Firewall Wizards mailing list archives
Re: Recording slow scans
From: "Donald Martin" <grey () usa net>
Date: Wed, 14 Oct 1998 12:11:37 -0000
I need to clarify something. I should probably hold my tongue, but I want to understand how this works. I mentioned NFR to a client of mine several months back at the earliest possible opportunity. I had followed NFR on the lists and examined the notes and such that came with the package I downloaded from the web. The client expressed an interest and I immediately contacted MJR via email to ask about a commercial license. The response was that I could try NFR, play with it a bit, possibly write some agents and such and if the client wanted to purchase the product, I'd have to contact a certified NFR agency. I asked, of course, "How much does it cost to get certified?"

Here is my point... NFR is not free. It costs money to become a certified installer or to purchase the product for commercial use. So, am I not understanding something here? In what way are you asking people to give back to the community? You are selling NFR and you're charging an arm and a leg to become certified in order that other people can sell your product commercially. Either we have a contradiction in terms of commercial use, or I'm missing something. If I write an agent, and give it to you, it's enhancing your product thereby allowing you to possibly charge more for it or sell more products by possibly being more competitive. You're only giving NFR away if people don't intend to use it commercially.

I really didn't want to open my mouth as MJR was very cool in my communications with him and I appreciated the opportunity to play with NFR. I really like NFR, and I think it's hot, but these companies that can afford xxx dollars to become certified installers aren't the folks that are going to spend their time writing agents and giving back to the 'community'. They are making $250/hour installing security products and such. It's people like me that would write those agents, and I'm not going to give anything back to the 'community' that is charging me a mint to become certified in order that I can sell the very same product which I've helped to build.

This could very easily be taken out of context, please don't. If there is an opportunity for me to get involved with NFR more intimately and use it at my clients' sites without bringing some other network security organization into the picture I'd be most pleased. I actually *HOPE* I've misunderstood something here... and it's been a while since I've had any such communications with MJR.

gg

-----Original Message-----
From: Marcus J. Ranum <mjr () nfr net>
To: Crispin Cowan <crispin () cse ogi edu>; Darren Reed <darrenr () reed wattle id au>
Cc: spb () incyte com <spb () incyte com>; firewall-wizards () nfr net <firewall-wizards () nfr net>
Date: Wednesday, October 14, 1998 3:23 PM
Subject: Re: Recording slow scans
Crispin writes:
> I don't see a whole lot of open-source IDS-ware floating around. On the other hand, there are a lot of commercial, closed-source IDS products out there.

As far as I'm aware, NFR is the only open source commercial IDS tool out there. There are a couple of other IDS systems that you can get source for, if you're in the gov't. But my impression is that you wouldn't want it once you had it. There are other good pieces of software out there (Bro, Argus, NNstat, tcpdump) which can be used to make IDS-ware. It's just a matter of putting your code where your mouth is.

> If there was an IDS toolkit,

there is.... That's what NFR *IS* ....

> then open source coders could write clever new instruments, fine tune stuff, debug stuff, contribute enhancements back into the community ... you know, that cool stuff that open-source people tend to do if you let them.

That *COULD* but they haven't been so far. NFR has been out for quite a long time and the amount of actual contributed stuff from the community (Hi Mudge! Hi Stuart!) has been disappointingly small. We've welcomed it all along, and have tried to encourage it - our approach of using an interpreted language means that the whole system is completely open to such things.

The notion of people writing clever new stuff, fine tuning, and contributing back to the community sounds very nice in a kind of armchair pink sort of way but that's not the reality of how things are working at this point in the 'net's development. Especially not with something like IDS that is seen as so valuable. We know there are lots of con$ultants out there taking NFRs and writing IDS and monitoring tools and selling them to customers - not contributing back to the community or even to the folks who built the software they're making the money off of. :( (*AND* they are violating our license by doing so)

So don't lecture about how sweet it'd be if everyone just pitched in - Everyone has had plenty of chances to just pitch in and as far as any of us can tell the majority are just sitting back and whining that it's not turnkey and doesn't have 8,000 attack signatures already.

> This kind of open source development model seems particularly well-suited to the IDS problem, where you have the following characteristics:

Of course I agree with you. That's why we made our software open source...

> * Needs lots of fine-tuning: many hands can do that in parallel.

...but they're not.

> * Data-dependent: different people have access to different data sources

Yeah, thought of that, too.

> * Different information streams: IDS instruments can be inserted in lots of places, if they can find a convenient fire-alarm to pull

Yup.

> An IDS-TK seems like a very fine thing indeed. Is there one?

We think so. BTW, NFR's license terms are basically the same as the firewall toolkit's were (Yeah, I did that, too). Fwtk was a big success. *BUT* don't give me a lot of crap about how much the community contributed there, either. There were a few patches and Wietse Venema contributed some assistance, but in general it was the same thing: whine, whine, whine, why don't you just give us a free firewall that does everything checkpoint does and more and by the way I need to have no clues to install it?

I'm a big proponent of open source but I think that NFR is the last time I'm going to do that. Next time I develop a cool concept, it'll be patented 20 ways to Sunday, venture-backed, 100% proprietary, and I'll start suing anyone who even talks about making a free product that remotely resembles it. :)

I find it amusing that you're having this discussion with Darren, who also has done considerable good work in the community by making ip_filt available. I don't know if his experience matches mine, but I doubt he's gotten a whole lot of "pitching in" from all over the 'net. Tell me Darren, what's the whine-to-help ratio on ip_filt? For the fwtk, I'd put it at 100:1 and for NFR it's closer to 2000:1.

But hey don't take my word for it. Write a GPL IDS toolkit for us, post it, and watch everyone make money off you while asking you to support them. It'll give you a warm feeling. :)

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr