[Snort-sigs] [Emerging-Sigs] Surprised by snort classtype.

evilghost at ...3397... evilghost at ...3397...
Tue Jan 19 13:29:41 EST 2010


I was going to sit on the sidelines for this one since Matt already 
covered it. Jerry, I've found that things like this can certainly 
influence a purchase decision, especially when higher-level management 
is involved. Arguing the technical merits of a product is often 
impossible once a negative non-enterprise perception exists. Guise is at 
fault for "not scrubbing the bits" but this nomenclature, legacy or not, 
persists in the current Snort manual and is not something I would want 
or expect in an enterprise-class product.

Got to be careful with the live data...

-evilghost

Jerry wrote:
> Hi Guise,
>
> Guise McAllaster wrote:
>   
>> Gents,
>>
>> Yesterday I was tasked with giving an executive level presentation to the
>> CISO and CFO 
>>     
>
> I expect someone from SourceFire folks might get an explanation for 
> these legacy signatures.
>
> As for Snort enterprise failure, I wonder if you're looking for a leading 
> IPS vendor to protect your company or you give up and choose IDS 
> according to "it seems cool". It seems ridiculous to me to evaluate the 
> benefit of SF IPS by classification names. I wonder if shellcodes, 
> exploits and such things matter in your choice and choice of your C* 
> management. In my opinion an "Enterprise-Ready" IPS should be able to 
> detect, block, alert and log threats. Rejecting "Snort" for "not cool 
> sound of alerts" sounds to me like "not purchasing certain type of car 
> because of the color the radio has".
>
> When you're evaluating something for your company, I'd expect you to use 
> all possible knowledge and skills for that before. You can easily get 
> rid of such signatures by simply disabling and ignoring them... or you 
> can change them into something that really does not offend your superiors.
>
> If you've used all your skills to enable such signatures (I believe they 
> are disabled by default) in my opinion you can't blame SF for that. It 
> has been your choice and your decision that brought those signatures in 
> front of your superiors.
>
> Regards
>
> Jerry