[Snort-users] [Emerging-Sigs] Matt Jonkman in the new Hakin9

Jason Wallace jason.r.wallace at ...11827...
Tue Feb 1 11:58:24 EST 2011

Nice article, but I don't think I'd agree with a lot of it's content.

"[ ... ]NO security product is 100%. I’d argue that most security
tools at the absolute best will get about 70% of your badness."

-- I understand the point being made with that statement (and I agree
with it), but anytime a vendor (or potential vendor) puts a number or
percentage to a statement the first thing I ask for is their data set.
In my opinion, that statement would have been better served as "will
get most but not all of your badness."

"[ ... ] NSS I think focuses far too much on hitting a signature for
every CVE out there while leaving malware and other issues off to the

-- I do not work for NSS, but I can see a good reason for this method
of comparison. Even if they added samples from the top 100 malware
threats to their testing, that test would be valid for a limited
amount of time. Malware moves fast. 60 days later their test results
would be questionable. Tying testing to specific vulnerabilities
(vulnerabilities...not exploits) improves the shelf life of their

"An effective IDS ruleset HAS to cover malware."

-- In my opinion, I[DP]S is not the answer to malware. "Many of those
will not happen while the computer is on your network [ ... ]" That is
why IDS has limited value when it comes to malware. I do not think IDS
should ignore malware, but at most it should be seen as a second or
third layer of protection. Patching, privilege reduction, and content
filtering _at the asset level_ combined with user education will
always be better primary levels of defense then IDS for this type of
threat. An infected asset (on or off your network) constitutes a
failure in your security program. That failure should initiate some
sort of action/response. If the user was off-site when the infection
occurred (and ~85% of our malware infections occur off-site, and yes I
have that data) there is no direct action I can take from a network
based IDS perspective to prevent a recurrence of that infection. If it
is not directly actionable, it should not be considered a primary
defense layer. If it is not a primary defense then it does not HAVE to
cover it. Coverage would, at that point, be a value add.

"You can have high throughput, reliable, secure, manageable and
inexpensive. All of those exist, but not at the same time."

-- That is not true, at least that is not true all of the time. The
only real wildcard there is "inexpensive." That is only a wildcard
because it is based on the organizations point of view. At the small
private .edu I use to work for "inexpensive" meant something very
different than it did at the multi-billion dollar company I worked for
at a different time. I would say the solution we have in place where I
currently work meets all 5 of those categories from our point of view.
Is it perfect? No. No solution will ever be perfect. But it meets the
high expectations I require from an IPS solution. It would not,
however, be considered inexpensive at the .edu I mentioned previously.
When I find areas that need to be improved, I let the vendor know.
Their responsiveness to those issues plays a role in whether they
continue to be our solution or not.

The biggest issue I had with that article (until I dug deeper) was this...

"I believe we need to as consumers realign what we read into those
marketing phrases, and reconsider what we should allow to be
acceptable for the rhetoric."
[ ... ]
"We’ve just gone through launch, and have spent a lot of time
developing our marketing slang. We purposely chose to use the term
comprehensive to describe our ruleset."
[ ... ]
"We did not choose to use the term Complete. I don’t think any
security product can nor should give the impression that they’ll catch

Sounds great, but while the main page of the ET Pro web site (which
will set many potential customer's initial impression) is entitled
"the comprehensive ruleset" the first paragraph on the ET PRO website
however is titled "Complete Coverage." That put me off a little bit
until I read the "the rules > coverage" page which does use
"comprehensive" as opposed to "complete." Purposeful rhetoric? No, of
course not, but that inconsistency immediately stood out when I went
from the article directly to the main page of the ET Pro website.

All my previous points are obviously my opinion and can be argued
either way, and I don't think there is a "right answer" that fits
everyone's views points on IDS/IPS. While I do not agree with
everything Matt said, I think the article did explain his point of
view and vision. Thanks for the interesting read.


More information about the Snort-users mailing list