercial use.
Shouldn't all derived software and all software that uses parts
of an opensource software, be it sourcecode or dataformats,
have to become opensource, too?

I am just curious, I don't want to set the dogs on, even if I
don't like the way ISS praises the TRONS feature.
A SR who visited us had a grin on his face which was meant to look
clever when he told us:
"Not that snort is a competitor we would fear, matter-of-factly we
are actually profiting on snort."

Another thing is that since TRONS is officially out, the link to the TRONS
FAQ on robertgrahams site has vanished. However still seems to be active, I
was able to find it in google. Strange, isn't it. Even more since the FAQ
was much more down-to-earth than the sales song and dance. The CTO himself
told that the feature compares poorly to snort, provides by no means a full
integration of snortrules into BlackICE and would be easily evaded by
fragroute and other tools.
Since TRONS is out officially I have read no new facts 'bout this feature.
Anybody knowing facts about the current TRONS?


Message: 3
Subject: Re: [Snort-sigs] Did anyone else notice...?
To: Jim Becher  <jim at ...632...>
Date: Fri, 14 Jun 2002 18:15:21 -0400 (EDT)
CC:  snort-sigs at lists.sourceforge.net
From: Michael Scheidell  <scheidell at ...249...>

Interesting.. they bash snort, and a year later say 'we are better because
we can use snort sigs'..

' http://bvlive01.iss.net/issEn/delivery/prdetail.jsp?type=&o


Standard User Defined Signatures . In addition to its advanced analysis
engine,... now has the ability to import most of
the published rules from Snort, an open-source intrusion detection


Users can now take advantage of Internet Security Systems. X-Press
Updates. and publicly posted open-source rules. This new feature also
enables companies to leverage their experience with unsupported
network-based intrusion detection systems and upgrade to a commercially
available, fully supported family of protection products without new
training for signature updates.

GMX - The communication platform on the Internet.



Stephen Schwing - Account Executive, Sourcefire Inc.
(410)290-1616 ext. 7565
Sourcefire: Professional Snort Sensor and Management Console Appliances
sschwing at ...435... -  http://www.sourcefire.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20020617/cb2fd149/attachment.html>
