[Snort-users] RE: XML Plugins

David Stubblefield dstubblefield at ...7643...
Mon Nov 3 07:18:29 EST 2003


I had the same problems with it crashing on snort 2.0.2: I would get
segmentation faults.  I found a posting on snort-developers from Harry
at vigilantminds regarding a patch for XML for snort 2.0.2.  I
downloaded the patch, followed the instructions in the README, and it
works just fine.  I am running RH8 with snort 2.0.2.  Here is the
posting:

List:     snort-devel
Subject:  [Snort-devel] Patch: Updated XML patch for 2.0.2
From:     "Harry M. Leitzell III" <harry.leitzell () hushmail ! com>
Date:     2003-10-29 5:57:46

Howdie folks,
Here is an updated patch for the XML output of snort 2.0.2.  If there
is enough demand for it, I could move this into barnyard for the next
snort release.
I do work for Vigilantminds (the people who patched the original 2.0.0),
and I am subscribed to all the Snort lists through
harry.leitzell at ...8101...
and this hushmail account, so you can reach me through either address
if you like.

-Harry

["snort_xml_2.0.2.tar.bz2" (application/x-bzip2)]




Regards,
David Stubblefield
RagingNet


-----Original Message-----
From: snort-users-request at lists.sourceforge.net
[mailto:snort-users-request at lists.sourceforge.net] 
Sent: Thursday, August 28, 2003 8:26 AM
To: snort-users at lists.sourceforge.net
Subject: Snort-users digest, Vol 1 #3506 - 10 msgs

Send Snort-users mailing list submissions to
	snort-users at lists.sourceforge.net

To subscribe or unsubscribe via the World Wide Web, visit
	https://lists.sourceforge.net/lists/listinfo/snort-users
or, via email, send a message with subject or body 'help' to
	snort-users-request at lists.sourceforge.net

You can reach the person managing the list at
	snort-users-admin at lists.sourceforge.net

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Snort-users digest..."


Today's Topics:

   1. Xml Plugins (Neal Timm)
   2. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   3. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   4. ARP packets, exploits (chris)
   5. RE: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   6. Re: Re: [Snort-devel] IDS vs IPS (Mark Teicher)
   7. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham)
   8. Re: Rules for detecting spyware (Brian)
   9. Re: Microsoft DCOM RPC Worm Alert (Brian)
  10. RE: Re: [Snort-devel] IDS vs IPS (Gordon Cunningham)

--__--__--

Message: 1
From: "Neal Timm" <nealtimm at ...9090...>
To: <snort-users at lists.sourceforge.net>
Date: Wed, 27 Aug 2003 20:18:52 -0500
Subject: [Snort-users] Xml Plugins

We are currently running snort 2.1, having upgraded from 2.0.  We use the
xml plugin supplied by vigiliantminds.com.  We have had an issue with it
crashing on 2.0 and 2.1 on a regular basis.  Currently we are on about an
8 meg ISP pipe seeing about 20000 events a day.  We really need the xml
output from snort for our parsers.  I have tried to download the xml
patch from Cert also, but when I compile snort with the libih and libair
options snort does not recognize it and gives no xml plugin support.
Has anybody been able to get this to work at all?  Or does anyone know
of any other xml plugins that could be used with snort?
Any help is appreciated as this is a very big issue for our network.

Thanks,


Neal Timm
1400 Sleepytime Trl
Pflugerville, Tx 78660
(512)-670-1516





--__--__--

Message: 2
Date: Wed, 27 Aug 2003 22:21:52 -0600
To: Jason <security at ...5028...>,Frank Knobbe <frank at ...9761...>
From: Mark Teicher <mht3 at ...741...>
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: bwalder at ...1926...,'Jeff Nathan' <jeff at ...950...>,Vkmobile at ...661...,
 snort-devel at lists.sourceforge.net,snort-users at lists.sourceforge.net

I disagree. New IPS is not the natural evolution of the existing
firewall, it is the natural evolution of marketing hype!!! Good firewall
code just doesn't exist anymore, except for the Ultimate Firewall
toolkit....!!!

At 09:16 PM 8/27/2003, Jason wrote:

>Thanks, I think the matrix shows fairly well that the _new IPS_ is a
>natural evolution of the existing firewall.
>
>This is important to point out because there are existing investments
>in firewalls and these firewalls are rapidly closing the gap where
>needed. I know that CP has been moving in this direction for a while.
>It has also been my experience that they have been moving at an
>appropriate pace and the capabilities have been there when I've needed
>them.
>
>One final statement. You do not need the firewall to log content if
>you have an IDS that you can trust will not have a direct impact on
>the business should it be too critical of the data.
>
>You can also have confidence in your firewall because your IDS
>verifies what you told the firewall to do and covers your arse when
>you let something by because of business requirements or a human
>error.



--__--__--

Message: 3
Date: Wed, 27 Aug 2003 22:22:45 -0600
To: twig les <twigles at ...131...>,snort-users at lists.sourceforge.net
From: Mark Teicher <mht3 at ...741...>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

I am still waiting for people on the list to detail what an IPS actually
is and the underlying technology that makes it so attractive to large
enterprise entities.

/mark

At 09:20 PM 8/27/2003, twig les wrote:

>I agree with an early post on this thread that IPS is basically
>a BS marketing term. A buzzword like "B2B". IPS is not a BS
>*concept* but techs can not let marketing ppl define our lingo
>(since they don't understand what they are describing) or we
>risk mass confusion, which it seems is happening here. So IDS
>and firewalls seem to be doing some overlapping functions, good,
>I hope the functionality matures. But I think we should let the
>Powerpoint brigade argue over what to call things in pamphlets.
>
>It's been a long day so this may come across way more
>offensive-sounding than I mean it.
>
>--- Frank Knobbe <frank at ...9761...> wrote:
> > On Thu, 2003-08-28 at 01:46, Gordon Cunningham wrote:
> > > Black Ice Defender did this a few years ago... based on
> > signatures, the
> > > system could detect some attack types and automatically
> > react by preventing
> > > access from the source IP or port for some period of time.
> >
> >
> > Right. But don't you consider BlackICE an IPS instead of a
> > firewall?
> >
> > Regards,
> > Frank
> >
>
> > ATTACHMENT part 2 application/pgp-signature name=signature.asc
>
>
>
>=====
>-----------------------------------------------------------
>Emo is what happens when the glee club goes punk.
>-----------------------------------------------------------
>
>__________________________________
>Do you Yahoo!?
>Yahoo! SiteBuilder - Free, easy-to-use web site design software
>http://sitebuilder.yahoo.com
>
>
>-------------------------------------------------------
>This sf.net email is sponsored by:ThinkGeek
>Welcome to geek heaven.
>http://thinkgeek.com/sf
>_______________________________________________
>Snort-users mailing list
>Snort-users at lists.sourceforge.net
>Go to this URL to change user options or unsubscribe:
>https://lists.sourceforge.net/lists/listinfo/snort-users
>Snort-users list archive:
>http://www.geocrawler.com/redir-sf.php3?list=snort-users



--__--__--

Message: 4
From: chris <cfeldmann at ...4479...>
To: snort-users at lists.sourceforge.net
Organization: 
Date: 28 Aug 2003 00:53:41 -0400
Subject: [Snort-users] ARP packets, exploits

I am using snort behind shorewall at home because, frankly, I find IDS
interesting (write SQL for a living, which helps a bit), but I am an
admitted newbie. The preponderance of my logs (~95%) are ARP packets;
they really stack up. Since I am behind a fairly muscular firewall
configuration (there are a few ports open, e.g. ssh and http) would it
be a big deal to write a rule to just drop these (from the logs, not
drop the packets)? I can filter them (I guess, haven't tried yet) to an
ignored table in the DB, but are there exploits that would appear as
ARP-header packets? Is it obvious that I'm lazily posting when I could
find this online (I hate it when people do that)? Actually I have pulled
a bit of hair researching this before posting.

Thanks,
Chris



--__--__--

Message: 5
Date: Wed, 27 Aug 2003 23:36:06 -0600
To: Frank Knobbe <frank at ...9761...>,twig les <twigles at ...131...>
From: Mark Teicher <mht3 at ...741...>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: snort-users at lists.sourceforge.net

Can't call it that. You will infringe on the www.intrusion.com or
www.innerwall.com claim to fame.. :)

Inline IDS is a proven technology, IPS is not..  All the small fish were
gobbled by the bigger fish, and are in the midst of re-tooling..

/mark


At 09:53 PM 8/27/2003, Frank Knobbe wrote:

>On Thu, 2003-08-28 at 03:20, twig les wrote:
> > I agree with an early post on this thread that IPS is basically
> > a BS marketing term.
> > [...]
> > It's been a long day so this may come across way more
> > offensive-sounding than I mean it.
>
>heh... not at all. I used to prefer GIDS or Inline IDS, but I've come
>to realize that it does contain firewall like elements so xIDS may not
>be appropriate.
>
>Since it's somewhat an equal marriage of them, we should probably call
>it an Intrusion Wall, or IW. It's just that 'prevention' sounds so sexy
>:)
>
>Frank
>



--__--__--

Message: 6
Date: Wed, 27 Aug 2003 23:37:31 -0600
To: Frank Knobbe <frank at ...9761...>,Jason <security at ...5028...>
From: Mark Teicher <mht3 at ...741...>
Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
Cc: snort-devel at lists.sourceforge.net,snort-users at lists.sourceforge.net

At 09:47 PM 8/27/2003, Frank Knobbe wrote:

><mht> Some vendors are already introducing their products as a hybrid
>IDS and Forensics.  NAI recently announced the Intellistream box..
>Linux with 3 terabytes of storage.


/mark


>I probably made this prediction before, but here is a good place to do
>it again. Mark my words :) "We will see a new breed of software become
>popular soon which is a merger of IDS and forensics software".
>
>Cheers,
>Frank
>
>
>
>



--__--__--

Message: 7
Reply-To: <gacunningham at ...163...>
From: "Gordon Cunningham" <gacunningham at ...163...>
To: <snort-devel at lists.sourceforge.net>,
	<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Date: Thu, 28 Aug 2003 10:16:03 -0400

Yes, we *ARE* seeing convergence in products like BlackIce (which I do
consider a firewall+IDS - but not a router - I used to use it as my home
DSL firewall with a dual-NIC machine and it worked very well during the
height of Code Red), and the Cisco NIDS system's ability to interact
with Cisco switches, routers and firewalls to provide reactive hardening
upon threat detection.  The problem, IMO, is that sufficient granularity
has been lacking, possibly due to traffic levels and speed of detection
issues to say nothing of the rulebase size, and the nature of networks
to often have many types of inappropriate traffic appear as legitimate
traffic or vice versa.  And now we are adding a 4th dimension - time -
how do you differentiate not only by host, protocol, port and payload,
but now differentiation changes over time?

While some firewall vendors will have a tough time making the leap from
stateful inspection, those with application/proxy level (IP stack)
firewalls (remember Raptor?) might be more comfortable dealing with
packet payloads and traffic analysis, IMO.  IPS is just another spin on
this convergence, attempting to make it "one box" or one methodology,
but either way it is the next step - an integration.

But it will be the specialists teaming with the big boys that pull this
off - unless someone really misses the mark, that's usually how the
evolution (not revolution) in IT usually goes.


- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of Bob
Walder
Sent:	Thursday, August 28, 2003 5:15 AM
To:	'Jason'; 'Frank Knobbe'
Cc:	bwalder at ...1926...; 'Mark Teicher'; 'Jeff Nathan';
Vkmobile at ...661...;
snort-devel at lists.sourceforge.net; snort-users at lists.sourceforge.net
Subject:	RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

One important distinction

Firewalls are about policy enforcement - IDS and IPS are about detection
(as of THIS moment in time)

I still see the IPS as an evolution of the IDS and not the firewall. In
my opinion, the firewall is itself gonna have to evolve pretty damn
quickly to stop the IPS going the whole hog and taking over its job too.

YES - the two technologies have similar aims and will undoubtedly
converge. BUT, who do you see winning the race? In my opinion, the guys
who already have the flashy hardware and solid IDS/IPS technology will
have an easier time of it than the firewall vendors (i.e. the likes of
Tippingpoint and Intruvert/NAI).

By the way - why not ask NetScreen how hard it is to integrate IPS and
firewall technology?! They already had a firewall appliance - if it is
really that easy to converge these technologies (or if there really
isn't a difference between them in the first place) then why have we not
seen their IPS technology already fully integrated into their fancy
firewall platform?

Cisco is well placed to do this job too - it has the big switches which
could take a flashy new IPS/IDS/firewall blade, and the in-house
expertise with both firewall and IDS technologies. AND it understands
how important it is for this stuff to be rock solid and scalable. Both
Intruvert and Tippingpoint could probably also make a decent fist of it.

But... It ain't easy! It will be a while before these things do
converge, and until then I foresee a number of religious arguments over
which technology is best, which technology is pure marketing hype, which
technology came first, blah, blah, blah (i.e. a bit like this thread...
;o)

Oh... And no way am I advocating that any one of these technologies can
displace the others right now - they all have their place. On my network
I have two firewalls at the perimeter for the policy enforcement stuff
(i.e. that's where I say "allow HTTP to this server on my DMZ, don't
allow Telnet to anything, allow FTP to that server on my DMZ, and so
on...). Behind those I have an IPS - also at the perimeter - to catch
the bad stuff that the firewall lets through (i.e. the firewall says let
through HTTP traffic, but there is a lot of nasty stuff that could ride
on the back of that). And finally, I have IDS systems on the DMZ and
internal networks just so I can mop up anything that might get through
owing to the fact I don't want my IPS to block absolutely everything
('cos it's just not ready for that yet!)

I would LOVE to have just the one box for this.... But it's just not
available...sorry

Regards,

Bob



>> -----Original Message-----
>> From: Jason [mailto:security at ...5028...]
>> Sent: 28 August 2003 05:17
>> To: Frank Knobbe
>> Cc: bwalder at ...1926...; 'Mark Teicher'; 'Jeff Nathan';
>> Vkmobile at ...661...; snort-devel at lists.sourceforge.net;
>> snort-users at lists.sourceforge.net
>> Subject: Re: [Snort-users] Re: [Snort-devel] IDS vs IPS
>>
>>
>> Thanks, I think the matrix shows fairly well that the _new IPS_ is a
>> natural evolution of the existing firewall.
>>
>> This is important to point out because there are existing investments
>> in firewalls and these firewalls are rapidly closing the gap where
>> needed. I know that CP has been moving in this direction for a while.
>> It has also been my experience that they have been moving at an
>> appropriate pace and the capabilities have been there when I've
>> needed them.
>>
>> One final statement. You do not need the firewall to log content if
>> you have an IDS that you can trust will not have a direct impact on
>> the business should it be too critical of the data.
>>
>> You can also have confidence in your firewall because your IDS
>> verifies what you told the firewall to do and covers your arse when
>> you let something by because of business requirements or a human
>> error.
>>
>> Frank Knobbe wrote:
>>
>> > On Wed, 2003-08-27 at 18:36, Jason wrote:
>> >
>> >>Bob Walder wrote:
>> >>
>> >>>My 0.02 worth is that a Network IPS (NIPS) is a device with two
>> >>>interfaces that operates in-line to detect suspicious traffic and
>> >>>INSTANTLY discard the offending packet and the rest of the
>> >>>suspicious flow.
>> >>
>> >>What we have here is a definition of an IPS that matches pretty
>> >>closely what firewalls have been able to do for some time.
>> >
>> > Not quite. There are differences in the way firewalls and intrusion
>> > detection systems analyze data. For example, I have not seen a
>> > firewall that can identify a CodeRed attempt by name. Yeah, you can
>> > block HTTP methods and put limiters on URL's etc (you mentioned CP
>> > as an example which can do that with HTTP content stuff). But I
>> > have not come across a firewall with a 'signature set' like IDS'
>> > have them......yet.
>> >
>> > It is true that most firewalls are under-utilized. However, an IPS
>> > (being based on an IDS) has capabilities beyond a firewall. Policy
>> > violations (or network flow anomalies) can be detected by firewalls
>> > and cause some sort of reaction/enforcement (CP's SAM is one
>> > example). However, firewalls don't have statistical anomaly
>> > detection like some IDS' do.
>> >
>> > Let's draft a matrix of capabilities:
>> >
>> > Metric      |  Firewall      |  IDS           |  IPS
>> > -----------------------------------------------------------
>> > Signature   | Limited packet | Extensive      | See IDS
>> > Analysis    | inspection     | signature sets |
>> >             | due to lack of | allow wide     |
>> >             | rule set defin.| pattern match  |
>> > -----------------------------------------------------------
>> > Protocol    | Mostly present | Present        | Present
>> > validation  |                |                |
>> > -----------------------------------------------------------
>> > Traffic flow| Present, that's| Present        | Present
>> > Anomaly Det.| what they do   |                |
>> > -----------------------------------------------------------
>> > Statistical | Absent         | Present        | Absent (???)
>> > Anomaly Det.|                |                | (as of today)
>> > -----------------------------------------------------------
>> > Packet Log  | Logging mostly | Capable of     | See IDS
>> >             | high level     | logging content|
>> > -----------------------------------------------------------
>> > Protocol    | Present        | Absent         | Present
>> > normaliza-  |                |                |
>> > tion        |                |                |
>> > ===========================================================
>> > Activity    | Active         | Mostly Passive | Active
>> >
>> >
>> > If someone wants to take this further, feel free. But as you can
>> > see, IPS and firewalls are not quite alike (but neither are IPS
>> > and IDS! :)
>> >
>> > Regards,
>> > Frank
>> >
>>







--__--__--

Message: 8
Date: Thu, 28 Aug 2003 11:16:01 -0400
From: Brian <bmc at ...950...>
To: Marc Quibell <mquibell at ...7759...>
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Rules for detecting spyware

On Mon, Aug 11, 2003 at 09:54:49AM -0500, Marc Quibell wrote:
> I've done a little checking, so far no luck. I wonder if it's possible
> to setup some Snort rules for detecting spyware data. I'll keep looking
> for the actual data content of such packets, but does anyone already
> have some rules? TIA!

Sure it's possible to detect spyware.  Do we do it currently?  Nope.  But
that's because I don't have packet captures for it.  The easiest method
for finding packets is to install the spyware in question, then sit back
and watch.  :)

-brian


--__--__--

Message: 9
Date: Thu, 28 Aug 2003 11:24:15 -0400
From: Brian <bmc at ...950...>
To: David <dwad24 at ...722...>
Cc: snort-users at lists.sourceforge.net, rreid at ...7835...
Subject: Re: [Snort-users] Microsoft DCOM RPC Worm Alert

On Tue, Aug 12, 2003 at 11:56:26AM -0400, David wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 135 \
> (msg:"DCE RPC Interface Buffer Overflow Exploit"; \
> content:"|00 5C 00 5C|"; \
> content:!"|5C|"; within:32;\
> flow:to_server,established; \
> reference:bugtraq,8205; rev: 1;)

This rule is easily evadable.

Sure, the vulnerability is predicated on an overly long path.  That
doesn't mean the service validates the path before it attempts to deal
with it.  Take any of the exploits and change the path from
\\[lotsocrap]\C$\123456111111111111111.doc to random crap and it will
still crash the service.

-brian
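As an added illustration of the evasion Brian describes (example code
written for this page, not from the thread, from Snort, or from any
exploit), the Python below replays the two content checks of the rule
David posted against a few constructed payloads. The byte constants
mirror the rule; rpc_string, rule_matches, evaluate and the payloads are
names and stand-ins chosen here, not captures. The code ignores the
rule's flow: and port conditions, assumes Snort tries every occurrence
of the first content before giving up, and says nothing about whether the
RPC service actually crashes on a given path; that part is Brian's claim.

```python
# Added example: replay the posted rule's content checks over constructed
# RPC-style payloads. Not part of the original thread and not Snort code.

MARKER = b"\x00\x5c\x00\x5c"   # content:"|00 5C 00 5C|"
BACKSLASH = b"\x5c"             # content:!"|5C|"
WINDOW = 32                     # within:32, relative to the end of the previous match


def rule_matches(payload: bytes) -> bool:
    """Return True when both content checks of the posted rule succeed.

    The first content may match at any offset; the negated second content
    then requires that no 0x5C byte appear in the 32 bytes that follow the
    first match.  Assumption made here: every occurrence of MARKER is
    tried, and the rule fires as soon as one of them has a clean window.
    """
    start = 0
    while (i := payload.find(MARKER, start)) >= 0:
        end = i + len(MARKER)
        if BACKSLASH not in payload[end:end + WINDOW]:
            return True
        start = i + 1
    return False


def rpc_string(path: str) -> bytes:
    """Constructed stand-in for the path as it sits in the request body:
    UTF-16LE text preceded by a zero byte (e.g. the last byte of a
    little-endian character count), which supplies the rule's leading 00."""
    return b"\x00" + path.encode("utf-16-le")


# Constructed payloads.  The first mirrors the \\host\C$\...doc shape Brian
# quotes; the other two change the path the way he describes.
PAYLOADS = {
    # long server name: no backslash for well over 32 bytes after the marker
    "unc_long_host": rpc_string(
        "\\\\" + "A" * 200 + "\\C$\\123456111111111111111.doc"),
    # "random crap" of the same order of length with no UNC prefix at all,
    # so the |00 5C 00 5C| marker never appears
    "no_unc_prefix": rpc_string("Z" * 230),
    # keeps the \\ prefix but puts a backslash inside the 32-byte window,
    # which defeats the negated content
    "backslash_in_window": rpc_string("\\\\" + "AAAA\\" * 50),
}


def evaluate(payloads=PAYLOADS) -> dict:
    """Map each payload name to whether the rule would alert on it."""
    return {name: rule_matches(data) for name, data in payloads.items()}


if __name__ == "__main__":
    for name, alerted in evaluate().items():
        print(f"{name:22s} alert={alerted}")
```

Only the first payload alerts. The other two keep an arbitrarily long
path while stepping outside the bytes the rule keys on, which is the
point of Brian's remark: the signature describes one exploit's path
string, not the overflow condition.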


--__--__--

Message: 10
Reply-To: <gacunningham at ...163...>
From: "Gordon Cunningham" <gacunningham at ...163...>
To: "Mark Teicher" <mht3 at ...741...>,
	"twig les" <twigles at ...131...>,
	<snort-users at lists.sourceforge.net>
Subject: RE: [Snort-users] Re: [Snort-devel] IDS vs IPS
Date: Thu, 28 Aug 2003 11:24:30 -0400

Ok, for me, IPS is a class of systems, not a single hardware device.  It
includes firewalls, routers, IDS and whatever convergence of those
systems is seen.  Whether we include security policy in the definition,
yes if we talk about a general enterprise system, no if we refer to
hardware devices.

Who coined the term and how do they define it?

- Gordon

"The software said it requires Windows 98 or better, so I installed
Linux..."

 -----Original Message-----
From: 	snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net]  On Behalf Of Mark
Teicher
Sent:	Thursday, August 28, 2003 12:23 AM
To:	twig les; snort-users at lists.sourceforge.net
Subject:	RE: [Snort-users] Re: [Snort-devel] IDS vs IPS

I am still waiting for people on the list to detail what an IPS actually
is and the underlying technology that makes it so attractive to large
enterprise entities.

/mark








--__--__--

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-users


End of Snort-users Digest




