[Snort-sigs] Re:Did anyone else notice...?

counter.spy at ...52...
Mon Jun 17 13:47:04 EDT 2002


On the focus-ids at ...113... list, Robert Graham has just commented on the
TRONS feature in RealSecure 7. I take the liberty of forwarding it here:

---------------------------------- original message --------------------------------
--- Martin Roesch <roesch at ...435...> wrote:
> It should be noted that, last I heard, the TRONS engine doesn't have
> anything like the Snort preprocessor stack.  That being the case, it doesn't
> have anything approaching the stateful inspection, stream reassembly, ip
> defragmentation, application protocol normalization, etc capabilities of
> more recent Snort releases.  In other words, if the information I received a
> few months ago is still accurate, the TRONS engine is equivalent to Snort in
> the 1.5-1.6 era (late 1999 to mid 2000).
> 
> It's capable of running Snort rules, but is subject to trivial evasion
> techniques and essentially a stateless Snort rules processor, so I wouldn't
> sell it as a "Snort replacement" by any means.

In BlackICE, Trons was a wholly independent module; packets that got sniffed
off the wire were fed into two independent engines (Trons and "PAM"); then
events were combined at the other end back into a single stream.

RealSecure 7 does a bit more integration between the two modules, using the
core engine (called PAM - Protocol Analysis Module) to "pre-process" for Trons.
PAM does things like reassembling IP fragments, uricontent, RPC, and so forth.

The BIG thing missing is TCP stream-reassembly. I've been waiting to figure out
where Snort is going with "flows". PAM is inherently "flow" based; which makes
it hard to reassemble for the older Snort, but it is easy to integrate with the
yet-unreleased flow-based Snort.

In any case, the Trons module will never be a Snort replacement. It is there
for customers to add their own rules, as well as rules created by the entire
community. It is also there to allow us to better participate in that
community; e.g. the latest X-Force advisory contained a Trons/Snort rule
(though it had a minor bug with the SID, at least it's a start).

Robert Graham (developer of Trons, as well as PAM)
----------------------------- end of message ----------------------------------



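Roesch's point that a stateless rules processor is subject to trivial evasion and Graham's remark that TCP stream reassembly is the big missing piece describe the same mechanism from two sides: a `content:` match that only ever sees one packet at a time cannot see a string that straddles a segment boundary. The following is an added example, not code from Snort, RealSecure/TRONS or either author. It runs a toy content match once per packet (stateless) and once over a reassembled client-to-server byte stream (stateful). The segments, the sequence numbers and the rule content `/cgi-bin/phf` are constructed here, and `stateless_match`, `reassemble` and `stateful_match` are hypothetical names.

```python
"""Per-packet content matching versus matching on a reassembled TCP stream.

Added illustration, not code from Snort, RealSecure or TRONS. All segments,
sequence numbers and the rule content below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Segment:
    """One TCP segment of a single direction of a connection."""
    seq: int        # sequence number of the first payload byte
    payload: bytes  # application data carried by this segment


# Illustrative content string, standing in for a Snort-style `content:` option.
RULE_CONTENT = b"/cgi-bin/phf"


def stateless_match(segments: Iterable[Segment], pattern: bytes = RULE_CONTENT) -> bool:
    """Inspect every packet on its own, the way a stateless rules processor does."""
    return any(pattern in seg.payload for seg in segments)


def reassemble(segments: Iterable[Segment], isn: int) -> bytes:
    """Rebuild the contiguous byte stream starting at sequence number `isn`.

    Segments may arrive out of order or be retransmitted; only the contiguous
    prefix is returned, so a hole in the stream stops reassembly at that point
    (a real engine would buffer and wait for the missing segment).
    """
    stream = bytearray()
    expected = isn                      # next sequence number we still need
    for seg in sorted(segments, key=lambda s: s.seq):
        end = seg.seq + len(seg.payload)
        if end <= expected:
            continue                    # pure retransmission, nothing new
        if seg.seq > expected:
            break                       # gap: cannot extend the contiguous prefix
        stream.extend(seg.payload[expected - seg.seq:])  # drop overlapping bytes
        expected = end
    return bytes(stream)


def stateful_match(segments: Iterable[Segment], isn: int, pattern: bytes = RULE_CONTENT) -> bool:
    """Match the same content, but against the reassembled stream."""
    return pattern in reassemble(segments, isn)


# --- constructed sample traffic ---------------------------------------------
ISN = 1000
# The request in a single segment: both matchers see it.
SINGLE: List[Segment] = [Segment(ISN, b"GET /cgi-bin/phf HTTP/1.0\r\n\r\n")]
# The same request split mid-pattern across two segments: only the
# reassembling matcher sees it.  len(b"GET /cgi-") == 9, hence ISN + 9.
SPLIT: List[Segment] = [
    Segment(ISN, b"GET /cgi-"),
    Segment(ISN + 9, b"bin/phf HTTP/1.0\r\n\r\n"),
]
# Delivered out of order, with the first segment retransmitted once.
SPLIT_REORDERED: List[Segment] = [SPLIT[1], SPLIT[0], SPLIT[0]]


def demo() -> dict:
    """Return the four verdicts so they can be inspected or asserted on."""
    return {
        "single_stateless": stateless_match(SINGLE),
        "single_stateful": stateful_match(SINGLE, ISN),
        "split_stateless": stateless_match(SPLIT),
        "split_stateful": stateful_match(SPLIT_REORDERED, ISN),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:16s} -> {'ALERT' if verdict else 'no alert'}")
```

The reassembler here only handles the two cases Graham's remark is about, ordering and retransmission, and keys the stream on a single initial sequence number; a production preprocessor additionally tracks both directions of every connection, handles overlap policies per target OS, and bounds how much it buffers per flow, which is why it cannot be bolted onto a per-packet rule engine after the fact.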




