[Snort-users] "trons" Rules

counter.spy at ...348... counter.spy at ...348...
Fri Mar 1 10:30:20 EST 2002


Hey all,
having read the information about TRON on Robert Graham's website I decided
to
trigger a little discussion on protocol analysis - an issue that has been on
my mind
for some time now:

Robert Graham is known as a protocol geek and he prays his protocol
analysis.
Alright, as far as I know snort does perform some kind of protocol analysis.
In his document 0103cansec.ppt (to be found in the "slides" directory on his
site)
he compares "snortlike" pattern match against snort protocol analysis - all
very lucid, bene.

Now can somebody, please explain the difference between snort protocol
analysis and
BlackICE protocol analysis (might be somehow difficult, as the BlackICE
product, now
being integrated into RealSecure, was, still is and will forever be closed
source).

I know that BlackICE detected all the NSS Group attacks, but I also know
that snort
made an excellent job as well, despite the fact, that they had a rather
outdated version.

Any comments that are based on technical facts are greatly appreciated,
because
this informatin  could be of great help for my diploma thesis :-)

In addition, here are some snips of the TRON page (commented by me ;-) )

"....TRONS was reverse engineered from Snort signatures.."
[snip]
big deal, its opensource! :-)

"...I didn't look at Snort source more from a politeness issue rather than
anything else..."
[snip]
Oh..., wow! ;-)

...How does BlackICE compare to Snort? 
I prefer protocol-analysis for IDS signatures over pattern-match, of course,
which is why I chose that technology instead of pattern-match. The thing to
remember is that it is a different techique that gives you different
results.
We can argue which results most people would prefer, but it would be foolish
to say that one technique is always better than another. In any case, this
is the wrong paper for such a discussion. 
[snip]
well...

so, lets discuss BlackICE protocol-analysis versus snort protocol-analysis
here on this list. I think this would be a proper discussion, comparing
things
that are compareable ;-)

In order to anticipate any complaints or misunderstandings:
This is not criticism of Robert Grahams work or Robert Graham himself.
In the opposite, I have great respect for this man and his work and very
much
appreciate that he is always sharing his knowledge with the public.
I just would like to heat some discussion ;-)

Greetings,
D. Liesen

-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net



-- 
GMX - Die Kommunikationsplattform im Internet.
http://www.gmx.net





More information about the Snort-users mailing list