IDS mailing list archives

RE: Snort vs Hogwash vs bait future


From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Wed, 16 Apr 2003 20:28:18 -0700

Hogwash actually has been out longer; folks just started hearing about it
around that time. Bait N Switch currently uses the Snort engine (with the
snort patch), and the functionality _is_ currently built into the new H2
engine. We aren't an IPS, so as of right now we don't need our own engine.
The main page on [1] tells you what exactly the project aims for. Here is a
snippet directly from our site.

"Project Definition: The Bait and Switch Honeypot is a multifaceted attempt
to take honeypots out of the shadows of the network security model and to
make them an active participant in system defense. To do this, we are
creating a system that reacts to hostile intrusion attempts by redirecting
all hostile traffic to a honeypot that is partially mirroring your
production system. Once switched, the would-be hacker is unknowingly
attacking your honeypot instead of the real data, and your clients and/or
users are still safely accessing the real system. Life goes on, your data
is safe, and you are learning about the bad guy as an added benefit. The
system is based on Snort, Linux's iproute2, netfilter, and custom code for
now. We plan on adding additional support in the future if possible."

We plan to add support for other OSes as well as Prelude in the NEAR
future... whenever our damn jobs give us any free time :-(

Cheers,
Alberto Gonzalez

[1] - http://baitnswitch.sf.net/ 



---
"Success comes to the person who does today, what you are thinking of
doing tomorrow." 
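To make the "switch" in the project definition above concrete, here is an added example (not code from the Bait and Switch project) that consumes Snort fast-format alert lines, marks offending sources as switched, and routes only their flows to the honeypot while other clients keep reaching the real host. The alert lines, addresses, priority threshold and the DNAT rule shape are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Snort "fast" alert format, one line per alert; ports are absent for ICMP.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)

# Constructed sample alerts; addresses are documentation ranges, not real hosts.
SAMPLE_ALERTS = [
    "04/16-20:28:18.123456  [**] [1:1000001:1] SCAN probe [**] [Priority: 1] {TCP} 10.9.8.7:51234 -> 192.0.2.10:80",
    "04/16-20:28:19.000001  [**] [1:1000002:1] INFO banner [**] [Priority: 3] {TCP} 198.51.100.4:40000 -> 192.0.2.10:80",
    "04/16-20:28:20.000002  [**] [1:1000003:1] ICMP ping [**] [Priority: 2] {ICMP} 203.0.113.9 -> 192.0.2.99",
]

@dataclass
class BaitAndSwitch:
    """Decide when a source is 'switched' to the honeypot and where its packets go."""
    real_host: str
    honeypot: str
    max_priority: int = 2          # react to priority 1..max_priority (1 is most severe)
    switched: set = field(default_factory=set)

    def on_alert(self, line):
        """Return the source switched by this alert, or None if the alert is ignored."""
        m = ALERT_RE.search(line)
        if not m or m["dst"] != self.real_host or int(m["prio"]) > self.max_priority:
            return None
        self.switched.add(m["src"])
        return m["src"]

    def route(self, src, dst):
        """Destination a flow actually reaches: the honeypot for switched sources only."""
        if dst == self.real_host and src in self.switched:
            return self.honeypot
        return dst

    def netfilter_rule(self, src):
        """Assumed DNAT rule for the switch; the project's own netfilter rules may differ."""
        return (f"iptables -t nat -A PREROUTING -s {src} -d {self.real_host} "
                f"-j DNAT --to-destination {self.honeypot}")

def process_alerts(lines, real_host="192.0.2.10", honeypot="192.0.2.250"):
    """Feed alert lines through the switch; return it and the rules it would install."""
    bs = BaitAndSwitch(real_host, honeypot)
    rules = [bs.netfilter_rule(src) for src in map(bs.on_alert, lines) if src]
    return bs, rules

if __name__ == "__main__":
    bs, rules = process_alerts(SAMPLE_ALERTS)
    print("\n".join(rules))
    print(bs.route("10.9.8.7", "192.0.2.10"), bs.route("198.51.100.4", "192.0.2.10"))
```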
 


-----Original Message-----
From: Shaiful [mailto:shaifuljahari () yahoo com] 
Sent: Tuesday, April 15, 2003 5:43 PM
To: focus-ids () securityfocus com
Cc: Jochen Vogel
Subject: Re: Snort vs Hogwash vs bait future


Hi,

FYI, I'm not a developer for any of the IDS/IPS
product but I'm a lame user ;-). I've been following
IDS/IPS technology from their infancy.

First a bit of history. Snort started as an open source
project around 1999 and Hogwash started as an open source
project around 2001. Bait and Switch (B&S) started
this year, 2003. It looks promising since we have a
new and shining IDS/IPS every two years! Each of them
really has a different focus, depending on the security
direction at that particular time. But, to filter the
noise, and to understand the similarities and the
differences, we should go back to basics. What is the
framework that really joins everything together? We
could start with Staniford's excellent paper on the
CIDF, a Common Intrusion Detection Framework. We
could argue that an IDS is not an IPS, but really an IPS is
just an IDS with prevention mode enabled.

So, from the framework we can see that each of the
IDS/IPS products can be divided into rather similar
logical modules, namely Event, Analysis, Response and
Database Engine. It seems to me now that all these IDS/IPS
are forking in terms of the analysis engine, which could be
shared among all open source IDS/IPS. Unfortunately,
the direction is not really encouraging since Snort
has its own Snort2 engine whereas Hogwash has its own
H2 engine. I think B&S is using the snort analysis engine,
maybe until they figure out how to make their own
analysis engine.

IMHO, the difference in the same basic analysis
component is not necessary since all of them read
the VERY SIMILAR snort rule file format. The rule format
might not be identical, but the difference is not
significant. Maybe we could follow Mozilla's direction,
where Netscape, Mozilla and Galeon all shared the
same HTML and standards-compliant rendering engine.

My two cents,

Regards,
Shaiful



