Dailydave mailing list archives
Re: News, dumbug, prediction rebuttals.
From: Anton Chuvakin <anton () chuvakin org>
Date: Fri, 23 Dec 2005 11:18:23 -0500
Thomas and all,
> (1) To paraphrase jwz, "Some people see a problem and say, 'hey, I'll use regular expressions to solve it!'. Now they have two problems." On Checkpoint Firewall-1 and Cisco PIX, you will have to convince me that my SIM needs to care about 10% of the possible log messages, or that those 10% are hard to recognize.
Well, as they say, "great question" :-) There are two popular answers to this one; some say that you are always interested in 100% of all messages by definition, since you truly never know which one might come in handy under the right circumstances. Yes, even the silly "%PIX-6-199003: Reducing Link MTU <dec>" might come in handy one day... In fact, the above opinion that you project indicates a somewhat dated view on SIM as a "filtering tool." BTW, before my vendor hat burns my head :-), I want to disclaim that I disagree with your prediction on merits and not to sell more of the relevant product (I would love to see how a popular future open source SIM will stack up against the current pricy commercial offerings...)
> (2) There are, last time I counted, 17,293 different templating ... entry" you're talking about? Have you looked at Freshmeat lately?
Point taken! :-) But writing a "Python application server" *once* is not the same as committing to writing and updating regexes for logs for the rest of your life...
> Anton, your product isn't dumb, boring, or particularly hard to replicate as an 80% solution. At my last job, we concerned ourselves with "bucketing" one out of every 100 connections made across the backbones of every service provider in the world. We were concerned about open-source competition. Why are you immune?
Well, I do not think that I am immune; it's just that the credible open-source competition didn't materialize and, as I stated above, likely won't materialize. And, indeed, creating a SIM is a very exciting thing!! However, the ongoing maintenance tasks are much more complicated than maintaining a, say, NIDS implementation.
> If there's a real need in the market for SIM products (and I'll state that as an "if", because, while my 2006 prediction implicitly gives SIM the benefit of the doubt, I haven't talked to a network security guy who relies on one yet), then over the next 12 months we're going to see a credible open-source response to it.
He-he, this is where it gets dangerous :-) And fun at the same time. Is it common wisdom that a market need always leads to the emergence of an open source solution?

Best,
--
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
http://www.chuvakin.org
http://www.securitywarrior.com
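As an added illustration of the two positions argued above (this is example code written for this archive page, not code from the thread or from any vendor's SIM): one generic regex recognizes the %PIX-severity-id header of every Cisco PIX message, so 100% of them are retained and indexed by ID, while per-ID field extraction regexes exist only for the few IDs someone chose to write and maintain. The message formats, the extractor set and the sample log lines are constructed approximations for illustration, not vendor documentation or real captures.

```python
import re

# Generic header every Cisco PIX/ASA syslog message carries: %PIX-<severity>-<6-digit id>: <text>
PIX_HEADER = re.compile(r"%(?P<device>PIX|ASA)-(?P<severity>[0-7])-(?P<msg_id>\d{6}):\s*(?P<text>.*)")

# Per-ID field extractors: the subset someone has to write and keep maintaining.
# Formats below are approximations written for this example, not vendor documentation.
FIELD_PATTERNS = {
    "106023": re.compile(
        r"Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
        r"dst (?P<dst_if>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+) by access-group \"(?P<acl>[^\"]+)\""
    ),
    "199003": re.compile(r"Reducing Link MTU (?P<mtu>\d+)"),
}

def parse_pix(line):
    """Normalize any PIX line (None if it is not one); fields only for IDs with an extractor."""
    header = PIX_HEADER.search(line)
    if header is None:
        return None
    # Every PIX message is retained with device, severity, id and raw text,
    # so nothing is dropped just because no per-ID regex exists yet.
    event = {
        "device": header.group("device"),
        "severity": int(header.group("severity")),
        "msg_id": header.group("msg_id"),
        "text": header.group("text"),
        "fields": {},
        "parsed": False,
    }
    extractor = FIELD_PATTERNS.get(event["msg_id"])
    if extractor is not None:
        match = extractor.search(event["text"])
        if match is not None:
            event["fields"] = match.groupdict()
            event["parsed"] = True
    return event

def coverage(lines):
    """Return (PIX messages retained, PIX messages with extracted fields) for a batch of lines."""
    events = [e for e in map(parse_pix, lines) if e is not None]
    return len(events), sum(1 for e in events if e["parsed"])

# Constructed sample syslog lines (RFC 5737 documentation addresses), not real captures.
SAMPLE_LOGS = [
    'Dec 23 11:18:23 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.7/40212 dst inside:192.0.2.10/22 by access-group "outside_in" [0x0, 0x0]',
    "Dec 23 11:18:24 fw1 %PIX-6-199003: Reducing Link MTU 1400",
    "Dec 23 11:18:25 fw1 %PIX-6-302013: Built inbound TCP connection 777 for outside:203.0.113.7/40213 to inside:192.0.2.10/443",
    "Dec 23 11:18:26 fw1 sshd[1201]: Accepted publickey for admin from 192.0.2.50",
]
```

Running `coverage(SAMPLE_LOGS)` on the constructed lines gives (3, 2): three PIX messages kept, two with extracted fields, and the third still searchable by ID and raw text.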