IDS mailing list archives
RE: Snort vs Hogwash vs bait future
From: "Alberto Gonzalez" <albertg () cerebro wwjh net>
Date: Wed, 16 Apr 2003 20:28:18 -0700
Hogwash actually has been out longer, folks just started hearing about it around that time. Bait N Switch currently uses the Snort engine (with the snort patch) and the functionality _is_ currently built into the new H2 engine. We aren't an IPS.. so as of right now we don't need our own engine. The main page on [1] tells you what exactly the project aims for. Here is a snippet directly from our site.

"Project Definition: The Bait and Switch Honeypot is a multifaceted attempt to take honeypots out of the shadows of the network security model and to make them an active participant in system defense. To do this, we are creating a system that reacts to hostile intrusion attempts by redirecting all hostile traffic to a honeypot that is partially mirroring your production system. Once switched, the would-be hacker is unknowingly attacking your honeypot instead of the real data and your clients and/or users still safely accessing the real system. Life goes on, your data is safe, and you are learning about the bad guy as an added benefit. The system is based on snort, linux's iproute2, netfilter, and custom code for now. We plan on adding additional support in the future if possible."

We plan to add support for other OS'es as well as prelude in the NEAR future... Whenever our damn jobs give us any free time :-(

Cheers,
Alberto Gonzalez

[1] - http://baitnswitch.sf.net/

---
"Success comes to the person who does today, what you are thinking of doing tomorrow."

-----Original Message-----
From: Shaiful [mailto:shaifuljahari () yahoo com]
Sent: Tuesday, April 15, 2003 5:43 PM
To: focus-ids () securityfocus com
Cc: Jochen Vogel
Subject: Re: Snort vs Hogwash vs bait future

Hi,

FYI, I'm not a developer for any of the IDS/IPS products but I'm a lame user ;-). I've been following IDS/IPS technology from their infancy.

First a bit of history. Snort started as an open source project around 1999 and Hogwash started as an open source project around 2001. Bait and Switch (B&S) started this year, 2003. It looks promising since we have a new and shining IDS/IPS every two years! Each of them really has a different focus, depending on the security direction at that particular time.

But, to filter the noise, and to understand the similarity and the difference we should go back to basics. What is the framework that really joins everything together? We could start with Staniford's excellent paper on the CIDF, a Common Intrusion Detection Framework. We could argue that IDS is not an IPS, but really IPS is just IDS with prevention mode enabled. So, from the framework we can see that each of the IDS/IPS products can be divided into rather similar logical modules namely Event, Analysis, Response and Database Engine.

It seems to me now, all these IDS/IPS are forking in terms of analysis engine which can be shared among all open source IDS/IPS. Unfortunately, the direction is not really encouraging since Snort has its own Snort2 engine whereas Hogwash has its own H2 engine. I think B&S is using the snort analysis engine, maybe until they figure out how to make their own analysis engine.

IMHO, the difference in the same basic analysis component is not necessary since all of them are reading the VERY SIMILAR snort rule file format. The rule for might not be identical, but the difference is not significant. Maybe we could follow Mozilla's direction where netscape, mozilla and galeon all share the same HTML and standard compliant rendering engine.

My two cents,

Regards,
Shaiful