[Snort-users] "trons" Rules

counter.spy at ...348... counter.spy at ...348...
Fri Mar 1 10:30:20 EST 2002

Hey all,
having read the information about TRON on Robert Graham's website I decided
trigger a little discussion on protocol analysis - an issue that has been on
my mind
for some time now:

Robert Graham is known as a protocol geek and he prays his protocol
Alright, as far as I know snort does perform some kind of protocol analysis.
In his document 0103cansec.ppt (to be found in the "slides" directory on his
he compares "snortlike" pattern match against snort protocol analysis - all
very lucid, bene.

Now can somebody, please explain the difference between snort protocol
analysis and
BlackICE protocol analysis (might be somehow difficult, as the BlackICE
product, now
being integrated into RealSecure, was, still is and will forever be closed

I know that BlackICE detected all the NSS Group attacks, but I also know
that snort
made an excellent job as well, despite the fact, that they had a rather
outdated version.

Any comments that are based on technical facts are greatly appreciated,
this informatin  could be of great help for my diploma thesis :-)

In addition, here are some snips of the TRON page (commented by me ;-) )

"....TRONS was reverse engineered from Snort signatures.."
big deal, its opensource! :-)

"...I didn't look at Snort source more from a politeness issue rather than
anything else..."
Oh..., wow! ;-)

...How does BlackICE compare to Snort? 
I prefer protocol-analysis for IDS signatures over pattern-match, of course,
which is why I chose that technology instead of pattern-match. The thing to
remember is that it is a different techique that gives you different
We can argue which results most people would prefer, but it would be foolish
to say that one technique is always better than another. In any case, this
is the wrong paper for such a discussion. 

so, lets discuss BlackICE protocol-analysis versus snort protocol-analysis
here on this list. I think this would be a proper discussion, comparing
that are compareable ;-)

In order to anticipate any complaints or misunderstandings:
This is not criticism of Robert Grahams work or Robert Graham himself.
In the opposite, I have great respect for this man and his work and very
appreciate that he is always sharing his knowledge with the public.
I just would like to heat some discussion ;-)

D. Liesen

GMX - Die Kommunikationsplattform im Internet.

GMX - Die Kommunikationsplattform im Internet.

More information about the Snort-users mailing list