[Snort-sigs] question :: interest in testing SENF preprocessor for Snort?

Beasley, Cam cam at ...2156...
Thu Jul 25 23:46:56 EDT 2013


hi Joel --

we've found it works 1000% better.. it doesn't crush you with false positives and doesn't waylay your sensor if your flows are 10-20Gbps.

we've deployed this across a state-wide network serving over 800,000 endpoints we monitor.  the major egress points average 15Gbps and burst upwards of 40Gbps..
the false positive rate for SF's solution is in the 100K/day range for us..  our preprocessor is in the couple dozen range/day and it is extremely accurate.
we've been using this since 2007 to serve higher education institutions, hospitals, municipalities, etc.

we believe it is proven and ready for others to test drive.

~cam.

On Jul 25, 2013, at 2:24 PM, Joel Esler <jesler at ...435...> wrote:

> How is this different than the Sensitive Data preprocessor that is already
> built into Snort?
> 
> 
> On Thu, Jul 25, 2013 at 2:44 PM, Beasley, Cam <cam at ...2156...> wrote:
> 
>> 
>> all --
>> 
>> we've developed what we think to be a very efficient and effective Snort
>> preprocessor for identifying SSNs, CCNs, MRNs (Medical Record Numbers), and
>> other personally identifiable strings of data and we are wondering if there
>> are any others who might be interested in testing this out with us.
>> 
>> we've been running this on Sourcefire appliances serving networks that
>> steadily operate at 20+Gbps since 2007 with great results..  we've managed
>> to keep the false positive rate extremely low and the preprocessor adds
>> minimal load to the sensors -- plus it outperforms the existing snort dlp
>> preprocessor by a good deal.
>> 
>> we're looking for a few testers who we would extend a customer license to
>> at no cost.  we'll help you get the preprocessor set up and we'd simply ask
>> that you tell us how it performs for you.
>> we'd like to get at least two open source snort users and one Sourcefire
>> user.
>> 
>> feel free to contact me offline if you have questions or would like to
>> participate.
>> 
>> thanks,
>> 
>> ~cam.
>> 
>> 
>> 
>> Cam Beasley
>> Chief Information Security Officer
>> Information Security Office | UT Austin
>> cam at ...2156... | 512.475.9476
>> http://security.utexas.edu
>> ===============================
>> 
>> 
> 
> 
> 
> -- 
> Joel Esler
> Senior Research Engineer, VRT
> OpenSource Community Manager
> Sourcefire
